From: flq <fl...@ca...> - 2006-10-24 16:18:24
Hi Jamie,
thanks for the reply.
I will have an HP Visualize Workstation running HP-UX 11i
next Monday. With root access thru ssh.
In the meantime, here are the mods I did in some Perl scripts
in order to support some functions that I have to implement.
In "useradmin/userlib.pl"
I added these lines of code:
elsif ($pft == 99) {
	# HP-UX Trusted Mode: create the account with useradd. Every field
	# comes from the web form, so quote it for the shell before
	# interpolating it into the command line.
	local $u = $_[0];
	&system_logged("useradd -u ".quotemeta($u->{'uid'}).
		       " -g ".quotemeta($u->{'gid'}).
		       " -c ".quotemeta($u->{'real'}).
		       " -d ".quotemeta($u->{'home'}).
		       " -s ".quotemeta($u->{'shell'}).
		       " ".quotemeta($u->{'user'}));
	# modprpw -x sets a generated password, prints it on stdout and
	# forces a change at next login. Capture it in a root-only temp
	# file (umask 077), mail it, then remove the file.
	local $tmp = "/opt/webmin/tmp.p";
	&system_logged("umask 077; /usr/lbin/modprpw -x -l ".
		       quotemeta($u->{'user'})." >$tmp 2>&1");
	&system_logged("/usr/bin/cat $tmp | mailx -s \"Your new password for \`hostname\`\" ".
		       "my_email_addr\@company.com >/dev/null 2>&1");
	unlink($tmp);
}
and in "useradmin/hpux-lib.pl":
I changed:
sub passfiles_type
{
return 0;
}
to
sub passfiles_type
{
return 99;
}
I know it's not much of a mod but at least it lets me go
forward with the implementation of the tool in our
environment.
Let me know if it is ok for now.
I will be able to give you information about HP-UX Trusted
Mode as I know ins and outs of HP's implementation.
I have many "wish list" requests for Webmin in order to be a
valid solution corporate wise.
Some examples:
1 - Webmin accounts security should have password
complexity, expiration date, etc...
2 - Integration with AD in order to control these Webmin
accounts from a centralized location (LDAP authentication)
3 - The possibility for the Webmin user when he creates a
user on a Unix box to enter an email address to send the
password to.
4 - Using a Unix account as a template to create another
user.
5 - Reason for a locked account
6 - In the "Change password" module instead of entering a
new password, to just reset the account based on the reason
why it was locked.
7 - Change the expiry date of an account. e.g. a renewed
consultant's contract.
These items are all pertaining to HP Trusted Mode.
TIA for your time
Francis
> On 23/Oct/2006 13:47 flq wrote ..
> > Hi all,
> >
> > I am using Webmin, a very useful tool btw, to manage
> > users on many Unix platforms.
> >
> > The hurdle I came across is the fact that Webmin does
> > not fully support HP-UX in Trusted Mode.
> >
> > I would like to know, since I did not find any threads
> > on mailing lists regarding that matter, if there is an
> > on-going effort to support the Trusted Mode.
> >
> > I would really like to see it supported as all of the
> > HP-UX installs I do are being setup in Trusted Mode.
> >
> > If need be, I am willing to run with that flag and make
> > it happen.
> >
> > Please let me know if I can be of any help in order to
> > resolve this issue.
> >
> > TIA
> >
> Hi Francis,
>
> I am aware of HP/UX's trusted mode, but unfortunately
> haven't put any effort into supporting it in Webmin, as I
> don't have any HP/UX hardware of my own .. and it isn't
> as popular an OS as Linux or Solaris.
>
> However, I would be glad to accept a patch to the Users
> and Groups module to add trusted mode support. Or if you
> could give me remote root access to a box with HP/UX
> installed, I should be able to update Webmin to support
> it.
>
> - Jamie
>
> ----------------------------------------------------------
> --------------- Using Tomcat but need to do more? Need to
> support web services, security? Get stuff done quickly
> with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on
> Apache Geronimo
>
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> -
> Forwarded by the Webmin mailing list at
> web...@li... To remove yourself
> from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-list
From: flq <fl...@ca...> - 2006-10-24 18:32:55
Hi jamie,
More info on Trusted Mode in HP-UX
1 - This is the content of "/tcb/files/auth/system/default"
which regulates parameters when not modified at user
creation.
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200:\
:u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
:chkent:
2 - This is the content of "/tcb/files/auth/t/test" (for a
test user)
test:u_name=test:u_id#6668:\
:u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
:u_auditid#22:\
:u_auditflag#1:\
:u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#1161187976:u_lock@:\
:chkent:
These data files might be difficult to parse and HP does not
recommend editing these directly.
Instead, using "/usr/lbin/modprpw" and "/usr/lbin/getprpw",
which in turn are not actually "officially" supported by HP,
will be safer.
The reason for locked account is specified in the user's
protected password file. e.g. /tcb/files/auth/t/test
Issuing this command "/usr/lbin/getprpw -l test" yields the
following result:
uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1,
maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Oct 18 12:12:47
2006, upwchg=Wed Oct 18 11:59:43 2006, acctexp=-1, llog=-1,
expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT,
nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1,
slogint=Wed Oct 18 12:12:56 2006, ulogint=-1, sloginy=-1,
culogin=-1, uloginy=-1, umaxlntr=-1, alock=YES,
lockout=0000010
The last field (lockout=0000010) is a flag and the meaning
of each bit is explained in "man getprpw"
This command "/usr/lbin/getprpw -m lockout -l test" yields
this string:
lockout=0000010
/quoting "man getprpw"
returns the reason for a lockout in a "bit" valued
string, where 0 = condition not present, 1 is
present. The position, left to right represents:
1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *
/end of quoting
In order to reset the password, Webmin does not need to
"know" where the original password is stored and actually
should not be able to retrieve it. It is a one-way hash.
If the user has his/her account locked up, too bad, new
password required. This is according to corporate policies.
Using this command: "/usr/lbin/modprpw -x -l test" will
reset the password of the test user but prints it on stdout.
In the code I modified, I redirected the stdout to a temp
file so I can mail it afterward. Also that command will
force the user to change his/her password at next login...so
2 birds with 1 stone.
One other thing, is it possible in the near future to
cluster different Unix platforms for, lets say, Users and
Groups module?
I would like to have one centralized server or cluster of
servers for HelpDesk to connect to and manage users on any
Unix platform instead of having to login to each flavor.
Hope this helps and sorry for the length...
TIA
Francis Le Quellec
> On 24/Oct/2006 09:18 flq wrote ..
> > Hi Jamie,
> >
> > thanks for the reply.
> >
> > I will have an HP Visualize Workstation running HP-UX
> > 11i next Monday. With root access thru ssh.
> >
> > In the mean time, here is the mods I did in some Perl
> > script in order to support some functions that I have to
> > implement.
> > In "useradmin/userlib.pl"
> >
> > I added these lines of code:
> >
> > elsif ($pft == 99) {
> > # Just invoke the useradd command
> > &system_logged("useradd -u $_[0]->{'uid'} -g
> > $_[0]->{'gid'} -c "$_[0]->{'real'}" -d $_[0]->{'home
> > '} -s $_[0]->{'shell'} $_[0]->{'user'}");
> > # And set the password
> > &system_logged("/usr/lbin/modprpw -x -l
> > $_[0]->{'user'} >/opt/webmin/tmp.p 2>&1");
> > &system_logged("/usr/bin/cat /opt/webmin/tmp.p |
> > mailx -s "Your new password for \`hostname\`"
> > my_email_addr\@company.com >/dev/null 2>&1");
> > }
> >
> > and in "useradmin/hpux-lib.pl:
> >
> > I changed:
> >
> > sub passfiles_type
> > {
> > return 0;
> > }
> >
> > to
> >
> > sub passfiles_type
> > {
> > return 99;
> > }
> >
> >
> >
> > I know it's not much of a mod but at least it lets me go
> > forward with the implementation of the tool in our
> > environment.
> >
> > Let me know if it is ok for now.
>
> That would work, although I would prefer to have Webmin
> write to the config files directly .. I'll do it this way
> when I write the code.
>
> > I will be able to give you information about HP-UX
> > Trusted Mode as I know ins and outs of HP's
> > implementation.
> > I have many "wish list" requests for Webmin in order to
> > be a valid solution corporate wise.
> >
> > Some examples:
> >
> > 1 - Webmin accounts security should have password
> > complexity, expiration date, etc...
>
> Nice idea .. and certainly do-able.
>
> > 2 - Integration with AD in order to control these Webmin
> > accounts from a centralized location (LDAP
> authentication)
>
> Already possible, if you have NSS-LDAP integration setup.
>
> > 3 - The possibility for the Webmin user when he creates
> > a user on a Unix box to enter an email address to send
> > the password to.
>
> Not a bad idea ..
>
> > 4 - Using a Unix account as a template to create another
> > user.
>
> Also a good idea.
>
> > 5 - Reason for a locked account
>
> Where would this be stored though?
>
> > 6 - In the "Change password" module instead of entering
> > a new password, to just reset the account based on the
> > reason why it was locked.
>
> Again, most Unixes don't have a place to store the
> 'original' password .. although HP/UX may differ.
>
> > 7 - Change the expiry date of an account. e.g. a renewed
> > consultant's contract.
>
> This should already be do-able in the Users and Groups
> module.
>
> - Jamie
>
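An added example (not code from this thread and not Webmin's own) that parses the two /tcb/files/auth entries quoted above, so the format can be read without editing it. The field syntax it handles is only what those two entries show: name=string, name#number, a bare name as a set flag and name@ as a cleared flag, colon separators and backslash line continuation. The two entries are embedded as constructed strings instead of being read from /tcb. That a field in the user's own entry takes precedence over the same field in the system default is assumed from the description of the default file above ("regulates parameters when not modified at user creation"), not taken from HP documentation, so effective_fields encodes a working assumption.

```perl
#!/usr/bin/perl
# Added example, not Webmin code: parse HP-UX Trusted Mode protected
# password entries. Input below is the two entries posted in this thread,
# embedded as constructed strings instead of reading /tcb/files/auth.
use strict;
use warnings;

my $default_entry = <<'END';
default:\
    :d_name=default:\
    :d_boot_authenticate@:\
    :u_pwd=*:\
    :u_owner=root:u_auditflag#-1:\
    :u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200:\
    :u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=root:u_pickpw:\
    :u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
    :u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
    :u_lock:\
    :t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
    :chkent:
END

my $user_entry = <<'END';
test:u_name=test:u_id#6668:\
    :u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
    :u_auditid#22:\
    :u_auditflag#1:\
    :u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#1161187976:u_lock@:\
    :chkent:
END

# Fold the backslash-continued lines, then split the colon-separated
# record. Field forms seen in the entries above: name=string, name#number,
# name (flag set), name@ (flag cleared). Returns (entry name, hashref).
sub parse_tcb_entry {
    my ($text) = @_;
    $text =~ s/\\\n\s*//g;
    $text =~ s/\s+\z//;
    my ($name, @fields) = split(/:/, $text);
    my %f;
    for my $field (@fields) {
        next if $field eq '';
        if    ($field =~ /^([^=#\@]+)=(.*)\z/)    { $f{$1} = $2 }
        elsif ($field =~ /^([^=#\@]+)#(-?\d+)\z/) { $f{$1} = $2 + 0 }
        elsif ($field =~ /^([^=#\@]+)\@\z/)       { $f{$1} = 0 }
        elsif ($field =~ /^([^=#\@]+)\z/)         { $f{$1} = 1 }
        else { die "cannot parse field '$field' in entry '$name'\n" }
    }
    die "entry '$name' is not terminated by chkent\n" unless $f{chkent};
    return ($name, \%f);
}

# Assumed precedence: a u_* field present in the user's own entry wins,
# anything missing there falls back to the system default entry.
sub effective_fields {
    my ($default, $user) = @_;
    my %eff = map { $_ => $default->{$_} } grep { /^u_/ } keys %$default;
    $eff{$_} = $user->{$_} for keys %$user;
    return \%eff;
}

my ($dname, $def) = parse_tcb_entry($default_entry);
my ($uname, $usr) = parse_tcb_entry($user_entry);
my $eff = effective_fields($def, $usr);

# u_id comes from the user entry; u_maxtries and u_minchg only exist in
# the default entry, so they show the fallback at work.
printf "%s: uid=%d maxtries=%d minchg=%ds pwd_set=%s\n", $uname,
    $eff->{u_id}, $eff->{u_maxtries}, $eff->{u_minchg},
    $eff->{u_pwd} ne '*' ? 'yes' : 'no';
```

The parser dies rather than guessing on a field it does not recognise, which is the behaviour you want in a module that will later write back to a file HP says not to edit by hand: a silently mis-read entry is worse than a refused one.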
From: Jamie C. <jca...@we...> - 2006-10-24 18:59:47
On 24/Oct/2006 11:32 flq wrote ..
> Hi jamie,
>
> More info on Trusted Mode in HP-UX
>
> 1 - This is the content of "/tcb/files/auth/system/default"
> which regulates parameters when not modified at user
> creation.
>
> default:\
> :d_name=default:\
> :d_boot_authenticate@:\
> :u_pwd=*:\
> :u_owner=root:u_auditflag#-1:\
>
> :u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200:\
>
> :u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=root:u_pickpw:\
> :u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
>
> :u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
> :u_lock:\
> :t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
> :chkent:
>
> 2 - This is the content of "/tcb/files/auth/t/test" (for a
> test user)
>
> test:u_name=test:u_id#6668:\
> :u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
> :u_auditid#22:\
> :u_auditflag#1:\
>
> :u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#1161187976:u_lock@:\
> :chkent:
>
> These data files might be difficult to parse and HP does not
> recommend editing these directly.
>
> Instead, using the "/usr/lbin/modprpw" and
> "/usr/lbin/getprpw" which in turn are not actually
> "officially" supported by HP, will be safer.
>
> The reason for locked account is specified in the user's
> protected password file. e.g. /tcb/files/auth/t/test
>
> Issueing this command "/usr/lbin/getprpw -l test" yields the
> following result:
>
> uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1,
> maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Oct 18 12:12:47
> 2006, upwchg=Wed Oct 18 11:59:43 2006, acctexp=-1, llog=-1,
> expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT,
> nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1,
> slogint=Wed Oct 18 12:12:56 2006, ulogint=-1, sloginy=-1,
> culogin=-1, uloginy=-1, umaxlntr=-1, alock=YES,
> lockout=0000010
>
> The last field (lockout=0000010) is a flag and the meaning
> of each bit is explained in "man getprpw"
>
> This command "/usr/lbin/getprpw -m lockout -l test" yields
> this string:
>
> lockout=0000010
>
> /quoting "man getprpw"
>
> returns the reason for a lockout in a "bit" valued
> string, where 0 = condition not present, 1 is
> present. The position, left to right represents:
>
> 1 past password lifetime
> 2 past last login time (inactive account)
> 3 past absolute account lifetime
> 4 exceeded unsuccessful login attempts
> 5 password required and a null password
> 6 admin lock
> 7 password is a *
>
> /end of quoting
>
>
> In order to reset the password, Webmin does not need to
> "know" where the original password is stored and actually
> should not be able to retrieve it. It is a one-way hash.
> If the user has his/her account locked up, too bad, new
> password required. This is according to corporate policies.
>
>
> Using this command: "/usr/lbin/modprpw -x -l test" will
> reset the password of the test user but prints it on stdout.
> In the code I modified, I redirected the stdout to a temp
> file so I can mail it afterward. Also that command will
> force the user to change his/her password at next login...so
> 2 birds with 1 stone.
Thanks for all the info .. It sounds like using the commands
is the best approach.
BTW, how can I detect if HP/UX is in trusted mode or not?
> One other thing, is it possible in the near future to
> cluster different Unix platforms for, lets say, Users and
> Groups module?
>
> I would like to have one centralized server or cluster of
> servers for HelpDesk to connect to and manage users on any
> Unix platform instead of having to login to each flavor.
Not easily - different operating systems store different info
about users. You can cluster Linux and Solaris as they have
the same /etc/passwd and shadow formats, but not FreeBSD as it
uses a master.passwd file with different fields.
- Jamie
> Hope this helps and sorry for the length...
>
>
> TIA
>
>
> Francis Le Quellec
From: flq <fl...@ca...> - 2006-10-24 19:11:32
Hi Jamie,
If you issue the command "/usr/lbin/getprpw -l root" and the
system is not trusted, it will yield the following string:
System is not trusted.
And for the cluster Users and Groups, may I suggest that the
procedure uses the local module instead. Maybe the local
module has been modified to suit a particular need and
therefore it would make sense to use the local one.
I did not dig the code for the cluster module but when I
have time I will.
TIA
Francis Le Quellec
> On 24/Oct/2006 11:32 flq wrote ..
> > Hi jamie,
> >
> > More info on Trusted Mode in HP-UX
> >
> > 1 - This is the content of
> > "/tcb/files/auth/system/default" which regulates
> > parameters when not modified at user creation.
> >
> > default:\
> > :d_name=default:\
> > :d_boot_authenticate@:\
> > :u_pwd=*:\
> > :u_owner=root:u_auditflag#-1:\
> >
> >
> :u_minchg#86400:u_maxlen#20:u_exp#10368000:u_life#11059200
> > :\
> >
> :u_llogin#7776000:u_pw_expire_warning#432000:u_pswduser=ro
> > ot:u_pickpw:\
> > :u_genpwd@:u_restrict:u_nullpw@:u_genchars@:\
> > :u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#5:\
> > :u_lock:\
> > :t_logdelay#2:t_maxtries#10:t_login_timeout#60:\
> > :chkent:
> >
> > 2 - This is the content of "/tcb/files/auth/t/test" (for
> > a test user)
> >
> > test:u_name=test:u_id#6668:\
> > :u_pwd=MY_ENCRYPTED_PASSWORD_GOES_HERE:\
> > :u_auditid#22:\
> > :u_auditflag#1:\
> >
> >
> :u_succhg#1161187967:u_unsucchg#1161187183:u_suclog#116118
> > 7976:u_lock@:\ :chkent:
> >
> > These data files might be difficult to parse and HP does
> > not recommend editing these directly.
> >
> > Instead, using the "/usr/lbin/modprpw" and
> > "/usr/lbin/getprpw" which in turn are not actually
> > "officially" supported by HP, will be safer.
> >
> > The reason for locked account is specified in the user's
> > protected password file. e.g. /tcb/files/auth/t/test
> >
> > Issueing this command "/usr/lbin/getprpw -l test" yields
> > the following result:
> >
> > uid=6668, bootpw=NO, audid=22, audflg=1, mintm=-1,
> > maxpwln=-1, exptm=-1, lftm=-1, spwchg=Wed Oct 18
> > 12:12:47 2006, upwchg=Wed Oct 18 11:59:43 2006,
> > acctexp=-1, llog=-1, expwarn=-1, usrpick=DFT,
> > syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1,
> > syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Wed Oct 18
> > 12:12:56 2006, ulogint=-1, sloginy=-1, culogin=-1,
> > uloginy=-1, umaxlntr=-1, alock=YES, lockout=0000010
> >
> > The last field (lockout=0000010) is a flag and the
> > meaning of each bit is explained in "man getprpw"
> >
> > This command "/usr/lbin/getprpw -m lockout -l test"
> > yields this string:
> >
> > lockout=0000010
> >
> > /quoting "man getprpw"
> >
> > returns the reason for a lockout in a "bit" valued
> > string, where 0 = condition not present, 1 is
> > present. The position, left to right represents:
> >
> > 1 past password lifetime
> > 2 past last login time (inactive account)
> > 3 past absolute account lifetime
> > 4 exceeded unsuccessful login attempts
> > 5 password required and a null password
> > 6 admin lock
> > 7 password is a *
> >
> > /end of quoting
> >
> >
> > In order to reset the password, Webmin does not need to
> > "know" where the original password is stored and
> > actually should not be able to retrieve it. It is a
> > one-way hash. If the user has his/her account locked up
> > , too bad, new password required. This is according to
> > corporate policies.
> >
> > Using this command: "/usr/lbin/modprpw -x -l test" will
> > reset the password of the test user but prints it on
> > stdout. In the code I modified, I redirected the stdout
> > to a temp file so I can mail it afterward. Also that
> > command will force the user to change his/her password
> > at next login...so 2 birds with 1 stone.
>
> Thanks for all the info .. It sounds like using the
> commands is the best approach.
>
> BTW, how can I detect if HP/UX is in trusted mode or not?
>
> > One other thing, is it possible in the near future to
> > cluster different Unix platforms for, lets say, Users
> > and Groups module?
> >
> > I would like to have one centralized server or cluster
> > of servers for HelpDesk to connect to and manage users
> > on any Unix platform instead of having to login to each
> flavor.
>
> Not easily - different operating systems store different
> info about users. You can cluster Linux and Solaris as
> they have the same /etc/passwd and shadow formats, but not
> FreeBSD as it uses a master.passwd file with different
> fields.
>
> - Jamie
>
> > Hope this helps and sorry for the length...
> >
> >
> > TIA
> >
> >
> > Francis Le Quellec
> >
> >
> >
> > > On 24/Oct/2006 09:18 flq wrote ..
> > > > Hi Jamie,
> > > >
> > > > thanks for the reply.
> > > >
> > > > I will have an HP Visualize Workstation running
> > > > HP-UX 11i next Monday. With root access thru ssh.
> > > >
> > > > In the mean time, here is the mods I did in some
> > > > Perl script in order to support some functions that
> > > > I have to implement.
> > > > In "useradmin/userlib.pl"
> > > >
> > > > I added these lines of code:
> > > >
> > > > elsif ($pft == 99) {
> > > > # Just invoke the useradd command
> > > > &system_logged("useradd -u $_[0]->{'uid'} -g
> > > > $_[0]->{'gid'} -c "$_[0]->{'real'}" -d $_[0]->{'home
> > > > '} -s $_[0]->{'shell'} $_[0]->{'user'}");
> > > > # And set the password
> > > > &system_logged("/usr/lbin/modprpw -x -l
> > > > $_[0]->{'user'} >/opt/webmin/tmp.p 2>&1");
> > > > &system_logged("/usr/bin/cat
> > > > /opt/webmin/tmp.p | mailx -s "Your new password for
> > > > \`hostname\`" my_email_addr\@company.com >/dev/null
> > > > 2>&1"); }
> > > >
> > > > and in "useradmin/hpux-lib.pl:
> > > >
> > > > I changed:
> > > >
> > > > sub passfiles_type
> > > > {
> > > > return 0;
> > > > }
> > > >
> > > > to
> > > >
> > > > sub passfiles_type
> > > > {
> > > > return 99;
> > > > }
> > > >
> > > >
> > > >
> > > > I know it's not much of a mod but at least it lets
> > > > me go forward with the implementation of the tool in
> > > > our environment.
> > > >
> > > > Let me know if it is ok for now.
> > >
> > > That would work, although I would prefer to have
> > > Webmin write to the config files directly .. I'll do
> > > it this way when I write the code.
> > >
> > > > I will be able to give you information about HP-UX
> > > > Trusted Mode as I know ins and outs of HP's
> > > > implementation.
> > > > I have many "wish list" requests for Webmin in order
> > > > to be a valid solution corporate wise.
> > > >
> > > > Some examples:
> > > >
> > > > 1 - Webmin accounts security should have password
> > > > complexity, expiration date, etc...
> > >
> > > Nice idea .. and certainly do-able.
> > >
> > > > 2 - Integration with AD in order to control these
> > > > Webmin accounts from a centralized location (LDAP
> > > authentication)
> > >
> > > Already possible, if you have NSS-LDAP integration
> > > setup.
> > > > 3 - The possibility for the Webmin user when he
> > > > creates a user on a Unix box to enter an email
> > > > address to send the password to.
> > >
> > > Not a bad idea ..
> > >
> > > > 4 - Using a Unix account as a template to create
> > > > another user.
> > >
> > > Also a good idea.
> > >
> > > > 5 - Reason for a locked account
> > >
> > > Where would this be stored though?
> > >
> > > > 6 - In the "Change password" module instead of
> > > > entering a new password, to just reset the account
> > > > based on the reason why it was locked.
> > >
> > > Again, most Unixes don't have a place to store the
> > > 'original' password .. although HP/UX may differ.
> > >
> > > > 7 - Change the expiry date of an account. e.g. a
> > > > renewed consultant's contract.
> > >
> > > This should already be do-able in the Users and Groups
> > > module.
> > >
> > > - Jamie
> > >
> > > > These items are all pertaining to HP Trusted Mode.
> > > >
> > > > TIA for your time
> > > >
> > > >
> > > > Francis
> > > >
> > > >
> > > > > On 23/Oct/2006 13:47 flq wrote ..
> > > > > > Hi all,
> > > > > >
> > > > > > I am using Webmin, a very useful tool btw, to
> > > > > > manage users on many Unix platforms.
> > > > > >
> > > > > > The hurdle I came across is the fact that Webmin
> > > > > > does not fully support HP-UX in Trusted Mode.
> > > > > >
> > > > > > I would like to know, since I did not find any
> > > > > > threads on mailing lists regarding that matter,
> > > > > > if there is an on-going effort to support the
> > > > > > Trusted Mode.
> > > > > > I would really like to see it supported as all
> > > > > > of the HP-UX installs I do are being set up in
> > > > > > Trusted Mode.
> > > > > > If need be, I am willing to run with that flag
> > > > > > and make it happen.
> > > > > >
> > > > > > Please let me know if I can be of any help in
> > > > > > order to resolve this issue.
> > > > > >
> > > > > > TIA
> > > > > >
> > > > > Hi Francis,
> > > > >
> > > > > I am aware of HP/UX's trusted mode, but
> > > > > unfortunately haven't put any effort into
> > > > > supporting it in Webmin, as I don't have any HP/UX
> > > > > hardware of my own .. and it isn't as popular an
> > > > > OS as Linux or Solaris.
> > > > > However, I would be glad to accept a patch to the
> > > > > Users and Groups module to add trusted mode
> > > > > support. Or if you could give me remote root
> > > > > access to a box with HP/UX installed, I should be
> > > > > able to update Webmin to support it.
> > > > >
> > > > > - Jamie
|
|
From: Jamie C. <jca...@we...> - 2006-10-24 17:13:31
|
On 24/Oct/2006 09:18 flq wrote ..
> Hi Jamie,
>
> thanks for the reply.
>
> I will have an HP Visualize Workstation running HP-UX 11i
> next Monday. With root access thru ssh.
>
> In the meantime, here are the mods I did in some Perl script
> in order to support some functions that I have to implement.
>
> In "useradmin/userlib.pl"
>
> I added these lines of code:
>
> elsif ($pft == 99) {
>     # Just invoke the useradd command
>     &system_logged("useradd -u $_[0]->{'uid'} -g $_[0]->{'gid'} -c \"$_[0]->{'real'}\" -d $_[0]->{'home'} -s $_[0]->{'shell'} $_[0]->{'user'}");
>     # And set the password
>     &system_logged("/usr/lbin/modprpw -x -l $_[0]->{'user'} >/opt/webmin/tmp.p 2>&1");
>     &system_logged("/usr/bin/cat /opt/webmin/tmp.p | mailx -s \"Your new password for \`hostname\`\" my_email_addr\@company.com >/dev/null 2>&1");
> }
>
> and in "useradmin/hpux-lib.pl":
>
> I changed:
>
> sub passfiles_type
> {
> return 0;
> }
>
> to
>
> sub passfiles_type
> {
> return 99;
> }
>
>
>
> I know it's not much of a mod but at least it lets me go
> forward with the implementation of the tool in our
> environment.
>
> Let me know if it is ok for now.
That would work, although I would prefer to have Webmin write
to the config files directly .. I'll do it this way when I
write the code.
> I will be able to give you information about HP-UX Trusted
> Mode as I know ins and outs of HP's implementation.
>
> I have many "wish list" requests for Webmin in order to be a
> valid solution corporate wise.
>
> Some examples:
>
> 1 - Webmin accounts security should have password
> complexity, expiration date, etc...
Nice idea .. and certainly do-able.
> 2 - Integration with AD in order to control these Webmin
> accounts from a centralized location (LDAP authentication)
Already possible, if you have NSS-LDAP integration set up.
> 3 - The possibility for the Webmin user when he creates a
> user on a Unix box to enter an email address to send the
> password to.
Not a bad idea ..
> 4 - Using a Unix account as a template to create another
> user.
Also a good idea.
> 5 - Reason for a locked account
Where would this be stored though?
> 6 - In the "Change password" module instead of entering a
> new password, to just reset the account based on the reason
> why it was locked.
Again, most Unixes don't have a place to store the 'original'
password .. although HP/UX may differ.
> 7 - Change the expiry date of an account. e.g. a renewed
> consultant's contract.
This should already be do-able in the Users and Groups module.
- Jamie
> These items are all pertaining to HP Trusted Mode.
>
> TIA for your time
>
>
> Francis
>
>
> > On 23/Oct/2006 13:47 flq wrote ..
> > > Hi all,
> > >
> > > I am using Webmin, a very useful tool btw, to manage
> > > users on many Unix platforms.
> > >
> > > The hurdle I came across is the fact that Webmin does
> > > not fully support HP-UX in Trusted Mode.
> > >
> > > I would like to know, since I did not find any threads
> > > on mailing lists regarding that matter, if there is an
> > > on-going effort to support the Trusted Mode.
> > >
> > > I would really like to see it supported as all of the
> > > HP-UX installs I do are being set up in Trusted Mode.
> > >
> > > If need be, I am willing to run with that flag and make
> > > it happen.
> > >
> > > Please let me know if I can be of any help in order to
> > > resolve this issue.
> > >
> > > TIA
> > >
> > Hi Francis,
> >
> > I am aware of HP/UX's trusted mode, but unfortunately
> > haven't put any effort into supporting it in Webmin, as I
> > don't have any HP/UX hardware of my own .. and it isn't
> > as popular an OS as Linux or Solaris.
> >
> > However, I would be glad to accept a patch to the Users
> > and Groups module to add trusted mode support. Or if you
> > could give me remote root access to a box with HP/UX
> > installed, I should be able to update Webmin to support
> > it.
> >
> > - Jamie
> >
> > Forwarded by the Webmin mailing list at
> > web...@li... To remove yourself
> > from this list, go to
> > http://lists.sourceforge.net/lists/listinfo/webadmin-list
>
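As an added example, not code from the posted patch or from Webmin itself, here is the same useradd / modprpw / mailx sequence written so that every field is checked against a whitelist and every external command receives its arguments as a list, so no shell ever parses the GECOS string, home path or address, and the generated password stays in memory instead of in a fixed file under /opt/webmin. The whitelist patterns, the 8-character username limit, the sample user record and all helper names are assumptions; the modprpw and mailx flags are the ones the posted snippet uses.

```perl
#!/usr/bin/perl
# Added example (not Webmin's own code): useradd + modprpw + mailx for
# HP-UX Trusted Mode with validated fields and no shell in the loop.
use strict;
use warnings;
use Sys::Hostname;   # core module; replaces the backticked `hostname`

# Per-field whitelists (assumptions, tighten to local policy). The GECOS
# field is the loosest, which is exactly why it must never reach a shell.
my %FIELD_RE = (
    user  => qr/^[a-z_][a-z0-9_-]{0,7}$/,     # classic 8-char limit (assumed)
    uid   => qr/^[0-9]{1,10}$/,
    gid   => qr/^[0-9]{1,10}$/,
    home  => qr{^/[A-Za-z0-9._/-]+$},
    shell => qr{^/[A-Za-z0-9._/-]+$},
    real  => qr/^[A-Za-z0-9 .,'-]{0,64}$/,
);

# Returns undef when every field passes, otherwise the first failing name.
sub validate_user {
    my ($u) = @_;
    for my $f (sort keys %FIELD_RE) {
        return $f unless defined $u->{$f} && $u->{$f} =~ $FIELD_RE{$f};
    }
    return undef;
}

# argv for useradd, one element per token; returned so it can be inspected.
sub useradd_argv {
    my ($u) = @_;
    return ('useradd', '-u', $u->{uid}, '-g', $u->{gid},
            '-c', $u->{real}, '-d', $u->{home}, '-s', $u->{shell},
            $u->{user});
}

# Run argv directly (indirect-object system never invokes /bin/sh) and
# return the command's exit status, or -1 if it could not be started.
sub run_noshell {
    my @argv = @_;
    my $rv = system { $argv[0] } @argv;
    return -1 if $rv == -1;
    return $? >> 8;
}

# Capture modprpw's output over a pipe instead of a shared temp file.
sub new_trusted_password {
    my ($user) = @_;
    open(my $fh, '-|', '/usr/lbin/modprpw', '-x', '-l', $user)
        or die "cannot run modprpw: $!";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;
}

# Feed the body to mailx through a list-form pipe; nothing touches disk.
sub mail_password {
    my ($to, $body) = @_;
    die "bad address: $to\n"
        unless $to =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/;
    open(my $mx, '|-', 'mailx', '-s', 'Your new password for ' . hostname(), $to)
        or die "cannot run mailx: $!";
    print $mx $body;
    close($mx) or die "mailx exited with status " . ($? >> 8) . "\n";
}

# Full sequence; requires root on an HP-UX Trusted Mode host.
sub create_trusted_user {
    my ($u, $notify) = @_;
    if (my $bad = validate_user($u)) { die "rejected field: $bad\n"; }
    my $st = run_noshell(useradd_argv($u));
    die "useradd failed with status $st\n" if $st != 0;
    mail_password($notify, new_trusted_password($u->{user}));
    return 0;
}

# Constructed sample record; the comma in the GECOS field would have been
# handed to the shell by the string-building version of the call.
my %u = (user => 'jdoe', uid => 1042, gid => 20, home => '/home/jdoe',
         shell => '/usr/bin/sh', real => 'Doe, John');
if (my $bad = validate_user(\%u)) { die "rejected field: $bad\n"; }
print join(' ', map { "[$_]" } useradd_argv(\%u)), "\n";
# create_trusted_user(\%u, 'admin@example.com');   # uncomment on the HP-UX box
```

The top-level code only prints the argv that would be passed, one bracketed element per token, so the script can be checked on any machine with Perl; create_trusted_user() is the part that needs root on the HP-UX host. Compared with the posted snippet, the differences a reviewer would look for are that no field is interpolated into a shell string, the password output never sits at a predictable path readable by other local users, and a non-zero status from useradd stops the sequence before modprpw is run.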
|