My question was:
> We want to install C2 enhanced security on a system that already has about
> 2400 accounts. We're running Digital Unix 3.2B. We'll try it out on a
> spare system with no actual users, first.
>
> We're reading the manuals now, but if anybody can share war-stories,
> gotcha's, etc., I'd really appreciate it.
>
> Thanks!
Sorry this has taken so long. We're now running C2, so here's a combined
summary of the email answers I received, with a few things we found out
for ourselves at no additional charge:
* On OSF 3.0, C2 didn't play nicely with NIS. It could be made to work once
several DEC patches were installed, but with lots of pain. Later versions
probably work. (We don't use NIS.)
* One person reported having to reinstall C2 after upgrading from 3.0 to
3.2.
* On their first login after installing C2, users must enter only the first
8 characters of their passwords. After that, allowable password length
is controlled by local policy.
* By default, C2 will lock an account after a certain number of unsuccessful
login attempts. This, along with the need to truncate to 8 characters on
the first login after C2 installation, leads to an interesting time for
the user support staff.
* There's an option to allow the system to generate random passwords when
a user changes his/her password. The trouble is the length: If you set
the maximum password length fairly large to allow nice long pass-phrases,
the generated passwords will be ridiculously long.
* One person reported unacceptable performance. I suspect they had auditing
cranked up. You can have it log events down to the syscall level, which
I'm sure would have an effect. We chose not to do that, and haven't
noticed any performance problem.
* One person recommended getting DEC's unsupported utility "convuser" for
converting between the BASE (/etc/passwd) and C2 authorization database
(/tcb/files/auth/*). We never needed this, so we didn't try to find it.
* The installation procedure does NOT replace the old password field in
/etc/passwd with asterisks, so old passwords still in there remain
vulnerable to dictionary attacks. Doubtless this was done so the customer
could decide whether and when to break programs that aren't C2-aware.
The shadow password feature was our main reason for going with C2, so
we had to do this ourselves.
* Various freeware and other 3rd-party software isn't C2-aware:
  * The IMAP email access protocol that comes with Pine 3.91 or with the
    just-released Pine 3.92.
  * The POP2 and POP3 servers that came with Pine 3.91 and 3.92.
    Solution: popper v2.1.4-r3 from Qualcomm
    ftp://ftp.qualcomm.com/quest/unix/servers/popper/qpop2.1.4-r3.tar.Z
  * WUFTP - I hear patches are available, but we're not providing
    anonymous ftp on the system we needed C2 on, so DEC's ftp works
    ok for us.
  * SUDO, a utility for allowing controlled access to root, just happily
    uses the password from /etc/passwd. There are comments in the code
    implying that it works with C2, but our version doesn't seem to.
    We've gone back to using "su", for now. Note that C2 audit logs
    record the original username, even when you use su. This makes sudo
    less necessary than before.
* Custom scripts for adding new users will need changes. This turned out
not to be all that difficult, as you can just create the auth database
file for a user with a minimum amount of information, and let system
defaults and the "passwd" program fill out the rest.
* Guy Weeks reported losing access to root. This never happened to us,
  but here's Guy's procedure to protect against this possibility:
  - Make a copy of /etc/passwd.
  - Run secsetup, as illustrated in the man pages.
  - cd /tcb/files/auth/r
  - cp root root.old
  - vi root and remove the u_pwd entries (this removes root's password),
    e.g.:  :u_pwd=x453534sdfgdf43453sg345:\
    will now look like:  :u_pwd=:\
  - We were told by Digital that the ttys file sometimes gets corrupted
    (this has never happened to us), so I made a copy of /etc/auth/system/ttys.
  - Restart the server and provide a new root password.
  - This should work well.
  - If not, you can run secsetup again and move back to base without any
    problems, because you have the passwd file.
  - If you have to go back to base, I would remove the /tcb/files/auth/*
    files before trying to move to enhanced again.
* The X-windows management utilities, XIsso and XSysAdmin, have no
character-mode equivalent, so it's a good thing we have DEC's eXcursion
X server for Windows, and 17-inch monitors on the sysadmins' PCs. You
probably could get by editing the text database files directly, but I'm
glad I don't have to. These utilities are amazingly slow, unreliable,
and poorly documented. I don't think you can blame it on eXcursion.
There are supposed to be command-line equivalents coming in Digital Unix
V4.0. I hope so. These are an insult to the customer.
* XIsso includes a section which purports to allow you to choose secondary
groups for an account, but it doesn't seem to have any actual effect,
except wasting your time. Edit the /etc/group file as you've always done.
* The audit reporting tools are extremely slow. We haven't fiddled with
them enough yet to tell you any more than that.
* Despite all the whining, I'd say we're far better off with C2 than
we were without it.
* If all you want is shadow passwords, there's a trick where you can use
local NIS to simulate them. If you want more details, let me know and
I'll put you in touch with the person who mentioned this to me.
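The point about asterisking out the old password field in /etc/passwd (the
installation leaves the hashes in place, so the shadow-password benefit only
arrives once you do it yourself) is the kind of step worth scripting rather
than doing by hand on 2400 accounts. The following POSIX shell script is an
added illustration of that step; it is not from Phil's post, from Guy's
procedure, or from Digital's tools. The account lines are constructed sample
data, and the function names (mask_passwd_fields, list_empty_passwords,
count_malformed_lines, verify_masked) are this example's own. It keeps the
pre-conversion copy that Guy's procedure also starts with, reports accounts
that have an empty password field (masking would lock those in base mode, so
they deserve a look first), leaves any line that does not have the usual
seven fields untouched for manual repair, and verifies the result before it
is ever moved into place.

```shell
#!/bin/sh
# Mask the legacy password field in a passwd file before (or after) moving
# to C2 enhanced security, so the old hashes cannot be harvested for an
# offline dictionary attack. Added example; functions and data are hypothetical.

# Constructed sample /etc/passwd content (not real accounts). The last line
# deliberately has only six fields to show how malformed entries are handled.
SAMPLE_PASSWD='root:Ab12Cd34Ef56G:0:1:System Admin:/:/bin/sh
daemon:*:1:1:Daemon:/:/bin/sh
alice:abCDe12fGh3IJ:1001:15:Alice Example:/usr/users/alice:/bin/csh
bob::1002:15:Bob Example:/usr/users/bob:/bin/ksh
carol:ZzYyXx1122334:1003:15:Six Fields:/usr/users/carol'

# Replace field 2 with "*" on every well-formed (seven-field) line.
# Lines with any other field count are passed through unchanged so that a
# damaged entry is never silently rewritten.
mask_passwd_fields() {
    awk -F: 'BEGIN { OFS = ":" }
             NF == 7 { $2 = "*"; print; next }
             { print }'
}

# Print the login names whose password field is empty. Such accounts need
# no password at all in base mode; masking turns them into locked accounts,
# so review them before converting.
list_empty_passwords() {
    awk -F: 'NF == 7 && $2 == "" { print $1 }'
}

# Count lines that do not have seven colon-separated fields.
count_malformed_lines() {
    awk -F: 'NF != 7 { n++ } END { print n + 0 }'
}

# Exit 0 only if every well-formed line now carries "*" in field 2.
verify_masked() {
    awk -F: 'NF == 7 && $2 != "*" { bad++ } END { exit (bad > 0) }'
}

# Demonstration on the constructed sample, done in a scratch directory the
# same way one would work on a copy of /etc/passwd: back up first, write the
# masked version to a new file, verify it, and only then install it.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$WORK/passwd"
cp "$WORK/passwd" "$WORK/passwd.pre-c2"        # keep this copy off the machine afterwards
echo "accounts with an empty password field:"
list_empty_passwords < "$WORK/passwd"
echo "malformed lines needing manual repair: $(count_malformed_lines < "$WORK/passwd")"
mask_passwd_fields < "$WORK/passwd" > "$WORK/passwd.masked"
if verify_masked < "$WORK/passwd.masked"; then
    echo "masked copy verified; it could now be moved into place as /etc/passwd"
else
    echo "verification failed; not installing" >&2
fi
cat "$WORK/passwd.masked"
rm -rf "$WORK"
```

Once the field is masked, C2 logins are unaffected because the real password
lives in /tcb/files/auth, but exactly the non-C2-aware programs listed above
(the Pine POP/IMAP servers, this version of sudo) stop accepting passwords,
which is the trade-off the post describes; masking and fixing those programs
therefore belong in the same change window.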
Thanks to the following for their answers:
Jon Buchanan <Jonathan.Buchanan_at_ska.com>
m_beltramo_at_scomp1.sonda.cl (Marcelo Beltramo)
Martin Fong <martinf_at_infosys7.infosys.unsw.edu.au>
"Lynn L. Blankenship" <lblank_at_chakotay.au.af.mil>
Gyula Szemenyei <szemgy_at_rkk.hu>
Foc <foc_at_intac.com>
Don Newcomer <newcomer_at_dickinson.edu>
Larry Griffith <larry_at_garfield.wsc.mass.edu>
David Wood <dbform_at_oanet.com>
Pat Wilson <paw_at_phibes.dartmouth.edu>
"Anil Khullar, Computer Center" <Anil.Khullar_at_mailhub.gc.cuny.edu>
Guy Weeks <geweeks_at_mohmail.hlth.gov.bc.ca>
grscott_at_grscott.is.ge.com
Darren Bock <dbock_at_pacstar.com.au>
Apologies to any I missed!
--
-- Phil Rand <prand_at_spu.edu> aka <postmaster_at_spu.edu>
-- http://paul.spu.edu/~prand/ (206) 281-2428
-- Computer & Information Systems
-- Seattle Pacific University
-- 3307 3rd Ave W, Seattle, WA 98119
---------------------------------------------------------------------------
Received on Wed Apr 03 1996 - 02:44:10 NZST