Login or Register to Ask a Question and Join Our Community


HP-UX

HP-UX revert from trusted system to default

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems HP-UX HP-UX revert from trusted system to default
# 8  
Old 02-06-2012
Quote:
I'm still not sure what being 'trusted' gives me. It just was already 'trusted' when I got given the opportunity to take it on (i.e. dumped with it) Does untrusted just mean that the passwords are stored (encrypted) in /etc/passwd field 2 so there is a risk that someone might peek and then decipher them? Will I lose the complexity/history rules for passwords or something else perhaps? I will be delighted if it doesn't re-prompt for the old password when I've just typed it in, and as for that generating a next password malarky, no thanks. All users, be they IT or not, hate it too.
To read about "untrused", just see "man passwd". You will lose complexity and history rules. The "root" user will not need to know an old password. Passwords will be stored encrypted in /etc/passwd, but there is no direct unencryption method beyond brute force by a "root" user.

Keep some sessions logged in as "root" if you make this change. I recall that all existing user passwords were lost during the change from "trusted" to "untrusted" and that every user needed a password reset. Don't know if this has been fixed. HP Openview stopped working and need a re-install.

The "sudo" command is not a HP-UX command. It is 3rd-party software which administrators elect to use in order to bypass "trusted" security. No guarantee that it would continue to work unchanged.

I can't see how changing from "trusted" to "untrusted" will fix your application problem.

As others advise, make a full Disaster Recovery backup before considering this change.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Converting system to trusted

Hi, I need to convert few HP-UX (V 11.31) machines from un-trusted to trusted. I used the HP SMH to do this on one server. However when I click on "Yes" to proceed with the conversion, I get this error : The attempt to convert this system to a trusted system failed. The command return value... (2 Replies)
Discussion started by: anaigini45
2 Replies

2. UNIX for Dummies Questions & Answers

Need to revert default prompt in Linux after setting PS1 command

I have given as: PS1="Karthick>" in linux. Now the prompt changed as: Karthick> Now I need to get back the default prompt . How to achieve this? Thanks in advance (13 Replies)
Discussion started by: karthick nath
13 Replies

3. UNIX for Advanced & Expert Users

CVS command to revert deleted files

Hi, I have deleted a file and commited in CVS. So, is there any CVS command to revert back that deleted file with existing log messages. --Thanks in advance Madhu (1 Reply)
Discussion started by: madhuti
1 Replies

4. UNIX for Advanced & Expert Users

gmail revert to old look permanently

I thought I would share gmail revert to old look permanently. I am sure I am not the only one annoyed by the new look. Install Stylish extension Choose the Stylish UserStyle that you want. I know The Return of Old Gmail and gmail-b2b both work but I prefer gmail-b2b since I think it looks... (0 Replies)
Discussion started by: cokedude
0 Replies

5. Linux

Is it possible to revert a file after overwriting it ?

Long story short, there was some sort of corruption with my ide and the script I was working on has been over written with nothing (the file is blank now). The IDE doesn't store a back up from what I know (I'm using notepadd++ in wine lol I know I know I'm addictted to the nppftp sidebar and geany... (1 Reply)
Discussion started by: noPermissions
1 Replies

6. HP-UX

Enable telnet as root to 11.31 non-trusted system?

I have a new box that was set up for me and I want to allow telnet to the box as root. I know that it's not secure but due to the nature of what I test I need an easy and reliable way back in if I've messed up the other connection methods(SSH). This is in a protected lab environment. Eventually... (17 Replies)
Discussion started by: gctaylor
17 Replies

7. Emergency UNIX and Linux Support

Revert SVN import

Instead of importing a project/folder as svn import vlsms/ file:///home/repo/vlsms -m "Initial Upload" I did svn import vlsms/ file:///home/repo -m "Initial Upload" How to undo this import (in a clean way,without trace?) ---------- Post updated at 03:10 AM ---------- Previous update was at... (0 Replies)
Discussion started by: johnbach
0 Replies

8. HP-UX

shadowed password file on non-trusted system?

Is it possible to have shadowed password file without implementing a Trusted System? (3 Replies)
Discussion started by: linuxdude
3 Replies

9. Solaris

need zpool to revert...

hi i have created a pool using zpool command for my /dev/dsk/c1d0s3 disk. The poolname is qwertyuiopasdfghjklmnbvcxzzxcvbnmasdfghjklqwertyuiopoiuytrewqasdfghjklkjhgfdsazxcvbnmmnbnbcxczxzassd ddddvfhfghgjjgjhgkhkljfjlhohihiuyuioyguioyguiowyuiogwyuigwrigywuigyguiyuiogyugiyguioyuyguiowygiuygui... (1 Reply)
Discussion started by: SankarV
1 Replies

10. HP-UX

Trusted system: Please Help.

