TRUSTED SYSTEM – UNIX

1. To convert the system into a trusted system, run:
/usr/lbin/tsconvert

After conversion, the protected password database is created under /tcb/files/auth/*/*.
Note: before converting to a trusted system you have to modify /etc/nsswitch.conf. In that file, "passwd: compat" has to be changed to "passwd: files".

To convert back from a trusted system, use the following command:
/usr/lbin/tsconvert -r

The protected password database contains the following entries for each user:

username and userid
encrypted password
account owner
boot flag – whether a user can boot to single user mode or not
audit id and audit flag ( whether audit on or not )
min. time between password change
password max. length
password expiration time, after which the password must be changed
password lifetime, after which the account is locked
time of last successful and unsuccessful password change
absolute time ( date) when the account will expire
max. time allowed between logins before account is locked
no. of days before expiration when a warning will appear
whether passwords are user generated or system generated
whether triviality check is performed on user generated password
type of system generated passwords
whether null passwords are allowed for this account
user id of the last person to change the password, if not the account owner
time periods when the accounts can be used for login
the terminal or remote host associated with the last successful and unsuccessful logins to this account
no. of unsuccessful login attempts; cleared upon successful logins
max. no. of login attempts allowed before account is locked

2. The same locking policy applies to ftp users with a shell as well as to ftp users without a shell.

3.

Default password format policies:

System generates pronounceable – YES
System generates characters – NO
System generates letters only – YES
User specifies – YES

Default User Specified password:
Enable restricted password – NO
Allow Null password – NO
System generated password length – 8 characters

Default Password Aging policies:

Password Aging – ENABLED
Time between Password change ( days ) – 0
Password expiration time (days) – 182
Password expiration warning time (days) – 7
Password file expiration (days) – 196

General user account policies:
Account lifetime (days) – NONE (infinite)
Maximum period of inactivity on account (days) – NONE
Unsuccessful login retries allowed – 3
Authorize user to boot to single user mode state – NO

4. The default policy parameters listed above can be modified globally in the default database as follows:

/usr/lbin/modprdef -m option=value

e.g. /usr/lbin/modprdef -m umaxlntr=20

NOTE: for more details, refer to the modprdef man page.

getprpw (1M) getprpw (1M)
NAME
getprpw – display user’s protected password database
USAGE
/usr/lbin/getprpw [-r] [-m option[,option]] logonid
OPTIONS
-r raw display of the protected database field values
-m display the value of the option given. If -m is not specified, all protected database
fields will be displayed.
Boolean values are returned as YES, NO, or DFT (default).
A -1 value indicates that the field is undefined.
The following values will be displayed or can be selected
using the -m option:
uid logonid’s uid
bootpw boot authorization flag
audid audit id
audflg audit flag
mintm minimum time allowed between password changes
exptm password expiration time
lftm password lifetime
acctexp account expiration time
spwchg time of last successful password change
upwchg time of last unsuccessful password change
llog maximum time allowed between logins
expwarn password expiration warning time
usrpick user allowed to pick passwords
nullpw null passwords allowed
maxpwln maximum password length allowed
rstrpw restricted passwords – checked for triviality
syspnpw system generates pronounceable passwords
admnum administrative number assigned
syschpw system generates character only passwords
sysltpw system generates letter only passwords
timeod time of day allowed for login
slogint time of last successful login
ulogint time of last unsuccessful login
sloginy terminal of last successful login
uloginy terminal of last unsuccessful login
culogin consecutive number of unsuccessful logins
umaxlntr maximum number of unsuccessful logins allowed
alock administrative lock

lockout bit string representing reason account is disabled
1 = true, 0 = false
bit 1 password lifetime exceeded
2 time between logins exceeded
3 account absolute lifetime exceeded
4 unsuccessful logon attempts exceeded
5 null password set but not allowed
6 administrative lock
7 password is “*”

RETURN VALUES
0 success
1 user not privileged
2 incorrect use
3 protected database not found for user

NOTE. This is an undocumented command and not supported for direct use by
end users.

This documentation has been gathered from multiple sources, inferred or
developed empirically. No warranty is provided for its accuracy,
completeness or use.
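As an added example that is not part of these notes, a small POSIX shell function that decodes the lockout bit string described in the getprpw text above into the reasons it lists, so an administrator can see why an account was disabled before unlocking it with modprpw -k. It assumes the value is the 7-character bit string shown above, either bare (as with -r) or prefixed with "lockout="; the sample value at the end is constructed, not real getprpw output.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the 7-bit "lockout"
# string that getprpw reports, so the reason an account is disabled is known
# before deciding whether "modprpw -k" is the right remedy.
# Assumption: the value is the 7-character bit string described above, either
# bare (as with -r) or prefixed "lockout=" (as in non-raw output).

decode_lockout() {
    bits=${1#lockout=}                 # drop an optional "lockout=" prefix
    case "$bits" in
        [01][01][01][01][01][01][01]) ;;
        *) echo "invalid lockout value: $1" >&2; return 2 ;;
    esac
    reasons=""
    i=1
    rest=$bits
    while [ -n "$rest" ]; do
        b=${rest%"${rest#?}"}          # first remaining character
        rest=${rest#?}
        if [ "$b" = 1 ]; then
            case $i in
                1) r="password lifetime exceeded" ;;
                2) r="time between logins exceeded" ;;
                3) r="account absolute lifetime exceeded" ;;
                4) r="unsuccessful logon attempts exceeded" ;;
                5) r="null password set but not allowed" ;;
                6) r="administrative lock" ;;
                7) r="password is *" ;;
            esac
            reasons="$reasons; bit $i: $r"
        fi
        i=$((i + 1))
    done
    reasons=${reasons#; }              # strip the leading separator
    if [ -z "$reasons" ]; then
        echo "account not locked"
    else
        echo "$reasons"
    fi
}

# Constructed sample, shaped like "getprpw -r -m lockout <user>" output for
# a user who hit the login-retry limit (not real output):
decode_lockout 0001000
```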

—————————————————————————

getprdef (1M) getprdef (1M)
NAME
getprdef – display default database
USAGE
/usr/lbin/getprdef [-r] [-m option[,option]] [-b] [-p] [-t]
OPTIONS
-r raw display of the protected database field values
-m display the value of the option given. If -m is not specified,
all protected database fields will be displayed.
-b display password defaults
-p display time defaults
-t display login defaults
Boolean values are returned as YES, NO, or DFT (default).
A value of -1 indicates that the field is undefined.
The following values will be displayed or can be selected
using the -m option:
bootpw boot authorization flag
mintm minimum time allowed between password changes
exptm password expiration time
lftm password lifetime
llog maximum time allowed between logins
expwarn password expiration warning time
usrpick user allowed to pick passwords
nullpw null passwords allowed
maxpwln maximum password length allowed
rstrpw restricted passwords – checked for triviality
syspnpw system generates pronounceable passwords
syschpw system generates character only passwords
sysltpw system generates letter only passwords
umaxlntr max number of consecutive unsuccessful logins allowed
tmaxlntr max number of consecutive unsuccessful logins allowed per terminal
dlylntr time delay between unsuccessful login attempts
lntmout login timeout in seconds
RETURN VALUES
0 success
1 user not privileged
2 incorrect use
NOTE. This is an undocumented command and not supported for direct use by
end users.
—————————————————————————

modprpw (1M) modprpw (1M)
NAME
modprpw – modify a user’s protected database
USAGE
/usr/lbin/modprpw [-A][-E|V][-e|v][-k][-w][-x]
[-m opt=value[,opt=value]] logonid
modprpw updates the user Protected Database options with the values
specified.
It is the user's responsibility to validate all options and values before
execution.
Any fields not specified remain unchanged in the database.
OPTIONS
-A Add a new user. Requires -m uid=value and returns the admin
number the user must use as a password to login the first time.
Logonid must not already exist and can not be used with
-k, -w or -x options.
-E Expire all passwords by removing the last successful login time
from all users. All users will need to enter new passwords at
next login. Logonid or any other options are not valid with
this option.
-e Expire the password of a specific logonid.
-k Unlock or re-enable a specific logonid.
-m Modify option specified below. If an invalid option is provided
“invalid-opt” will be displayed and processing terminated.
-m options are valid only with -A (add new user) or
-k (unlock user).
Boolean values are specified as YES, NO or DFT (default).
The value=-1 indicates that the value in the database is to be
removed, and the system default value used.
Options:
uid=value logonid’s uid
bootpw=YES/NO boot authorization flag
audid=value audit id
audflg=value audit flag
mintm=value minimum days allowed between password changes
exptm=value password expiration time in days
lftm=value password lifetime in days
acctexp=value account expiration in calendar date format
llog=value maximum time allowed between logins in days
expwarn=value password expiration warning time in days
usrpick=YES/NO/DFT user allowed to pick passwords
nullpw=YES/NO/DFT null passwords allowed (NOT RECOMMENDED!)
maxpwln=value maximum password length allowed
rstrpw=YES/NO/DFT restricted passwords – checked for triviality
syspnpw=YES/NO/DFT system generates pronounceable passwords
syschpw=YES/NO/DFT system generates character only passwords
sysltpw=YES/NO/DFT system generates letter only passwords
admnum=value administrative number assigned
timeod=value time of day allowed for login
umaxlntr=value maximum number of unsuccessful logins allowed
alock=YES/NO/DFT administrative lock

The format of the timeod value is:
key0Starttime-Endtime,key1Starttime-Endtime,…,keynStarttime-Endtime
key has one of the values:
Mo – Monday
Tu – Tuesday
We – Wednesday
Th – Thursday
Fr – Friday
Sa – Saturday
Su – Sunday
Wk – Monday to Friday
Any – all days
Starttime and Endtime are hhmm 24-hour format times,
where hh = 00 – 23 and mm = 00 – 59

-V Start password aging for all users by setting the last successful
login time to the current time. No logonid or other arguments are
allowed.

-w Change the logonid's encrypted password. Not valid with any other
option.
Use: -w encrypted_password
-x Remove user’s password and return an admin number the user must
logon with and pick a new password. Not valid with any other
option.
RETURN VALUES
0 success
1 user not privileged
2 incorrect use
3 protected database not found for logonid
4 can not change entry

NOTE. This is an undocumented command and not supported for direct use by
end users.
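Since modprpw leaves validation of option values to the caller, here is an added example (not part of these notes) of a POSIX shell function that checks a timeod value against the format described in the modprpw text above before it is passed to modprpw -m timeod=... . The key names and hhmm ranges are taken from that text; the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): check a timeod value against the
# format given in the modprpw text above before passing it to
# "modprpw -m timeod=...", since modprpw leaves validation to the caller.
# Keys and hhmm ranges are taken from that text; sample values are constructed.

valid_timeod() {
    list=$1
    [ -n "$list" ] || return 1
    saved_ifs=$IFS
    IFS=,
    set -- $list                       # split on commas into entries
    IFS=$saved_ifs
    for entry in "$@"; do
        # key prefix: two-letter day names, Wk, or Any
        case "$entry" in
            Mo*|Tu*|We*|Th*|Fr*|Sa*|Su*|Wk*) times=${entry#??} ;;
            Any*) times=${entry#Any} ;;
            *) return 1 ;;
        esac
        # remainder must be exactly hhmm-hhmm with mm in 00-59
        case "$times" in
            [0-2][0-9][0-5][0-9]-[0-2][0-9][0-5][0-9]) ;;
            *) return 1 ;;
        esac
        # the pattern admits hours 00-29; restrict to 00-23
        for t in "${times%-*}" "${times#*-}"; do
            hh=${t%??}
            [ "$hh" -le 23 ] || return 1
        done
    done
    return 0
}

# Constructed values: a weekday window plus Saturday mornings, and a bad one
if valid_timeod "Wk0800-1800,Sa0900-1200"; then echo "ok"; fi
if ! valid_timeod "Mo0800-2500"; then echo "rejected hour 25"; fi
```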

—————————————————————————

modprdef (1M) modprdef (1M)
NAME
modprdef – modify default database
USAGE
/usr/lbin/modprdef -m option=value[,option=value]
modprdef updates the Default Database options with the values specified. It is the user's responsibility to validate all options and values before execution.
Any fields not specified remain unchanged in the database.
OPTIONS
-m Modify option specified below. If an invalid option is provided
“invalid-opt” will be displayed and processing terminated.
Boolean values are specified as YES or NO.
Options:
bootpw=YES/NO boot authorization flag
mintm=value minimum days allowed between password changes
exptm=value password expiration time in days
lftm=value password lifetime in days
llog=value maximum time allowed between logins in days
expwarn=value password expiration warning time in days
usrpick=YES/NO user allowed to pick passwords
nullpw=YES/NO null passwords allowed (NOT RECOMMENDED!)
maxpwln=value maximum password length allowed
rstrpw=YES/NO restricted passwords – checked for triviality
syspnpw=YES/NO system generates pronounceable passwords
syschpw=YES/NO system generates character only passwords
sysltpw=YES/NO system generates letter only passwords
umaxlntr=value maximum number of unsuccessful logins allowed
tmaxlntr=value maximum number of consecutive unsuccessful logins allowed per terminal
dlylntr=value time delay between unsuccessful login attempts
lntmout=value login timeout in seconds
RETURN VALUES
0 success
1 user not privileged
2 incorrect use
NOTE. This is an undocumented command and not supported for direct use by
end users.

http://docs.hp.com/hpux/onlinedocs/B2355-90691/B2355-90691.html

5. When you convert to a trusted system, all passwords are expired. You have to set new passwords.

To check the consistency of /etc/passwd against the trusted system password database, use the command:
/usr/sbin/authck

for more details see the man page of authck.

6. When the system locks (deactivates) a user's password, reactivate the account as follows:

From the command line:

/usr/lbin/modprpw -k logonid

This command unlocks the user account.

Or, in SAM:

go to SAM
select Users
select the particular user to activate
go to Actions
reset the password. When you reset it, the system automatically generates a new password. You can either keep that password or, if you want to replace the system-generated one, select the Modify option: it first asks for the old password (the system-generated one); then choose the "pick a password" option and enter whatever password you want.

7. How to change the default options at the command level?
Refer to the man page of "modprdef".

8. When a new user is created in the trusted system, what happens at first login?

You can create users in the trusted system, but you have to set a password for the user.

9. The user cannot give the password.
The user can change his own password.

Note: Username and password should not be identical.

10. Ensure that 2 or 3 root logins are available while running tsconvert.

11. Unsuccessful login details are available in this file:
/var/adm/syslog/syslog.log

12. rlogin-related questions

You can log in to the trusted system from other systems by using rlogin.
If you exceed the max. no. of unsuccessful logins, the account will be disabled.