From: flq <fl...@ca...> - 2006-10-24 19:11:32
Hi Jamie,
If you issue the command "/usr/lbin/getprpw -l root" and the
system is not trusted, it will yield the following string:
System is not trusted.
And for the cluster Users and Groups, may I suggest that the
procedure uses the local module instead. Maybe the local
module has been modified to suit a particular need and
therefore it would make sense to use the local one.
I did not dig the code for the cluster module but when I
have time I will.
TIA
Francis Le Quellec
> On 24/Oct/2006 11:32 flq wrote ..
> > Hi jamie,
> >
> > More info on Trusted Mode in HP-UX
> >
> > 1 - This is the content of
> > "/tcb/files/auth/system/default" which regulates
> > parameters when not modified at user creation.
> >
> > default:\
> > :d_name=default:\
> > :d_boot_authenticate@:\
> > :u_pwd=*:\
> > :u_owner=root:u_auditflag#-1:\
> > :u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200:\
> > :u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=root:u_pickpw:\
> > :u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
> > :u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
> > :u_lock:\
> > :t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
> > :chkent:
> >
> > 2 - This is the content of "/tcb/files/auth/t/test" (for
> > a test user)
> >
> > test:u_name=test:u_id#6668:\
> > :u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
> > :u_auditid#22:\
> > :u_auditflag#1:\
> > :u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#1161187976:u_lock@:\
> > :chkent:
> >
> > These data files might be difficult to parse and HP does
> > not recommend editing these directly.
> >
> > Instead, using the "/usr/lbin/modprpw" and
> > "/usr/lbin/getprpw" which in turn are not actually
> > "officially" supported by HP, will be safer.
> >
> > The reason for locked account is specified in the user's
> > protected password file. e.g. /tcb/files/auth/t/test
> >
> > Issuing this command "/usr/lbin/getprpw -l test" yields
> > the following result:
> >
> > uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1, maxpwln=-1,
> > exptm=-1, lftm=-1, spwchg=Wed Oct 18 12:12:47 2006,
> > upwchg=Wed Oct 18 11:59:43 2006, acctexp=-1, llog=-1, expwarn=-1,
> > usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1,
> > syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Wed Oct 18 12:12:56 2006,
> > ulogint=-1, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=-1,
> > alock=YES, lockout=0000010
> >
> > The last field (lockout=0000010) is a flag and the
> > meaning of each bit is explained in "man getprpw"
> >
> > This command "/usr/lbin/getprpw -m lockout -l test"
> > yields this string:
> >
> > lockout=0000010
> >
> > /quoting "man getprpw"
> >
> > returns the reason for a lockout in a "bit" valued
> > string, where 0 = condition not present, 1 is
> > present. The position, left to right represents:
> >
> > 1 past password lifetime
> > 2 past last login time (inactive account)
> > 3 past absolute account lifetime
> > 4 exceeded unsuccessful login attempts
> > 5 password required and a null password
> > 6 admin lock
> > 7 password is a *
> >
> > /end of quoting
> >
> >
> > In order to reset the password, Webmin does not need to
> > "know" where the original password is stored and
> > actually should not be able to retrieve it. It is a
> > one-way hash. If the user has his/her account locked up,
> > too bad, new password required. This is according to
> > corporate policies.
> >
> > Using this command: "/usr/lbin/modprpw -x -l test" will
> > reset the password of the test user but prints it on
> > stdout. In the code I modified, I redirected the stdout
> > to a temp file so I can mail it afterward. Also that
> > command will force the user to change his/her password
> > at next login...so 2 birds with 1 stone.
>
> Thanks for all the info .. It sounds like using the
> commands is the best approach.
>
> BTW, how can I detect if HP/UX is in trusted mode or not?
>
> > One other thing, is it possible in the near future to
> > cluster different Unix platforms for, let's say, Users
> > and Groups module?
> >
> > I would like to have one centralized server or cluster
> > of servers for HelpDesk to connect to and manage users
> > on any Unix platform instead of having to login to each
> > flavor.
>
> Not easily - different operating systems store different
> info about users. You can cluster Linux and Solaris as
> they have the same /etc/passwd and shadow formats, but not
> FreeBSD as it uses a master.passwd file with different
> fields.
>
> - Jamie
>
> > Hope this helps and sorry for the length...
> >
> >
> > TIA
> >
> >
> > Francis Le Quellec
> >
> >
> >
> > > On 24/Oct/2006 09:18 flq wrote ..
> > > > Hi Jamie,
> > > >
> > > > thanks for the reply.
> > > >
> > > > I will have an HP Visualize Workstation running
> > > > HP-UX 11i next Monday. With root access thru ssh.
> > > >
> > > > In the meantime, here are the mods I did in some
> > > > Perl scripts in order to support some functions that
> > > > I have to implement.
> > > > In "useradmin/userlib.pl"
> > > >
> > > > I added these lines of code:
> > > >
> > > > elsif ($pft == 99) {
> > > >   # Just invoke the useradd command
> > > >   &system_logged("useradd -u $_[0]->{'uid'} -g $_[0]->{'gid'} ".
> > > >                  "-c \"$_[0]->{'real'}\" -d $_[0]->{'home'} ".
> > > >                  "-s $_[0]->{'shell'} $_[0]->{'user'}");
> > > >   # And set the password (modprpw prints the new one on stdout,
> > > >   # so capture it in a temp file and mail it afterwards)
> > > >   &system_logged("/usr/lbin/modprpw -x -l $_[0]->{'user'} ".
> > > >                  ">/opt/webmin/tmp.p 2>&1");
> > > >   &system_logged("/usr/bin/cat /opt/webmin/tmp.p | mailx -s ".
> > > >                  "\"Your new password for \`hostname\`\" ".
> > > >                  "my_email_addr\@company.com >/dev/null 2>&1");
> > > > }
> > > >
> > > > and in "useradmin/hpux-lib.pl":
> > > >
> > > > I changed:
> > > >
> > > > sub passfiles_type
> > > > {
> > > > return 0;
> > > > }
> > > >
> > > > to
> > > >
> > > > sub passfiles_type
> > > > {
> > > > return 99;
> > > > }
> > > >
> > > >
> > > >
> > > > I know it's not much of a mod but at least it lets
> > > > me go forward with the implementation of the tool in
> > > > our environment.
> > > >
> > > > Let me know if it is ok for now.
> > >
> > > That would work, although I would prefer to have
> > > Webmin write to the config files directly .. I'll do
> > > it this way when I write the code.
> > >
> > > > I will be able to give you information about HP-UX
> > > > Trusted Mode as I know ins and outs of HP's
> > > > implementation.
> > > > I have many "wish list" requests for Webmin in order
> > > > to be a valid solution corporate wise.
> > > >
> > > > Some examples:
> > > >
> > > > 1 - Webmin accounts security should have password
> > > > complexity, expiration date, etc...
> > >
> > > Nice idea .. and certainly do-able.
> > >
> > > > 2 - Integration with AD in order to control these
> > > > Webmin accounts from a centralized location (LDAP
> > > > authentication)
> > >
> > > Already possible, if you have NSS-LDAP integration
> > > setup.
> > >
> > > > 3 - The possibility for the Webmin user when he
> > > > creates a user on a Unix box to enter an email
> > > > address to send the password to.
> > >
> > > Not a bad idea ..
> > >
> > > > 4 - Using a Unix account as a template to create
> > > > another user.
> > >
> > > Also a good idea.
> > >
> > > > 5 - Reason for a locked account
> > >
> > > Where would this be stored though?
> > >
> > > > 6 - In the "Change password" module instead of
> > > > entering a new password, to just reset the account
> > > > based on the reason why it was locked.
> > >
> > > Again, most Unixes don't have a place to store the
> > > 'original' password .. although HP/UX may differ.
> > >
> > > > 7 - Change the expiry date of an account. e.g. a
> > > > renewed consultant's contract.
> > >
> > > This should already be do-able in the Users and Groups
> > > module.
> > >
> > > - Jamie
> > >
> > > > These items are all pertaining to HP Trusted Mode.
> > > >
> > > > TIA for your time
> > > >
> > > >
> > > > Francis
> > > >
> > > >
> > > > > On 23/Oct/2006 13:47 flq wrote ..
> > > > > > Hi all,
> > > > > >
> > > > > > I am using Webmin, a very useful tool btw, to
> > > > > > manage users on many Unix platforms.
> > > > > >
> > > > > > The hurdle I came across is the fact that Webmin
> > > > > > does not fully support HP-UX in Trusted Mode.
> > > > > >
> > > > > > I would like to know, since I did not find any
> > > > > > threads on mailing lists regarding that matter,
> > > > > > if there is an on-going effort to support the
> > > > > > Trusted Mode.
> > > > > > I would really like to see it supported as all
> > > > > > of the HP-UX installs I do are being setup in
> > > > > > Trusted Mode.
> > > > > > If need be, I am willing to run with that flag
> > > > > > and make it happen.
> > > > > >
> > > > > > Please let me know if I can be of any help in
> > > > > > order to resolve this issue.
> > > > > >
> > > > > > TIA
> > > > > >
> > > > > Hi Francis,
> > > > >
> > > > > I am aware of HP/UX's trusted mode, but
> > > > > unfortunately haven't put any effort into
> > > > > supporting it in Webmin, as I don't have any HP/UX
> > > > > hardware of my own .. and it isn't as popular an
> > > > > OS as Linux or Solaris.
> > > > > However, I would be glad to accept a patch to the
> > > > > Users and Groups module to add trusted mode
> > > > > support. Or if you could give me remote root
> > > > > access to a box with HP/UX installed, I should be
> > > > > able to update Webmin to support it.
> > > > >
> > > > > - Jamie
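Decoding the getprpw output and the lockout bit string discussed in this thread, as an added example that is not part of the thread or of Webmin; it assumes only the two output formats quoted above, and the sample line is constructed from the values Francis posted.

```python
"""Decode HP-UX Trusted Mode getprpw output (added example, not Webmin code).
Assumes the formats quoted in the thread: 'key=value, ...' lines from
'/usr/lbin/getprpw -l USER' and 'System is not trusted.' when untrusted."""

# Bit positions of the lockout string, left to right, per "man getprpw"
LOCKOUT_REASONS = (
    "past password lifetime",
    "past last login time (inactive account)",
    "past absolute account lifetime",
    "exceeded unsuccessful login attempts",
    "password required and a null password",
    "admin lock",
    "password is a *",
)
NOT_TRUSTED = "System is not trusted."

def parse_getprpw(output):
    """Turn 'uid=6668, bootpw=NO, ...' into a dict; None if not trusted."""
    text = output.strip()
    if text == NOT_TRUSTED:
        return None
    fields = {}
    for item in text.split(", "):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def lockout_reasons(bits):
    """Map a lockout string such as '0000010' to the reasons that are set."""
    if len(bits) != len(LOCKOUT_REASONS) or set(bits) - {"0", "1"}:
        raise ValueError("unexpected lockout string: %r" % bits)
    return [reason for flag, reason in zip(bits, LOCKOUT_REASONS) if flag == "1"]

def account_status(output):
    """Summarise trusted-mode state and lock reasons for one getprpw result."""
    fields = parse_getprpw(output)
    if fields is None:
        return {"trusted": False, "locked": False, "reasons": []}
    reasons = lockout_reasons(fields.get("lockout", "0000000"))
    locked = fields.get("alock") == "YES" or bool(reasons)
    return {"trusted": True, "locked": locked, "reasons": reasons}

# Constructed sample built from the values quoted in the thread
SAMPLE = ("uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1, maxpwln=-1, "
          "spwchg=Wed Oct 18 12:12:47 2006, alock=YES, lockout=0000010")

if __name__ == "__main__":
    print(account_status(SAMPLE))
    print(account_status(NOT_TRUSTED))
```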