HP-UX revert from trusted system to default
Post 302595431 by rbatte1 on Friday 3rd of February 2012 05:46:22 AM

All,

I have inherited some software that is running on HP-UX 11.11. The software offers a GUI login and the user passwords can be either internal to the software, user defined or based on the matching unix account. The problem I have is that the server has been converted to 'trusted' years before I got hands on. The software, of course, only looks in /etc/passwd and is so old that fixes are no longer written.

The software had a total collapse on 01/01/2012 because of a design flaw. There is the capability to set a user end date, and the logic failed similarly to the worries everyone had about year 2000. Having never dealt with it before, I soon discovered that no user accounts had a password at all and account sharing was very common. So, I crashed headlong into setting up something, at least. We've caught quite a few offenders already now that services are resumed, and I have an lsof-based script trace written to react to each login attempt.

Unfortunately the internal password controls allow a single character password (including space) and no history is kept. We do set more sensible rules for OS telnet users, but I cannot tie the software in without converting back from TCB.


Finally, my questions:-
  • How? Is it just a sam action?
  • What do I lose?
  • What do I risk?

I've trawled the archives, but nothing leaps out. Perhaps it is an odd requirement, but any guidance would be appreciated.



Many thanks, in advance,
Robin
Liverpool/Blackburn
UK
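
The situation Robin describes, an application that authenticates only against /etc/passwd on a host that was converted to a trusted system, can be checked from the passwd file itself. The script below is an added example and is not part of Robin's post or of the application in question. It relies on one fact about HP-UX trusted mode: once a system is converted, the password field of every /etc/passwd entry holds the placeholder "*" and the real hashes live under /tcb/files/auth, so an /etc/passwd-only application sees no usable secret. The sample passwd lines and account names are constructed for the example.

```python
"""Audit a passwd-format file for accounts an /etc/passwd-only login cannot use.

Added example, not code from the original post. On an HP-UX trusted (TCB)
system the password field of /etc/passwd is "*" and the hashes are kept in
/tcb/files/auth, so any application that reads only /etc/passwd finds no
usable password. Sample data below is constructed; account names are
hypothetical.
"""

# Constructed sample, one line per account (hypothetical names and hash).
SAMPLE_PASSWD = """\
root:*:0:3::/:/sbin/sh
appuser:*:101:20:App GUI account:/home/appuser:/usr/bin/sh
oldadmin::102:20:No password at all:/home/oldadmin:/usr/bin/sh
robin:abJnggxhB/yWI:103:20:Robin:/home/robin:/usr/bin/sh
locked:*LK*:104:20:Locked account:/home/locked:/usr/bin/sh
# comment lines and malformed lines are skipped
broken:x
"""


def classify(pw_field):
    """Map one passwd password field to a state label."""
    if pw_field == "":
        return "EMPTY"            # login succeeds with no password at all
    if pw_field == "*":
        return "TCB_PLACEHOLDER"  # hash is in /tcb/files/auth (or a no-login account)
    if pw_field.startswith("*LK*") or pw_field.startswith("!"):
        return "LOCKED"
    if len(pw_field) == 13:
        return "DES_HASH"         # traditional crypt(3) hash, usable from /etc/passwd
    return "OTHER"


def audit_passwd(text):
    """Return {user: state} for every well-formed 7-field entry in the text."""
    result = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        result[fields[0]] = classify(fields[1])
    return result


def unusable_from_passwd(text):
    """Users for whom /etc/passwd carries no real secret: empty or TCB placeholder."""
    return sorted(user for user, state in audit_passwd(text).items()
                  if state in ("EMPTY", "TCB_PLACEHOLDER"))


if __name__ == "__main__":
    # Replace SAMPLE_PASSWD with open("/etc/passwd").read() on a real host.
    for user, state in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{user:10s} {state}")
    print("needs attention:", unusable_from_passwd(SAMPLE_PASSWD))
```

Run against a live /etc/passwd, every account reporting TCB_PLACEHOLDER is one the application cannot validate until the host is converted back (or the application is taught to use the system's own authentication), and every EMPTY account is an open door regardless of trusted mode.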
ifaccess.conf(4)                     Kernel Interfaces Manual

NAME
    ifaccess.conf - Interface access filter configuration file

DESCRIPTION
    The /etc/ifaccess.conf file is an optional system file that specifies access filter entries for network interfaces. Interface access filtering provides a mechanism for detecting and preventing IP spoofing attacks (see CERT Advisory CA-95:01). The source addresses of IP input packets are checked against interface access filter entries; packets receive the action associated with the first matching entry.

    The /etc/ifaccess.conf file is read by the /usr/sbin/ifconfig command when called with the filter option.

    The /etc/ifaccess.conf file is defined as a Context-Dependent Symbolic Link (CDSL), and must be maintained as such. See the System Administration manual for more information.

    Lines in /etc/ifaccess.conf may be comment lines beginning with a number sign (#), blank lines, or access filter entries with the following format:

        interface_id address mask action

    In the preceding format:

    interface_id
        Specifies the network interface for which this entry applies.

    address
        Is specified as a hostname, network name, or an Internet address in the standard dotted-decimal notation.

    mask
        Specifies which bits of the address are significant. The mask can be specified as a single hexadecimal number beginning with 0x, in the standard Internet dotted-decimal notation, or beginning with a name. The mask contains 1s (ones) for the bit positions in address that are significant.

    action
        Specifies the action taken on packets matching this entry. The following actions are allowed: permit, deny, or denylog. Packets matching an entry with a permit action are passed to higher levels; packets matching an entry with a deny action are dropped; packets matching an entry with a denylog action are dropped, with a descriptive message sent to the system error logging facility.

    To prevent host spoofing, you must determine which networks are not secure and which interfaces are connected to those networks. For example, if a host is connected to a secure, trusted network on one interface and to a non-trusted (non-secure) network on a second interface, you need to add an entry for the non-trusted network interface in the host's ifaccess.conf file. Interfaces connected to trusted networks do not require an entry in the ifaccess.conf file.

    Use the netstat(1) command to display the current access filters for the interface.

NOTES
    Some machines send IP broadcast messages to the alternate all-zeros address instead of the all-ones address. This generates the following error:

        ipintr: IP addr 0.0.0.0 on interface: access denied

    You should consider this error equivalent to the following error:

        ipintr: IP addr 255.255.255.255 on interface: access denied

    Use the tcpdump command to capture and examine the IP packets in order to find out about the machine sending them.

RESTRICTIONS
    An interface access filter entry mask must have at least as many significant bits set as the address.

    Interface access filters have an implicit default permit all entry at the end. Interface access filter entries are assigned in the order in which they appear in /etc/ifaccess.conf, with packets receiving the action of the first entry that matches. At most IFAF_MAXENTRIES access filter entries may be assigned for each network interface. (See the /usr/sys/include/net/if.h file.)

    A default deny all entry may be configured by adding an entry similar to the following as the last entry for interface xyz0 in the /etc/ifaccess.conf file:

        xyz0 0.0.0.0 0.0.0.0 deny

    Only address family inet is supported.

EXAMPLES
    The following example shows the ifaccess.conf files for two hosts, Host A and Host B, on a network; trusted is the trusted network.

    Host A connects to the trusted network via the fza0 interface and connects to an untrusted network, insecure1, via the ln0 interface. Host A's ifaccess.conf file includes the following entry:

        ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                          # claim they originated from the
                                          # secure network.

    Host B connects to the trusted network via the fza0 interface; connects to an untrusted network, insecure1, via the ln0 interface; and connects to another untrusted network, insecure2, via the ln1 interface. Host B's ifaccess.conf file includes the following entries:

        ln0 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                          # claim they originated from the
                                          # secure network.
        ln1 trusted 255.255.255.0 deny    # deny all packets from hosts that
                                          # claim they originated from the
                                          # secure network.

    Note that there is no entry in the ifaccess.conf file for the trusted network device, fza0. Only the untrusted network interfaces are configured with ifaccess.conf.

FILES
    /etc/ifaccess.conf
        Specifies the path name for the file.

    /usr/sys/include/net/if.h
        Network interface structures header file.

    Internet address and version structures header file.

RELATED INFORMATION
    Commands: netstat(1), ifconfig(8), syslogd(8), tcpdump(8).
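
The matching rules the manual page lays out (per-interface entry lists, first match wins, permit/deny/denylog, an implicit permit-all at the end, and the restriction that the mask must cover every significant bit of the address) are small enough to model directly. The evaluator below is an added example and is not part of the manual page or of the ifconfig filter implementation. It assumes the Host B layout from the EXAMPLES section plus the manual's default-deny entry for xyz0; the network-name table stands in for /etc/networks lookups and maps the name trusted to 192.0.2.0 purely for illustration. Masks given as names are not handled here.

```python
"""Evaluate ifaccess.conf-style interface access filters against source addresses.

Added example, not from the manual page. It implements the documented
semantics: entries are kept per interface in file order, the first matching
entry decides, the action is permit, deny or denylog, an interface with no
matching entry permits (implicit default permit all), and an entry whose
address has significant bits outside its mask is rejected. The name table
and configuration text are constructed for the example.
"""
import ipaddress

# Constructed stand-in for /etc/networks and /etc/hosts (hypothetical values).
NAMES = {"trusted": "192.0.2.0", "insecure1": "198.51.100.0"}

# Constructed config in the manual's Host B layout, plus the default-deny
# pattern from RESTRICTIONS on a hypothetical interface xyz0.
CONFIG = """\
# untrusted links must not carry packets claiming a trusted source
ln0 trusted 255.255.255.0 denylog
ln1 trusted 255.255.255.0 deny
xyz0 203.0.113.0 255.255.255.0 permit
xyz0 0.0.0.0 0.0.0.0 deny
"""

ACTIONS = ("permit", "deny", "denylog")


def parse_addr(token):
    """Resolve a network/host name via NAMES, else parse dotted-decimal."""
    return int(ipaddress.IPv4Address(NAMES.get(token, token)))


def parse_mask(token):
    """Accept a 0x-prefixed hexadecimal mask or a dotted-decimal mask."""
    if token.lower().startswith("0x"):
        return int(token, 16) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(token))


def parse_config(text):
    """Return {interface: [(addr, mask, action), ...]} preserving file order."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'interface address mask action'")
        ifname, addr_tok, mask_tok, action = parts
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        addr, mask = parse_addr(addr_tok), parse_mask(mask_tok)
        # RESTRICTIONS: every significant bit of the address must be in the mask.
        if addr & ~mask & 0xFFFFFFFF:
            raise ValueError(f"line {lineno}: address has bits outside the mask")
        table.setdefault(ifname, []).append((addr, mask, action))
    return table


def filter_action(table, ifname, src):
    """Action for a packet with source address src arriving on ifname."""
    s = int(ipaddress.IPv4Address(src))
    for addr, mask, action in table.get(ifname, []):
        if (s & mask) == (addr & mask):
            return action                 # first matching entry wins
    return "permit"                       # implicit default permit all


if __name__ == "__main__":
    table = parse_config(CONFIG)
    for ifn, src in [("ln0", "192.0.2.7"), ("fza0", "192.0.2.7"),
                     ("ln0", "198.51.100.5"), ("xyz0", "203.0.113.9"),
                     ("xyz0", "8.8.8.8")]:
        print(f"{ifn:5s} {src:15s} -> {filter_action(table, ifn, src)}")
```

A packet on ln0 claiming a source inside the trusted network is dropped and logged, the same packet arriving on fza0 (no entries) passes, and on xyz0 only the one permitted network gets through because the trailing 0.0.0.0/0.0.0.0 entry catches everything else before the implicit permit.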