I was playing with sam and i turned on the Trusted System feature (UX11i). Now i cant log onto it anymore, i can ping it, but icant telnet, rlogin or login at the login screen. I dont want to reboot my machine because i am affraid it wont boot and ask for a password. My root password is not... (1 Reply)
Discussion started by: Netghost
1 Replies
Login or Register to Ask a Question

LEARN ABOUT OSF1

ifaccess.conf

ifaccess.conf(4)					     Kernel Interfaces Manual						  ifaccess.conf(4)

NAME

       ifaccess.conf - Interface access filter configuration file

DESCRIPTION

       The  /etc/ifaccess.conf file is an optional system file that specifies access filter entries for network interfaces.  Interface access fil-
       tering provides a mechanism for detecting and preventing IP spoofing attacks. (See CERT Advisory CA-95:01).  The  source  addresses  of	IP
       input packets are checked against interface access filter entries; packets receive the action associated with the first matching entry. The
       /etc/ifaccess.conf file is read by the /usr/sbin/ifconfig command when called with the filter option.

       The /etc/ifaccess.conf file is defined as a Context-Dependent Symbolic Link (CDSL), and must be maintained as such.  See the System  Admin-
       istration manual for more information.

       Lines in /etc/ifaccess.conf may be comment lines beginning with a number sign (#), blank lines, or access filter entries with the following
       format: interface_id address mask action

       In the preceding format: Specifies the network interface for which this entry applies.  Is specified as a hostname,  network  name,  or	an
       Internet  address in the standard dotted-decimal notation.  Specifies which bits of the address are significant.  The mask can be specified
       as a single hexadecimal number beginning with 0x, in the standard Internet dotted-decimal notation, or beginning with a name. The mask con-
       tains 1s (ones) for the bit positions in address that are significant.  Specifies an entry to match packets against.  The following actions
       are allowed: permit, deny, or denylog.  Packets matching an entry with a permit action are passed to higher  levels;  packets  matching	an
       entry  with  a deny action are dropped; packets matching an entry with a denylog action are dropped, with a descriptive message sent to the
       system error logging facility.

       To prevent host spoofing, you must determine which networks are not secure and which interfaces are connected to those networks.  For exam-
       ple,  if  a  host is connected to a secure, trusted network on one interface and to non-trusted (non-secure) network on a second interface,
       you need to add an entry for the non-trusted network interface in the host's ifaccess.conf file.  Interfaces connected to trusted  networks
       do not require an entry in the ifaccess.conf file.

       Use the netstat(1) command to display the current access filters for the interface.

NOTES

       Some  machines  send IP broadcast messages to the alternate all-zeros address instead of the all-ones address. This generates the following
       error: ipintr: IP addr 0.0.0.0 on interface: access denied You should consider this error equivalent to the  following  error:  ipintr:	IP
       addr  255.255.255.255  on interface: access denied Use the tcpdump command to capture and examine the IP packets in order to find out about
       the machine sending them.

RESTRICTIONS

       An interface access filter entry mask must have at least as many significant bits set as the address.

       Interface access filters have an implicit default permit all entry at the end.

       Interface access filter entries are assigned in the order in which they appear in /etc/ifaccess.conf, with packets receiving the action	of
       the first entry that matches.

       At most IFAF_MAXENTRIES access filter entries may be assigned for each network interface. (See the /usr/sys/include/net/if.h file.)

       A  default  deny all entry may be configured by adding an entry similar to the following as the last entry for interface xyz0 in /etc/ifac-
       cess.conf file: xyz0 0.0.0.0 0.0.0.0 deny

       Only address family inet is supported.

EXAMPLES

       The following example shows the ifaccess.conf files for two hosts, Host A and Host B, on a network; trusted is the trusted network.  Host A
       connects to the trusted network via the fza0 interface and connects to an untrusted network, insecure1, via the ln0 interface.

       Host A's ifaccess.conf file includes the following entry: ln0 trusted 255.255.255.0 deny 	 # deny all packets from hosts that
					       # claim they originated from the
					       #  secure  network.   Host B connects to the trusted network via the fza0 interface; connects to an
       untrusted network, insecure1, via the ln0 interface; and connects to another untrusted network, insecure2, via the ln1 interface.  Host B's
       ifaccess.conf file includes the following entries: ln0 trusted 255.255.255.0 deny	  # deny all packets from hosts that
					       # claim they originated from the
					       # secure network.  ln1 trusted 255.255.255.0 deny	  # deny all packets from hosts that
					       # claim they originated from the
					       #  secure  network.   Note that there is no entry in the ifaccess.conf file for the trusted network
       device, fza0.  Only the untrusted network interfaces are configured with ifaccess.conf.

FILES

       Specifies the path name for the file.  Network interface structures header file.  Internet address and version structures header file.

RELATED INFORMATION

       Commands: netstat(1), ifconfig(8), syslogd(8), tcpdump(8).  delim off

																  ifaccess.conf(4)