Trusted system - UNIX




1. To convert the system into a trusted system, run:

/usr/lbin/tsconvert

After conversion, the protected password database is created under /tcb/files/auth/*/*.

Note: before converting to a trusted system you have to modify /etc/nsswitch.conf. In that file the entry "passwd: compat" has to be changed to "passwd: files".

To revert the trusted system, use the following command:

/usr/lbin/tsconvert -r
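A pre-flight check for the nsswitch.conf requirement above, as an added shell example (not part of the original notes and not HP-UX code): it parses the passwd entry of the file whose path you pass and accepts only "files". The sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight check before /usr/lbin/tsconvert: the passwd source in
# nsswitch.conf must be "files". Added example; it only reads the file
# whose path is passed, so it can be run against a copy of /etc/nsswitch.conf.

# Print the source list of the "passwd:" entry, ignoring comments and blanks.
nsswitch_passwd_source() {
    while IFS= read -r line; do
        line=${line%%#*}                      # drop trailing comment
        case $line in
            passwd:*)
                printf '%s\n' "${line#passwd:}" |
                    sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
                return 0 ;;
        esac
    done < "$1"
    return 1                                  # no passwd entry at all
}

# Return 0 when the passwd source is exactly "files", 1 otherwise.
tsconvert_preflight() {
    src=$(nsswitch_passwd_source "$1") ||
        { echo "$1: no passwd entry found" >&2; return 1; }
    if [ "$src" = "files" ]; then
        echo "passwd source is 'files': OK to run /usr/lbin/tsconvert"
        return 0
    fi
    echo "passwd source is '$src'; change it to 'files' before tsconvert" >&2
    return 1
}

# Write a constructed nsswitch.conf sample (not a real system file) and print its path.
sample_nsswitch() {
    f=$(mktemp) || return 1
    printf '# constructed sample\n%s\nhosts: files dns\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Demonstration on a constructed file:
f=$(sample_nsswitch 'passwd: compat   # NIS-style lookup')
tsconvert_preflight "$f" || echo "preflight failed as expected"
rm -f "$f"
```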

The protected password database contains the following entries for each user:

username and userid

encrypted password

account owner

boot flag - whether a user can boot to single-user mode or not

audit id and audit flag ( whether audit on or not )

min. time between password change

password max. length

password expiration time, after which the password must be changed

password lifetime, after which the account is locked

time of last successful and unsuccessful password change

absolute time ( date) when the account will expire

max. time allowed between logins before account is locked

no. of days before expiration when a warning will appear

whether passwords are user generated or system generated

whether triviality check is performed on user generated password

type of system generated passwords

whether null passwords are allowed for this account

user id of the last person to change the password, if not the account owner

time periods when the accounts can be used for login

the terminal or remote host associated with the last successful and unsuccessful logins to this account

no. of unsuccessful login attempts; cleared upon successful logins

max. no. of login attempts allowed before account is locked

2. The same locking policy applies to ftp users with a shell as well as ftp users without a shell.

3. Default policies:

Default password format policies:

System generates pronounceable - YES

System generates characters - NO

System generates letters only - YES

User specifies - YES

Default user-specified password policies:

Enable restricted password - NO

Allow null password - NO

System-generated password length - 8 characters

Default password aging policies:

Password aging - ENABLED

Time between password changes (days) - 0

Password expiration time (days) - 182

Password expiration warning time (days) - 7

Password file expiration (days) - 196

General user account policies:

Account lifetime (days) - NONE (infinite)

Maximum period of inactivity on account (days) - NONE

Unsuccessful login retries allowed - 3

Authorize user to boot to single-user mode - NO

4. The default policy parameters above can be modified globally in the default database as follows:

/usr/lbin/modprdef -m option=value

e.g. /usr/lbin/modprdef -m umaxlntr=20

NOTE: for more details see the modprdef man page.

getprpw (1M) getprpw (1M)

NAME

getprpw - display user's protected password database

USAGE

/usr/lbin/getprpw [-r] [-m option[,option]] logonid

OPTIONS

-r raw display of the protected database field values

-m display the value of the option given. If -m is not specified, all protected database fields will be displayed.

Boolean values are returned as YES, NO, or DFT (default).

A -1 value indicates that the field is undefined.

The following values will be displayed or can be selected

using the -m option:

uid logonid's uid

bootpw boot authorization flag

audid audit id

audflg audit flag

mintm minimum time allowed between password changes

exptm password expiration time

lftm password lifetime

acctexp account expiration time

spwchg time of last successful password change

upwchg time of last unsuccessful password change

llog maximum time allowed between logins

expwarn password expiration warning time

usrpick user allowed to pick passwords

nullpw null passwords allowed

maxpwln maximum password length allowed

rstrpw restricted passwords - checked for triviality

syspnpw system generates pronounceable passwords

admnum administrative number assigned

syschpw system generates character only passwords

sysltpw system generates letter only passwords

timeod time of day allowed for login

slogint time of last successful login

ulogint time of last unsuccessful login

sloginy terminal of last successful login

uloginy terminal of last unsuccessful login

culogin consecutive number of unsuccessful logins

umaxlntr maximum number of unsuccessful logins allowed

alock administrative lock

lockout bit string representing reason account is disabled

1 = true, 0 = false

bit 1 password lifetime exceeded

2 time between logins exceeded

3 account absolute lifetime exceeded

4 unsuccessful logon attempts exceeded

5 null password set but not allowed

6 administrative lock

7 password is "*"

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

3 protected database not found for user

NOTE. This is an undocumented command and not supported for direct use by end users.

This documentation has been gathered from multiple sources, inferred or developed empirically. No warranty is provided for its accuracy, completeness or use.
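To make the lockout field usable from a script, here is an added shell example (not part of the original notes and not HP-UX code) that decodes the seven-bit string into the reasons listed above; the bit string is passed in as an argument, and the value in the demo call is constructed.

```shell
#!/bin/sh
# Decode the 7-bit "lockout" string reported by getprpw into the reasons
# listed in the man page text (bit 1 = leftmost character). Added example;
# nothing here reads /tcb, the value is passed as an argument.

decode_lockout() {
    bits=$1
    # A valid value is exactly seven characters, each 0 or 1.
    case $bits in
        [01][01][01][01][01][01][01]) ;;
        *) echo "invalid lockout value: '$bits'" >&2; return 2 ;;
    esac
    reasons=""
    pos=1
    rest=$bits
    while [ -n "$rest" ]; do
        bit=${rest%"${rest#?}"}        # first remaining character
        rest=${rest#?}                 # drop it
        if [ "$bit" = 1 ]; then
            case $pos in
                1) r="password lifetime exceeded" ;;
                2) r="time between logins exceeded" ;;
                3) r="account absolute lifetime exceeded" ;;
                4) r="unsuccessful logon attempts exceeded" ;;
                5) r="null password set but not allowed" ;;
                6) r="administrative lock" ;;
                7) r='password is "*"' ;;
            esac
            reasons="${reasons:+$reasons; }$r"
        fi
        pos=$((pos + 1))
    done
    # All bits clear means the account is not disabled.
    printf '%s\n' "${reasons:-not locked}"
}

# Demo with a constructed value (as if copied from getprpw -m lockout output):
decode_lockout 0001000
```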

---------------------------------------------------------------------------

getprdef (1M) getprdef (1M)

NAME

getprdef - display default database

USAGE

/usr/lbin/getprdef -r [-m option[,option]] [-b] [-p] [-t]

OPTIONS

-r raw display of the protected database field values

-m display the value of the option given. If -m is not specified, all protected database fields will be displayed.

-b display password defaults

-p display time defaults

-t display login defaults

Boolean values are returned as YES, NO, or DFT (default).

A value of -1 indicates that the field is undefined.

The following values will be displayed or can be selected

using the -m option:

bootpw boot authorization flag

mintm minimum time allowed between password changes

exptm password expiration time

lftm password lifetime

llog maximum time allowed between logins

expwarn password expiration warning time

usrpick user allowed to pick passwords

nullpw null passwords allowed

maxpwln maximum password length allowed

rstrpw restricted passwords - checked for triviality

syspnpw system generates pronounceable passwords

syschpw system generates character only passwords

sysltpw system generates letter only passwords

umaxlntr max number of consecutive unsuccessful logins allowed

tmaxlntr max number of consecutive unsuccessful logins allowed per terminal

dlylntr time delay between unsuccessful login attempts

lntmout login timeout in seconds

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

NOTE. This is an undocumented command and not supported for direct use by end users.

---------------------------------------------------------------------------

modprpw (1M) modprpw (1M)

NAME

modprpw - modify a user's protected database

USAGE

/usr/lbin/modprpw [-A][-E|V][-e|v][-k][-w][-x] [-m opt=value[,opt=value]] logonid

modprpw updates the user's Protected Database options with the values specified. It is the user's responsibility to validate all options and values before execution.

Any fields not specified remain unchanged in the database.

OPTIONS

-A Add a new user. Requires -m uid=value and returns the admin number the user must use as a password to log in the first time. Logonid must not already exist and cannot be used with the -k, -w or -x options.

-E Expire all passwords by removing the last successful login time from all users. All users will need to enter new passwords at next login. Logonid or any other options are not valid with this option.

-e Expire the password of a specific logonid.

-k Unlock or re-enable a specific logonid.

-m Modify the options specified below. If an invalid option is provided, "invalid-opt" will be displayed and processing terminated. -m options are valid only with -A (add new user) or -k (unlock user).

Boolean values are specified as YES, NO or DFT (default). The value -1 indicates that the value in the database is to be removed and the system default value used.

Options:

uid=value logonid's uid

bootpw=YES/NO boot authorization flag

audid=value audit id

audflg=value audit flag

mintm=value minimum days allowed between password changes

exptm=value password expiration time in days

lftm=value password lifetime in days

acctexp=value account expiration in calendar date format

llog=value maximum time allowed between logins in days

expwarn=value password expiration warning time in days

usrpick=YES/NO/DFT user allowed to pick passwords

nullpw=YES/NO/DFT null passwords allowed (NOT RECOMMENDED!)

maxpwln=value maximum password length allowed

rstrpw=YES/NO/DFT restricted passwords - checked for triviality

syspnpw=YES/NO/DFT system generates pronounceable passwords

syschpw=YES/NO/DFT system generates character only passwords

sysltpw=YES/NO/DFT system generates letter only passwords

admnum=value administrative number assigned

timeod=value time of day allowed for login

umaxlntr=value maximum number of unsuccessful logins allowed

alock=YES/NO/DFT administrative lock

The format of the timeod value is:

key0Starttime-Endtime,key1Starttime-Endtime,...,keynStarttime-Endtime

where key has one of the values:

Mo - Monday

Tu - Tuesday

We - Wednesday

Th - Thursday

Fr - Friday

Sa - Saturday

Su - Sunday

Any - all days

Wk - Monday to Friday

Starttime and Endtime are hhmm 24-hour format times, where hh = 00 - 23 and mm = 00 - 59.

-V Start password aging for all users by setting the last successful login time to the current time. No logonid or other arguments are allowed.

-w Change the logonid's encrypted password. Not valid with any other option. Use: -w encrypted_password

-x Remove the user's password and return an admin number the user must log on with and pick a new password. Not valid with any other option.
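As an added shell example (not part of the original notes and not HP-UX code), the following checks a day and hhmm time against a timeod value in the format described above, including the Any and Wk keys; the timeod value, day and time are constructed and passed as arguments rather than read from the protected database.

```shell
#!/bin/sh
# Evaluate a timeod value (keyStarttime-Endtime[,...]) against a day and
# an hhmm time. Added example; validates the syntax as documented above.

# Is $1 an hhmm time with hh 00-23 and mm 00-59?
valid_hhmm() {
    case $1 in
        [01][0-9][0-5][0-9]|2[0-3][0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Does key $1 (Mo..Su, Any, Wk) cover day $2 (Mo..Su)?
key_covers_day() {
    case $1 in
        Any)  return 0 ;;
        Wk)   case $2 in Mo|Tu|We|Th|Fr) return 0 ;; esac; return 1 ;;
        "$2") return 0 ;;
        *)    return 1 ;;
    esac
}

# timeod_allows TIMEOD DAY HHMM: 0 = login allowed, 1 = outside all windows,
# 2 = malformed timeod value or time.
timeod_allows() {
    spec=$1 day=$2 now=$3
    valid_hhmm "$now" || return 2
    oldifs=$IFS; IFS=,; set -- $spec; IFS=$oldifs   # split on commas
    for entry; do
        case $entry in
            Any*) range=${entry#Any} ;;
            *)    range=${entry#??} ;;              # two-letter key
        esac
        key=${entry%"$range"}
        case $key in Mo|Tu|We|Th|Fr|Sa|Su|Any|Wk) ;; *) return 2 ;; esac
        case $range in *-*) ;; *) return 2 ;; esac
        start=${range%%-*}; end=${range#*-}
        { valid_hhmm "$start" && valid_hhmm "$end"; } || return 2
        # test compares hhmm strings as decimal integers, leading zeros included.
        if key_covers_day "$key" "$day" &&
           [ "$now" -ge "$start" ] && [ "$now" -le "$end" ]; then
            return 0
        fi
    done
    return 1
}

# Demo with a constructed value: weekdays 08:00-18:00, Saturday 09:00-12:00.
timeod_allows "Wk0800-1800,Sa0900-1200" Sa 1030 && echo "login allowed"
```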

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

3 protected database not found for logonid

4 can not change entry

NOTE. This is an undocumented command and not supported for direct use by end users.

This documentation has been gathered from multiple sources, inferred or developed empirically. No warranty is provided for its accuracy, completeness or use.

---------------------------------------------------------------------------

modprdef (1M) modprdef (1M)

NAME

modprdef - modify default database

USAGE

/usr/lbin/modprdef -m option=value[,option=value]

modprdef updates the Default Database options with the values specified. It is the user's responsibility to validate all options and values before execution.

Any fields not specified remain unchanged in the database.

OPTIONS

-m Modify option specified below. If an invalid option is provided

"invalid-opt" will be displayed and processing terminated.

Boolean values are specified as YES, NO.

Options:

bootpw=YES/NO boot authorization flag

mintm=value minimum days allowed between password changes

exptm=value password expiration time in days

lftm=value password lifetime in days

llog=value maximum time allowed between logins in days

expwarn=value password expiration warning time in days

usrpick=YES/NO user allowed to pick passwords

nullpw=YES/NO null passwords allowed (NOT RECOMMENDED!)

maxpwln=value maximum password length allowed

rstrpw=YES/NO restricted passwords - checked for triviality

syspnpw=YES/NO system generates pronounceable passwords

syschpw=YES/NO system generates character only passwords

sysltpw=YES/NO system generates letter only passwords

umaxlntr=value maximum number of unsuccessful logins allowed

tmaxlntr=value maximum number of consecutive unsuccessful logins allowed per terminal

dlylntr=value time delay between unsuccessful login attempts

lntmout=value login timeout in seconds

RETURN VALUES

0 success

1 user not privileged

2 incorrect use

NOTE. This is an undocumented command and not supported for direct use by end users.

This documentation has been gathered from multiple sources, inferred or developed empirically. No warranty is provided for its accuracy, completeness or use.





5. When you convert to a trusted system, all passwords are expired. You have to set new passwords.

To check the consistency of /etc/passwd against the trusted system password database, use the command:

/usr/sbin/authck

For more details see the man page of authck.

6. When the system locks (deactivates) a user's account, reactivate it as follows.

From the command line:

/usr/lbin/modprpw -k logonid

With this command you can unlock the user account.

Or, in SAM:

go to Users

select the particular user to activate

go to Actions

reset the password. When the password is reset, the system automatically generates a new password; you can either keep that password or, if you want to change the system-generated password, select the Modify option: it first asks for the old password (the system-generated one), then choose the option to pick a password and enter whatever password you want.

6. How do you change the default options from the command line?

Refer to the man page of modprdef.

7. When a new user is created in the trusted system, what happens at first login?

You can create users in the trusted system, but you have to set a password for the user.

8. Can the user set the password himself?

The user can change his own password.

Note: Username and password should not be identical.

9. Ensure that 2 or 3 root login sessions are available while running tsconvert.

10. Unsuccessful login details are available in:

/var/adm/syslog/syslog.log

11. rlogin-related questions

You can log in from other systems to the trusted system using rlogin.

If you exceed the max. no. of unsuccessful logins, the account will be disabled.
