02-03-2012
Thanks for the input vbe.
The good news is that the root password is not known and not required except in an emergency, so would only be on the console anyway (frequently changed by Security and stored in a file on another server). Administrative updates requiring super-user privilieges are scripted with sudo rules - and the system managers (of which I am one of five) have the wonderful ability to sudo su - to do anything that isn't 'normal'
I'm still not sure what being 'trusted' gives me. It just was already 'trusted' when I got given the opportunity to take it on (i.e. dumped with it) Does untrusted just mean that the passwords are stored (encrypted) in /etc/passwd field 2 so there is a risk that someone might peek and then decipher them? Will I lose the complexity/history rules for passwords or something else perhaps? I will be delighted if it doesn't re-prompt for the old password when I've just typed it in, and as for that generating a next password malarky, no thanks. All users, be they IT or not, hate it too.
We're not public facing, so I'm not too worried about intrusion (dare I trust my network team?) but if my Security Manager will kill me for even suggesting it, it would be good to know what we're actually giving up, given that I'm trying to improve security on an application for him, after all.
Cheers,
Robin
Last edited by rbatte1; 02-03-2012 at 01:30 PM..
Reason: Correcting my grammer
10 More Discussions You Might Find Interesting
1. HP-UX
I was playing with sam and i turned on the Trusted System feature (UX11i).
Now i cant log onto it anymore, i can ping it, but icant telnet, rlogin or login at the login screen.
I dont want to reboot my machine because i am affraid it wont boot and ask for a password. My root password is not... (1 Reply)
Discussion started by: Netghost
1 Replies
2. Solaris
hi i have created a pool using zpool command for my /dev/dsk/c1d0s3 disk.
The poolname is qwertyuiopasdfghjklmnbvcxzzxcvbnmasdfghjklqwertyuiopoiuytrewqasdfghjklkjhgfdsazxcvbnmmnbnbcxczxzassd
ddddvfhfghgjjgjhgkhkljfjlhohihiuyuioyguioyguiowyuiogwyuigwrigywuigyguiyuiogyugiyguioyuyguiowygiuygui... (1 Reply)
Discussion started by: SankarV
1 Replies
3. HP-UX
Is it possible to have shadowed password file without implementing a Trusted System? (3 Replies)
Discussion started by: linuxdude
3 Replies
4. Emergency UNIX and Linux Support
Instead of importing a project/folder as
svn import vlsms/ file:///home/repo/vlsms -m "Initial Upload"
I did
svn import vlsms/ file:///home/repo -m "Initial Upload"
How to undo this import (in a clean way,without trace?)
---------- Post updated at 03:10 AM ---------- Previous update was at... (0 Replies)
Discussion started by: johnbach
0 Replies
5. HP-UX
I have a new box that was set up for me and I want to allow telnet to the box as root. I know that it's not secure but due to the nature of what I test I need an easy and reliable way back in if I've messed up the other connection methods(SSH). This is in a protected lab environment. Eventually... (17 Replies)
Discussion started by: gctaylor
17 Replies
6. Linux
Long story short, there was some sort of corruption with my ide and the script I was working on has been over written with nothing (the file is blank now). The IDE doesn't store a back up from what I know (I'm using notepadd++ in wine lol I know I know I'm addictted to the nppftp sidebar and geany... (1 Reply)
Discussion started by: noPermissions
1 Replies
7. UNIX for Advanced & Expert Users
I thought I would share gmail revert to old look permanently. I am sure I am not the only one annoyed by the new look.
Install Stylish extension
Choose the Stylish UserStyle that you want.
I know The Return of Old Gmail and gmail-b2b both work but I prefer gmail-b2b since I think it looks... (0 Replies)
Discussion started by: cokedude
0 Replies
8. UNIX for Advanced & Expert Users
Hi,
I have deleted a file and commited in CVS.
So, is there any CVS command to revert back that deleted file with existing log messages.
--Thanks in advance
Madhu (1 Reply)
Discussion started by: madhuti
1 Replies
9. UNIX for Dummies Questions & Answers
I have given as:
PS1="Karthick>" in linux.
Now the prompt changed as:
Karthick>
Now I need to get back the default prompt .
How to achieve this?
Thanks in advance (13 Replies)
Discussion started by: karthick nath
13 Replies
10. UNIX for Advanced & Expert Users
Hi,
I need to convert few HP-UX (V 11.31) machines from un-trusted to trusted.
I used the HP SMH to do this on one server. However when I click on "Yes" to proceed with the conversion, I get this error :
The attempt to convert this system to a trusted system failed.
The command return value... (2 Replies)
Discussion started by: anaigini45
2 Replies
LEARN ABOUT SUSE
stap-authorize-signing-cert
STAP-AUTHORIZE-SIGNING-CERT(8) System Manager's Manual STAP-AUTHORIZE-SIGNING-CERT(8)
NAME
stap-authorize-signing-cert - systemtap signing authorization utility
SYNOPSIS
stap-authorize-signing-cert CERTFILE [ DIRNAME ]
DESCRIPTION
The staprun program will load modules for members of the group stapusr if they are signed by a trusted signer. A trusted signer is usually
a systemtap compile server which signs modules when the client (stap-client) specifies the --unprivileged option.
The trustworthiness of a given signer can not be determined automatically without a trusted certificate authority issuing systemtap signing
certificates. This is not practical in everyday use and so, staprun must authenticate servers against its own database of trusted signers.
In this context, establishing a given signer as trusted means adding that signer's certificate to staprun's database of trusted signers.
The stap-authorize-signing-cert program adds the given signing certificate to the given certificate database, making that signer a trusted
server for staprun when using that database.
ARGUMENTS
The stap-authorize-signing-cert program accepts two arguments:
CERTFILE
This is the name of the file containing the certificate of the new trusted signer. For systemtap compile servers, this is the file
named stap.cert which can be found in the server's certificate database. On the server host, for servers started by the stap-server
service, this database can be found in /var/lib/stap-server/.systemtap/ssl/server/. For servers run by other non-root users, this
database can be found in $HOME/.systemtap/ssl/server/. For root users (EUID=0), it can be found in /etc/systemtap/ssl/server.
DIRNAME
This optional argument is the name of the directory containing the certificate database to which the certificate is to be added. If
not specified, the default is /etc/systemtap/staprun/. That is, the default result is that all users on the local host will trust
this signer. Note that this default directory is only writable by root.
SAFETY AND SECURITY
Systemtap is an administrative tool. It exposes kernel internal data structures and potentially private user information. See the stap(1)
manual page for additional information on safety and security.
Systemtap uses Network Security Services (NSS) for module signing and verification. The NSS tool certutil is used for the generation of
certificates. The related certificate databases must be protected in order to maintain the security of the system. Use of the utilities
provided will help to ensure that the proper protection is maintained. staprun will check for proper access permissions before making use
of any certificate database.
FILES
/etc/systemtap/staprun/
staprun's trusted signer certificate database.
/var/lib/stap-server/.systemtap/ssl/server/stap.cert
Signing certificate for servers started by the stap-server service.
SEE ALSO
stap(1), staprun(8), stap-server(8), stap-client(8), NSS, certutil
BUGS
Use the Bugzilla link of the project web page or our mailing list. http://sources.redhat.com/systemtap/, <systemtap@sources.redhat.com>.
Red Hat 2010-07-05 STAP-AUTHORIZE-SIGNING-CERT(8)