All,
I have inherited some software that is running on HP-UX 11.11. The software offers a GUI login and the user passwords can be either internal to the software, user defined or based on the matching unix account. The problem I have is that the server has been converted to 'trusted' years before I got hands on. The software, of course, only looks in /etc/passwd and is so old that fixes are no longer written.
The software had a total collapse on 01/01/2012 because of a design flaw.
There is the capability to set a user end date, and the logic failed similarly to the worries everyone had about year 2000. Having never dealt with it before, I soon discovered that no user accounts had a password at all and account sharing was very common.
So, I crashed headlong into setting up something, at least. We've caught quite a few offenders already now that services are resumed, and I have an lsof-based script trace written to react to each login attempt.
Unfortunately the internal password controls allow a single character password (including space) and no history is kept.
We do set more sensible rules for OS telnet users, but I cannot tie the software in without converting back from TCB.
Finally, my questions:-
- How? Is it just a sam action?
- What do I lose?
- What do I risk?
I've trawled the archives, but nothing leaps out. Perhaps it is an odd requirement, but any guidance would be appreciated.
Many thanks, in advance,
Robin
Liverpool/Blackburn
UK