Jim Barlow wrote:
>
> We have recently set up a couple of new HP D250 machines, running HPUX 10.01,
> as AFS file servers. I noticed that root's passwd was stored in the
> /etc/passwd file, so I started looking at the security options in sam.
> I made the machine a trusted system, which will store the passwords in
> a database. I was thinking that it would be similar to Solaris storing
> the passwords in the /etc/shadow file. Once I had done this I could not
> log into the console as root. I had to reboot into single user mode and
> go back to using the HPUX version of login. Evidently the Transarc modified
> version of login does not look in the database, which was located in the
> /tcb/files/auth directory (no /etc/shadow file). Has anybody else run into
> this problem? And if so, how can we use Transarc's login, getting a token
> when we log in, and still be able to login as root?
>
> --
> James J. Barlow
> System Engineer, Advanced Computing Group
> National Center for Supercomputing Applications
> 605 East Springfield Avenue
> Champaign, IL 61820 Voice : (217)244-6403
> [EMAIL PROTECTED] Cell : (217)369-8349
> Fax : (217)244-1987
> http://www.ncsa.uiuc.edu/People/jbarlow
Well it's been a few years (3 to be exact) since I used AFS with HP-UX. As a
matter of fact, HP-UX was just at version 8.0, last time I touched it. Anyway,
at that time, HP-UX had shadowed password files. I can't remember where they
were, but there wasn't a SAM interface to activate it. It was all command line
driven.

With the "trusted" option, it looks like you activated TCB (Trusted Computing
Base) functionality (note the /tcb pathname). TCB is like a more strict
implementation of tripwire. The latter keeps a database of critical system
files/programs (checksums, etc.) and tells you if something changed. The former
typically does this and disables (usually via a chmod -x) any changed files
from executing. (I have seen this exact scenario played out on an AIX 3.2.5
box before, that's why I'm mentioning it.)

Did you look at the perms on Transarc login after you threw the switch?

Anyway, I would have thought that Transarc's program would have used the POSIX
interfaces to do all the getpasswd type of stuff, rather than directly looking
at /etc/passwd. (One never knows, however.)

Regardless, I would press HP to see if they are shipping CDE's PAM with HPUX
10. That would clearly be the best route to pursue. (No mucking with replacing
system binaries!)
--
Chris Cowan PSW Technologies
[EMAIL PROTECTED] Distributed Computing Services
(512) 343-6666 x339 9050 Capital of Texas Hwy. North
(512) 345-4976 (fax) Austin, TX 78759
http://www.pswtech.com
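The thread's underlying point is that a login program which reads the hash out of /etc/passwd itself stops working the moment the hash is moved into a protected database, while one that goes through the platform's account APIs keeps working. The program below is an added example written for this discussion; it is not code from the thread, from Transarc, or from HP. It assumes a Linux/glibc host and uses the POSIX getpwnam() plus the shadow(3) getspnam() call as a stand-in for the HP-UX trusted-system database under /tcb/files/auth (on HP-UX the counterpart call would be getprpwnam() from <prot.h>); the user name "no-such-user-constructed-zz" used in the self-check is constructed and does not exist.

```c
/* Added example (not from the thread): a login-style password-hash lookup
 * that consults the platform's account APIs rather than parsing /etc/passwd
 * directly. Linux shadow(3) stands in for HP-UX's protected-password
 * database; the logic is the same on either system. */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when the passwd(5) password field is only a placeholder, i.e.
 * the real hash lives in a protected database (or the account is locked).
 * "x" is the Linux/Solaris convention; "*" / "!" prefixes are what a
 * shadowed, trusted-mode, or locked entry typically shows. */
int passwd_field_is_placeholder(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return 0;                       /* empty: no password set at all */
    if (strcmp(field, "x") == 0)
        return 1;
    if (field[0] == '*' || field[0] == '!')
        return 1;
    return 0;
}

/* Where the hash was found, or why it was not. Negative values are failures. */
enum hash_source {
    HS_PASSWD = 0,          /* hash still in /etc/passwd (unshadowed system) */
    HS_SHADOW = 1,          /* hash came from the protected database */
    HS_NO_USER = -1,        /* getpwnam() found no such account */
    HS_NO_PASSWORD = -2,    /* empty password field */
    HS_NO_ACCESS = -3,      /* caller may not read the protected database */
    HS_NO_SHADOW_ENTRY = -4 /* placeholder in passwd but no shadow record */
};

/* Copies the stored hash for `user` into buf and reports its source.
 * A login that stopped after getpwnam() would see only "*" on a trusted
 * system and reject every user, which is the failure the thread describes. */
enum hash_source lookup_password_hash(const char *user, char *buf, size_t buflen)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return HS_NO_USER;

    if (!passwd_field_is_placeholder(pw->pw_passwd)) {
        if (pw->pw_passwd == NULL || pw->pw_passwd[0] == '\0')
            return HS_NO_PASSWORD;
        snprintf(buf, buflen, "%s", pw->pw_passwd);
        return HS_PASSWD;
    }

    /* Placeholder seen: the hash is in the protected database, which is
     * readable only by privileged processes (as login(1) is). */
    errno = 0;
    struct spwd *sp = getspnam(user);
    if (sp == NULL)
        return (errno == EACCES) ? HS_NO_ACCESS : HS_NO_SHADOW_ENTRY;
    if (sp->sp_pwdp == NULL || sp->sp_pwdp[0] == '\0')
        return HS_NO_PASSWORD;
    snprintf(buf, buflen, "%s", sp->sp_pwdp);
    return HS_SHADOW;
}

int main(int argc, char **argv)
{
    const char *user = (argc > 1) ? argv[1] : "root";
    char hash[256];
    enum hash_source src = lookup_password_hash(user, hash, sizeof hash);

    switch (src) {
    case HS_PASSWD: printf("%s: hash is in /etc/passwd (not shadowed)\n", user); break;
    case HS_SHADOW: printf("%s: hash came from the protected database\n", user); break;
    case HS_NO_USER: printf("%s: no such user\n", user); break;
    case HS_NO_PASSWORD: printf("%s: no password set\n", user); break;
    case HS_NO_ACCESS: printf("%s: shadowed, and this process may not read the database\n", user); break;
    case HS_NO_SHADOW_ENTRY: printf("%s: placeholder in passwd but no shadow entry\n", user); break;
    }
    return src < 0 ? 1 : 0;
}
```

Run it unprivileged against any shadowed account and it reports HS_NO_ACCESS; run it as root and it reports HS_SHADOW. Either way the placeholder in /etc/passwd is never mistaken for the real hash, which is exactly the distinction the Transarc login in the thread failed to make once the machine was switched to trusted mode.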