Summary - Retaining password from Base to C2 Security

From: jenny sander <jenny_sander_at_hotmail.com>
Date: Wed, 12 Apr 2000 05:31:08 +0000 (GMT)

Many Thanks to the following people

Frank Wortner
Stan Horwitz
Nikola Milutinovic
Richard Frank

who enlightened me on the question I posted below. Most of them suggested that I
consider the risk if I retain the password from BASE, and some also pointed out
some of the glitches of setting up C2. Frank Wortner's response
gives a direct answer and provides a workaround on how to modify the convuser
script based on my need, which I will try later. Attached are the responses
that I got from them. Once again, thank you very much.

*****Stan Horwitz
What you ask may be possible, but I am not sure. What I am sure about is
that it doesn't make much sense to have the passwords retained. Even if the
retained passwords become encrypted and hidden, the old passwd file with
those passwords in it might be in the possession of a hacker and thus, the
hacker can still try to crack those passwords. Moving from base to C2
security properly is an ideal excuse to get your users to change their
passwords.

***** Nikola Milutinovic
secsetup, a script used to set up C2sec, runs convauth and convuser. All user
accounts will be converted after that. You might run into something else.
1. You might have all user accounts locked. This shouldn't happen, but in
some weird situation it might.
2. All your normal users might have their passwords expired and they would
be prompted for a new password. These things shouldn't happen, but I've never
converted a running system; I always configure C2 initially. If anything
like this bothers you, you're having problems with default C2 values. You
can inspect/change them with either
dxaccounts (Templates - default) or with the usermod command (see man usermod).

*****Richard Frank
This operation can be tricky. If you are committed to keeping the password,
my advice is to change it to something in base security. Log out and in
again so you know it works. Then when you do C2, change it to the one you
like. Beware! Passwords you are attached to may be unsecure for that reason.

*****Frank Wortner
No, because secsetup has already run convuser -a, moved the password to the
prpasswd database, and expired it. There's no valid password left for
convuser -a -u to convert. What you should do instead is edit
/usr/sbin/convuser -- it's a shell script -- find the line that invokes
convuser (about line 186):

[ ! -f /etc/auth/system/ttys.db ] &&
         convauth
trap '' 2 3
convuser ${LCHG} -a || return 1
trap - 2 3

and change it to:

[ ! -f /etc/auth/system/ttys.db ] &&
         convauth
trap '' 2 3
convuser ${LCHG} -a -u || return 1
trap - 2 3

Notice the added "-u" option.

A few lines lower (near line 202), you will find:

if [ "${REPLY}" != "${NoWord}" ]
then
        convuser -n -c -a
else : true
fi

Change that to:

if [ "${REPLY}" != "${NoWord}" ]
then
        convuser -n -c -a -u
else : true
fi

... and you are set!

I've done this in the past, and it has worked: passwords have been
preserved. However, the usual disclaimers apply: no guarantees, do at
your own risk, etc.

Hope this helps

Frank
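
Added example, not part of the original thread and not Frank Wortner's own code: a shell helper that applies the two "-u" edits from the reply above to a copy of the script instead of editing it in place, and reports how many lines changed. The function names and the sample file are constructed for illustration, and the sed patterns assume the lines look exactly as quoted in the reply.

```shell
#!/bin/sh
# Added example (not from the thread). patch_convuser_calls, make_sample and
# demo are hypothetical names; the sample script content is constructed.

# Usage: patch_convuser_calls SRC DST
# Writes a patched copy of SRC to DST (SRC is never modified) and prints the
# number of lines that changed.
patch_convuser_calls() {
    src=$1 dst=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    [ "$src" != "$dst" ] || { echo "SRC and DST must differ" >&2; return 2; }

    # Match only the two invocations exactly as quoted in the reply. Lines that
    # already carry "-a -u" do not match, so a second run changes nothing.
    sed -e 's/^\([[:space:]]*convuser \${LCHG} -a\)\( || return 1\)$/\1 -u\2/' \
        -e 's/^\([[:space:]]*convuser -n -c -a\)[[:space:]]*$/\1 -u/' \
        "$src" > "$dst" || return 2

    # sed neither adds nor removes lines here, so compare line by line.
    awk 'NR == FNR { a[FNR] = $0; next }
         a[FNR] != $0 { n++ }
         END { print n + 0 }' "$src" "$dst"
}

# Constructed sample: the two quoted fragments plus one decoy line.
make_sample() {
    cat > "$1" <<'EOF'
[ ! -f /etc/auth/system/ttys.db ] &&
         convauth
trap '' 2 3
convuser ${LCHG} -a || return 1
trap - 2 3
echo "convuser -n -c -a is run below"
if [ "${REPLY}" != "${NoWord}" ]
then
        convuser -n -c -a
else : true
fi
EOF
}

demo() {
    tmp=$(mktemp -d) || return 2
    make_sample "$tmp/script"
    echo "lines changed: $(patch_convuser_calls "$tmp/script" "$tmp/script.new")"
    diff "$tmp/script" "$tmp/script.new" || true   # diff exits 1 on differences
    rm -rf "$tmp"
}
demo
```

A count of 2 is expected on an unmodified script and 0 on one that is already patched; any other count means the script differs from the fragments quoted in the thread and should be reviewed by hand.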

Original Question:
Hi,

I'm a newbie on this list and Unix as well, so pardon this inquiry as I
really need your enlightenment:

Tru64 4.0D
TruCluster 1.4

I understand that if I turn on C2 Security, it will run convuser
automatically. However, if I want to retain the password from BASE, do I
need to run convuser -a -u again? Is there any way that I could
retain the password from BASE to C2?

But then if the password is retained, would it be encrypted in C2 (*)?

Please enlighten me,

Thanks
Jenny
Jenny_sander_at_hotmail.com
Unix System Admin



Received on Wed Apr 12 2000 - 05:32:38 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:40 NZDT