From: flq <fl...@ca...> - 2006-10-24 18:32:55
Hi jamie,
More info on Trusted Mode in HP-UX
1 - This is the content of "/tcb/files/auth/system/default"
which regulates parameters when not modified at user
creation.
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200:\
:u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
:chkent:
2 - This is the content of "/tcb/files/auth/t/test" (for a
test user)
test:u_name=test:u_id#6668:\
:u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
:u_auditid#22:\
:u_auditflag#1:\
:u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#1161187976:u_lock@:\
:chkent:
These data files might be difficult to parse, and HP does not
recommend editing them directly.
Instead, using "/usr/lbin/modprpw" and
"/usr/lbin/getprpw", which in turn are not actually
"officially" supported by HP, will be safer.
The reason for locked account is specified in the user's
protected password file. e.g. /tcb/files/auth/t/test
Issuing the command "/usr/lbin/getprpw -l test" yields the
following result:
uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1,
maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Oct 18 12:12:47
2006, upwchg=Wed Oct 18 11:59:43 2006, acctexp=-1, llog=-1,
expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT,
nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1,
slogint=Wed Oct 18 12:12:56 2006, ulogint=-1, sloginy=-1,
culogin=-1, uloginy=-1, umaxlntr=-1, alock=YES,
lockout=0000010
The last field (lockout=0000010) is a flag and the meaning
of each bit is explained in "man getprpw"
This command "/usr/lbin/getprpw -m lockout -l test" yields
this string:
lockout=0000010
/quoting "man getprpw"
returns the reason for a lockout in a "bit" valued
string, where 0 = condition not present, 1 is
present. The position, left to right represents:
1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *
/end of quoting
In order to reset the password, Webmin does not need to
"know" where the original password is stored and actually
should not be able to retrieve it. It is a one-way hash.
If the user has his/her account locked up, too bad, new
password required. This is according to corporate policies.
Using this command: "/usr/lbin/modprpw -x -l test" will
reset the password of the test user but prints it on stdout.
In the code I modified, I redirected the stdout to a temp
file so I can mail it afterward. Also that command will
force the user to change his/her password at next login...so
2 birds with 1 stone.
One other thing: is it possible in the near future to
cluster different Unix platforms for, let's say, the Users and
Groups module?
I would like to have one centralized server or cluster of
servers for HelpDesk to connect to and manage users on any
Unix platform instead of having to login to each flavor.
Hope this helps and sorry for the length...
TIA
Francis Le Quellec
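As an added example (my own standalone script, not Webmin code and not part of the post above), the following Python parses the two /tcb/files/auth records quoted above using the termcap-style conventions they follow (`name=string`, `name#number`, `name@` for a capability switched off, a bare `name` for one switched on), merges the per-user record over the system default, and decodes the getprpw "lockout" bit string into the reasons listed from "man getprpw". The two records and the getprpw output are the ones quoted in the post, embedded here as constructed sample input; all function names are mine.

```python
"""Parse HP-UX Trusted Mode protected password records and decode getprpw lockout bits.
Standalone added example: not Webmin code and not from the mailing-list post.
The records and getprpw output below are the ones quoted in the post, embedded
here as constructed input so the script runs without an HP-UX box.
"""
import re

# /tcb/files/auth/system/default as quoted in the post (constructed sample input).
DEFAULT_ENTRY = r"""default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200:\
:u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
:chkent:
"""

# /tcb/files/auth/t/test as quoted in the post (hash placeholder kept as in the post).
TEST_ENTRY = r"""test:u_name=test:u_id#6668:\
:u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
:u_auditid#22:\
:u_auditflag#1:\
:u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#1161187976:u_lock@:\
:chkent:
"""

# Output of "/usr/lbin/getprpw -l test" as quoted in the post (wrapped by the mail client).
GETPRPW_OUTPUT = """uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1,
maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Oct 18 12:12:47
2006, upwchg=Wed Oct 18 11:59:43 2006, acctexp=-1, llog=-1,
expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT,
nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1,
slogint=Wed Oct 18 12:12:56 2006, ulogint=-1, sloginy=-1,
culogin=-1, uloginy=-1, umaxlntr=-1, alock=YES,
lockout=0000010"""

# Meaning of each "lockout" bit, left to right, as quoted from "man getprpw".
LOCKOUT_REASONS = (
    "past password lifetime",
    "past last login time (inactive account)",
    "past absolute account lifetime",
    "exceeded unsuccessful login attempts",
    "password required and a null password",
    "admin lock",
    "password is a *",
)

# One capability: name, then '=' (string), '#' (number), '@' (off) or nothing (on).
_CAP = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)([=#@]?)(.*)$", re.S)


def parse_prpw_entry(text):
    """Return (record_name, fields) for one backslash-continued termcap-style record."""
    joined = re.sub(r"\\\s*\n", "", text).strip()      # drop line continuations
    parts = [p for p in joined.split(":") if p]         # empty parts come from '::' joins
    name, fields = parts[0], {}
    for cap in parts[1:]:
        m = _CAP.match(cap)
        if not m:
            raise ValueError("malformed capability %r in record %r" % (cap, name))
        key, kind, value = m.groups()
        if kind == "=":
            fields[key] = value
        elif kind == "#":
            fields[key] = int(value)
        elif kind == "@":
            fields[key] = False                          # explicitly switched off
        else:
            fields[key] = True                           # bare flag: switched on
    return name, fields


def effective_fields(user_fields, default_fields):
    """System defaults apply to every u_* capability the user record does not set."""
    merged = {k: v for k, v in default_fields.items() if k.startswith("u_")}
    merged.update(user_fields)
    return merged


def decode_lockout(bits):
    """Map a getprpw lockout string such as '0000010' to the list of active reasons."""
    if len(bits) != len(LOCKOUT_REASONS) or set(bits) - {"0", "1"}:
        raise ValueError("lockout must be %d chars of 0/1, got %r" % (len(LOCKOUT_REASONS), bits))
    return [reason for bit, reason in zip(bits, LOCKOUT_REASONS) if bit == "1"]


def parse_getprpw_output(text):
    """Turn the comma-separated 'key=value' output of getprpw -l into a dict."""
    flat = re.sub(r"\s+", " ", text).strip()            # undo the mail-client wrapping
    return dict(item.split("=", 1) for item in flat.split(", "))


def lock_reasons(getprpw_text):
    """The 'reason for a locked account' a help desk would want, or [] if not locked."""
    return decode_lockout(parse_getprpw_output(getprpw_text)["lockout"])


if __name__ == "__main__":
    _, defaults = parse_prpw_entry(DEFAULT_ENTRY)
    user, fields = parse_prpw_entry(TEST_ENTRY)
    print(user, effective_fields(fields, defaults))
    print("locked because:", lock_reasons(GETPRPW_OUTPUT))
```

Note that the merge only demonstrates the inheritance rule the post states for the default file; on a real system the `/tcb/files/auth` tree is root-only, so a tool doing this must already run as root, and the values it reads (in particular `u_pwd`) should be treated as secrets and never written to a world-readable temporary file.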
> On 24/Oct/2006 09:18 flq wrote ..
> > Hi Jamie,
> >
> > thanks for the reply.
> >
> > I will have an HP Visualize Workstation running HP-UX
> > 11i next Monday. With root access thru ssh.
> >
> > In the meantime, here are the mods I did in some Perl
> > scripts in order to support some functions that I have to
> > implement.
> > In "useradmin/userlib.pl"
> >
> > I added these lines of code:
> >
> > elsif ($pft == 99) {
> >     # Just invoke the useradd command
> >     &system_logged("useradd -u $_[0]->{'uid'} -g $_[0]->{'gid'} -c \"$_[0]->{'real'}\" -d $_[0]->{'home'} -s $_[0]->{'shell'} $_[0]->{'user'}");
> >     # And set the password
> >     &system_logged("/usr/lbin/modprpw -x -l $_[0]->{'user'} >/opt/webmin/tmp.p 2>&1");
> >     &system_logged("/usr/bin/cat /opt/webmin/tmp.p | mailx -s \"Your new password for \`hostname\`\" my_email_addr\@company.com >/dev/null 2>&1");
> > }
> >
> > and in "useradmin/hpux-lib.pl":
> >
> > I changed:
> >
> > sub passfiles_type
> > {
> > return 0;
> > }
> >
> > to
> >
> > sub passfiles_type
> > {
> > return 99;
> > }
> >
> >
> >
> > I know it's not much of a mod but at least it lets me go
> > forward with the implementation of the tool in our
> > environment.
> >
> > Let me know if it is ok for now.
>
> That would work, although I would prefer to have Webmin
> write to the config files directly .. I'll do it this way
> when I write the code.
>
> > I will be able to give you information about HP-UX
> > Trusted Mode as I know ins and outs of HP's
> > implementation.
> > I have many "wish list" requests for Webmin in order to
> > be a valid solution corporate wise.
> >
> > Some examples:
> >
> > 1 - Webmin accounts security should have password
> > complexity, expiration date, etc...
>
> Nice idea .. and certainly do-able.
>
> > 2 - Integration with AD in order to control these Webmin
> > accounts from a centralized location (LDAP
> > authentication)
>
> Already possible, if you have NSS-LDAP integration setup.
>
> > 3 - The possibility for the Webmin user when he creates
> > a user on a Unix box to enter an email address to send
> > the password to.
>
> Not a bad idea ..
>
> > 4 - Using a Unix account as a template to create another
> > user.
>
> Also a good idea.
>
> > 5 - Reason for a locked account
>
> Where would this be stored though?
>
> > 6 - In the "Change password" module instead of entering
> > a new password, to just reset the account based on the
> > reason why it was locked.
>
> Again, most Unixes don't have a place to store the
> 'original' password .. although HP/UX may differ.
>
> > 7 - Change the expiry date of an account. e.g. a renewed
> > consultant's contract.
>
> This should already be do-able in the Users and Groups
> module.
>
> - Jamie
>
> > These items are all pertaining to HP Trusted Mode.
> >
> > TIA for your time
> >
> >
> > Francis
> >
> >
> > > On 23/Oct/2006 13:47 flq wrote ..
> > > > Hi all,
> > > >
> > > > I am using Webmin, a very useful tool btw, to manage
> > > > users on many Unix platforms.
> > > >
> > > > The hurdle I came across is the fact that Webmin
> > > > does not fully support HP-UX in Trusted Mode.
> > > >
> > > > I would like to know, since I did not find any
> > > > threads on mailing lists regarding that matter, if
> > > > there is an on-going effort to support the Trusted
> > > > Mode.
> > > > I would really like to see it supported as all of
> > > > the HP-UX installs I do are being setup in Trusted
> > > > Mode.
> > > > If need be, I am willing to run with that flag and
> > > > make it happen.
> > > >
> > > > Please let me know if I can be of any help in order
> > > > to resolve this issue.
> > > >
> > > > TIA
> > > >
> > > Hi Francis,
> > >
> > > I am aware of HP/UX's trusted mode, but unfortunately
> > > haven't put any effort into supporting it in Webmin,
> > > as I don't have any HP/UX hardware of my own .. and
> > > it isn't as popular an OS as Linux or Solaris.
> > >
> > > However, I would be glad to accept a patch to the
> > > Users and Groups module to add trusted mode support.
> > > Or if you could give me remote root access to a box
> > > with HP/UX installed, I should be able to update
> > > Webmin to support it.
> > >
> > > - Jamie
> > >
> > >
> > >
> ----------------------------------------------------------
> > > --------------- Using Tomcat but need to do more? Need
> > > to support web services, security? Get stuff done
> quickly with pre-integrated technology to make your job
> > > easier Download IBM WebSphere Application Server
> > > v.1.0.1 based on Apache Geronimo
> > >
> >
>
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > > -
> > > Forwarded by the Webmin mailing list at
> > > web...@li... To remove yourself
> > > from this list, go to
> > >
> >
> >
> http://lists.sourceforge.net/lists/listinfo/webadmin-list