From: Jamie C. <jca...@we...> - 2006-10-24 18:59:47
On 24/Oct/2006 11:32 flq wrote ..
> Hi jamie,
>
> More info on Trusted Mode in HP-UX
>
> 1 - This is the content of "/tcb/files/auth/system/default"
> which regulates parameters when not modified at user
> creation.
>
> default:\
>         :d_name=default:\
>         :d_boot_authenticate@:\
>         :u_pwd=*:\
>         :u_owner=root:u_auditflag#-1:\
>         :u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200:\
>         :u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=root:u_pickpw:\
>         :u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
>         :u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
>         :u_lock:\
>         :t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
>         :chkent:
>
> 2 - This is the content of "/tcb/files/auth/t/test" (for a
> test user)
>
> test:u_name=test:u_id#6668:\
>         :u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
>         :u_auditid#22:\
>         :u_auditflag#1:\
>         :u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#1161187976:u_lock@:\
>         :chkent:
>
> These data files might be difficult to parse and HP does not
> recommend editing these directly.
>
> Instead, using the "/usr/lbin/modprpw" and
> "/usr/lbin/getprpw" which in turn are not actually
> "officially" supported by HP, will be safer.
>
> The reason for locked account is specified in the user's
> protected password file. e.g. /tcb/files/auth/t/test
>
> Issuing this command "/usr/lbin/getprpw -l test" yields the
> following result:
>
> uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1,
> maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Oct 18 12:12:47
> 2006, upwchg=Wed Oct 18 11:59:43 2006, acctexp=-1, llog=-1,
> expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT,
> nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1,
> slogint=Wed Oct 18 12:12:56 2006, ulogint=-1, sloginy=-1,
> culogin=-1, uloginy=-1, umaxlntr=-1, alock=YES,
> lockout=0000010
>
> The last field (lockout=0000010) is a flag and the meaning
> of each bit is explained in "man getprpw"
>
> This command "/usr/lbin/getprpw -m lockout -l test" yields
> this string:
>
> lockout=0000010
>
> /quoting "man getprpw"
>
> returns the reason for a lockout in a "bit" valued
> string, where 0 = condition not present, 1 is
> present. The position, left to right represents:
>
> 1 past password lifetime
> 2 past last login time (inactive account)
> 3 past absolute account lifetime
> 4 exceeded unsuccessful login attempts
> 5 password required and a null password
> 6 admin lock
> 7 password is a *
>
> /end of quoting
>
>
> In order to reset the password, Webmin does not need to
> "know" where the original password is stored and actually
> should not be able to retrieve it. It is a one-way hash.
> If the user has his/her account locked up, too bad, new
> password required. This is according to corporate policies.
>
>
> Using this command: "/usr/lbin/modprpw -x -l test" will
> reset the password of the test user but prints it on stdout.
> In the code I modified, I redirected the stdout to a temp
> file so I can mail it afterward. Also that command will
> force the user to change his/her password at next login...so
> 2 birds with 1 stone.

Thanks for all the info .. It sounds like using the commands is the best
approach. BTW, how can I detect if HP/UX is in trusted mode or not?
> One other thing, is it possible in the near future to
> cluster different Unix platforms for, lets say, Users and
> Groups module?
>
> I would like to have one centralized server or cluster of
> servers for HelpDesk to connect to and manage users on any
> Unix platform instead of having to login to each flavor.

Not easily - different operating systems store different info about users.
You can cluster Linux and Solaris as they have the same /etc/passwd and
shadow formats, but not FreeBSD as it uses a master.passwd file with
different fields.

- Jamie

> Hope this helps and sorry for the length...
>
>
> TIA
>
>
> Francis Le Quellec
>
>
>
> > On 24/Oct/2006 09:18 flq wrote ..
> > > Hi Jamie,
> > >
> > > thanks for the reply.
> > >
> > > I will have an HP Visualize Workstation running HP-UX
> > > 11i next Monday. With root access thru ssh.
> > >
> > > In the mean time, here are the mods I did in some Perl
> > > script in order to support some functions that I have to
> > > implement.
> > > In "useradmin/userlib.pl"
> > >
> > > I added these lines of code:
> > >
> > > elsif ($pft == 99) {
> > >         # Just invoke the useradd command
> > >         &system_logged("useradd -u $_[0]->{'uid'} -g $_[0]->{'gid'} ".
> > >                        "-c \"$_[0]->{'real'}\" -d $_[0]->{'home'} ".
> > >                        "-s $_[0]->{'shell'} $_[0]->{'user'}");
> > >         # And set the password (modprpw -x prints the new one on stdout)
> > >         &system_logged("/usr/lbin/modprpw -x -l $_[0]->{'user'} ".
> > >                        ">/opt/webmin/tmp.p 2>&1");
> > >         # Mail the captured password to the administrator
> > >         &system_logged("/usr/bin/cat /opt/webmin/tmp.p | ".
> > >                        "mailx -s \"Your new password for \`hostname\`\" ".
> > >                        "my_email_addr\@company.com >/dev/null 2>&1");
> > > }
> > >
> > > and in "useradmin/hpux-lib.pl":
> > >
> > > I changed:
> > >
> > > sub passfiles_type
> > > {
> > > return 0;
> > > }
> > >
> > > to
> > >
> > > sub passfiles_type
> > > {
> > > return 99;
> > > }
> > >
> > >
> > >
> > > I know it's not much of a mod but at least it lets me go
> > > forward with the implementation of the tool in our
> > > environment.
> > >
> > > Let me know if it is ok for now.
> >
> > That would work, although I would prefer to have Webmin
> > write to the config files directly .. I'll do it this way
> > when I write the code.
> >
> > > I will be able to give you information about HP-UX
> > > Trusted Mode as I know ins and outs of HP's
> > > implementation.
> > > I have many "wish list" requests for Webmin in order to
> > > be a valid solution corporate wise.
> > >
> > > Some examples:
> > >
> > > 1 - Webmin accounts security should have password
> > > complexity, expiration date, etc...
> >
> > Nice idea .. and certainly do-able.
> >
> > > 2 - Integration with AD in order to control these Webmin
> > > accounts from a centralized location (LDAP
> > > authentication)
> >
> > Already possible, if you have NSS-LDAP integration setup.
> >
> > > 3 - The possibility for the Webmin user when he creates
> > > a user on a Unix box to enter an email address to send
> > > the password to.
> >
> > Not a bad idea ..
> >
> > > 4 - Using a Unix account as a template to create another
> > > user.
> >
> > Also a good idea.
> >
> > > 5 - Reason for a locked account
> >
> > Where would this be stored though?
> >
> > > 6 - In the "Change password" module instead of entering
> > > a new password, to just reset the account based on the
> > > reason why it was locked.
> >
> > Again, most Unixes don't have a place to store the
> > 'original' password .. although HP/UX may differ.
> >
> > > 7 - Change the expiry date of an account. e.g. a renewed
> > > consultant's contract.
> >
> > This should already be do-able in the Users and Groups
> > module.
> >
> > - Jamie
> >
> > > These items are all pertaining to HP Trusted Mode.
> > >
> > > TIA for your time
> > >
> > >
> > > Francis
> > >
> > >
> > > > On 23/Oct/2006 13:47 flq wrote ..
> > > > > Hi all,
> > > > >
> > > > > I am using Webmin, a very useful tool btw, to manage
> > > > > users on many Unix platforms.
> > > > >
> > > > > The hurdle I came across is the fact that Webmin
> > > > > does not fully support HP-UX in Trusted Mode.
> > > > >
> > > > > I would like to know, since I did not find any
> > > > > threads on mailing lists regarding that matter, if
> > > > > there is an on-going effort to support the Trusted
> > > > > Mode.
> > > > > I would really like to see it supported as all of
> > > > > the HP-UX installs I do are being setup in Trusted
> > > > > Mode.
> > > > > If need be, I am willing to run with that flag and
> > > > > make it happen.
> > > > >
> > > > > Please let me know if I can be of any help in order
> > > > > to resolve this issue.
> > > > >
> > > > > TIA
> > > >
> > > > Hi Francis,
> > > >
> > > > I am aware of HP/UX's trusted mode, but unfortunately
> > > > haven't put any effort into supporting it in Webmin,
> > > > as I don't have any HP/UX hardware of my own .. and
> > > > it isn't as popular an OS as Linux or Solaris.
> > > >
> > > > However, I would be glad to accept a patch to the
> > > > Users and Groups module to add trusted mode support.
> > > > Or if you could give me remote root access to a box
> > > > with HP/UX installed, I should be able to update
> > > > Webmin to support it.
> > > >
> > > > - Jamie
> > > >
> > > > -------------------------------------------------------------------------
> > > > Using Tomcat but need to do more? Need to support web services, security?
> > > > Get stuff done quickly with pre-integrated technology to make your job
> > > > easier
> > > > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > > > -
> > > > Forwarded by the Webmin mailing list at web...@li...
> > > > To remove yourself from this list, go to
> > > > http://lists.sourceforge.net/lists/listinfo/webadmin-list
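The "lockout" string that getprpw reports is easy to misread by eye, and an operator should know why an account is locked before resetting it. The following is an added example, not code from this thread or from Webmin: a POSIX sh decoder that maps each position of the seven-character bit string to the reason listed in the man page excerpt quoted above (that bit ordering is taken from the quote as-is), plus a wrapper that queries a live account. The in_trusted_mode check is an assumption: it tests for the protected password database directory under /tcb/files/auth, which the quoted messages show only exists on a Trusted Mode host.

```shell
#!/bin/sh
# Decoder for the "lockout" bit string reported by HP-UX Trusted Mode's
# getprpw (example code added here; not Webmin's own).
# Bit positions, left to right, follow the getprpw man page excerpt quoted
# in the thread; that ordering is assumed, not re-verified.

# lockout_reasons "lockout=0000010"   (or just "0000010")
# Prints one "N: reason" line per set bit, or a note when none are set.
# Returns 0 for a well-formed string, 2 for a malformed one.
lockout_reasons() {
    bits=${1#lockout=}
    # Accept exactly seven 0/1 characters and nothing else.
    case "$bits" in
        [01][01][01][01][01][01][01]) ;;
        *) echo "malformed lockout string: '$1'" >&2; return 2 ;;
    esac
    i=1
    found=0
    for reason in \
        "past password lifetime" \
        "past last login time (inactive account)" \
        "past absolute account lifetime" \
        "exceeded unsuccessful login attempts" \
        "password required and a null password" \
        "admin lock" \
        "password is a *"
    do
        bit=$(printf '%s' "$bits" | cut -c "$i")
        if [ "$bit" = 1 ]; then
            echo "$i: $reason"
            found=1
        fi
        i=$((i + 1))
    done
    [ "$found" -eq 1 ] || echo "no lockout condition set"
    return 0
}

# is_locked_out STRING: exit status 0 if any bit is set, 1 otherwise.
is_locked_out() {
    bits=${1#lockout=}
    case "$bits" in
        *1*) return 0 ;;
        *)   return 1 ;;
    esac
}

# in_trusted_mode: assumption, the protected password database directory
# only exists when the host has been converted to Trusted Mode.
in_trusted_mode() {
    [ -d /tcb/files/auth ]
}

# account_lockout_reasons USER: decode a live account's lockout status.
# Only meaningful on an HP-UX Trusted Mode host, run as root.
account_lockout_reasons() {
    if ! in_trusted_mode; then
        echo "host is not in trusted mode; nothing to query" >&2
        return 1
    fi
    lockout_reasons "$(/usr/lbin/getprpw -m lockout -l "$1")"
}

# Usage with the value shown in the thread:
#   lockout_reasons "lockout=0000010"   -> 6: admin lock
```

Because the decoder takes the string as an argument, it can be run against saved getprpw output on any machine; only account_lockout_reasons needs the HP-UX binary. A bit 4 result (exceeded unsuccessful login attempts) is the one worth alerting on separately from an admin lock, since it may indicate a password-guessing attempt rather than a routine administrative action.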