SUMMARY: Shadow passwords

From: Bob Vickers <bobv_at_cs.rhul.ac.uk>
Date: Mon, 07 Jun 2004 15:56:53 +0100 (BST)

I received a wide variety of suggestions. It appears that the later
versions of Tru64 give quite a variety of authentication options, but
4.0G is much more limited so I need to upgrade if I am to take
advantage of them.

Possibilities include:
  LDAP
  Shadow passwords (though incompatible with other unixes)
  Microsoft NIS server
  Advanced Server for Unix (ASU)
 
I still haven't decided which route to go, none stands out as being
the clear winner.

Thanks go to
  Alaric Turner
  Thomas Sjolshagen
  Graham Allan
  Ann Majeske
  Damon Goforth
  Rich Fox
for their replies, which I have included below.

If you are runnign a Windows Domain MS have shipped a NIS server as a
FOC add on, I haven't played withit with Tru64 but it does work nicly
with Win2k Active Directory & Linux (debian 3 & Mandrake) so should work
with Tru64..

http://support.microsoft.com/default.aspx?scid=kb;EN-US;324083 gives
more info.

Alaric Turner

----
Advanced Server for Unix (ASU) would let you do this (Tru64 UNIX doesn't
support PAM, so not only would you need to write a PAM interface, you'd
need to interface it with SIA (the Tru64 UNIX Security Architecture). 
As you probably have a Campus license, ASU is probably the most cost
efficient way to go about getting Tru64 UNIX/Windows interoperability..
That, or LDAP..
Thomas Sjolshagen
----
Have you considered using an LDAP based authentication system? We are
using it for a variety of platforms including MacOS X, MacOS X server,
Tru64, Windows2K, and various flavors of Linux (including beowulf
clusters). It certainly has eased administering user accounts across our
systems. Our Tru64 systems are 5.1A though and I am not sure if the
previous versions are capable. I believe the LDAP package was included in
the Internet Express distributions.
Rich Fox
----
I'm no expert, but I still get the feeling that Tru64 C2 security is
incompatible with any other OS shadow passwords. I believe that in
Tru64 5.x you can turn on only the shadow password function of C2,
without all the otehr features, but it's still not compatible with
linux, etc.
We're looking at using LDAP to replace NIS here. Tru64 5.1B includes an
LDAP authentication module. For earlier versions, you can install one
from the Internet Express kit. This should give a common authentication
system between Tru64, Solaris and Linux. Not sure about Windows. Samba
can use LDAP for authentication, so if your Windows systems are in a
domain with a samba PDC, that should do it (and that's what we're
hoping will work here).
There do seem to be some glitches with the Tru64 LDAP auth stuff, eg
although we have it working, it doesn't seem possible to run it
securely (using an SSL connection to the LDAP server). or rather, there
are signs that this might be possible (from delving into the innards of
the binary) but no documentation on it, or help from HP. Having said
that, even without SSL it should be better than NIS or unshadowed
passwords!
Graham Allan
----
Later versions of Tru64 do have a "shadow password" option, but it is
basically Enhanced Security with most of the stuff turned off.  It will not
interoperate with the shadow password option on other versions of
UNIX.  You might want to read up on "Single Sign On" for V5.1B.
It may do some of what you want.  All of the Tru64 manuals are on-line
on the HP web site, you'd want to look in the "Security Administration"
manual for V5.1B.  The V5.1A Security Manual has some stuff that
apparently disappeared in the V5.1B manual, so you might want to look
at it too.  Tru64 doesn't support PAM, it has it own security architecture,
SIA.
Ann Majeske
----
Damon M. Goforth referred me to an older message from Jonathan
Williams (which Google fails to find!):
Sent: September 12, 2002 9:36 AM
To: tru64-unix-managers_at_ornl.gov
Subject: SUMMARY: Shadow Passwd file requires C2?
Ok...easy enough.  You DO need to enable C2 security...but there is an
option to ONLY add the shadow passwd functionality (I just used Sysman
to change the security settings).  I've done this on a test machine, and
everything seems OK so far.  Now it's time to read the secconfig man
page.  Thanks to the fast responses from: Rochelle Lauer, Ken Kleiner,
and Paul Sand
Jonathan Williams
-----Original Message-----
From: tru64-unix-managers-owner_at_ornl.gov
[mailto:tru64-unix-managers-owner_at_ornl.gov] On Behalf Of Bob Vickers
Sent: June 04, 2004 3:12 AM
To: Tru64 Unix Managers
Subject: Shadow passwords
Dear Tru64 Managers,
We have a mixture of Tru64, Linux, Solaris and Windows machines and I am
looking at ways of simplifying our authentication mechanisms.
It would be helpful if we could enable shadow passwords without all the
complication of enabling Enhanced Security. I am almost sure that some
time in the past I read that this is possible with later versions of
Tru64, but I have googled and looked in manuals and can't find any
reference to this. Is my memory letting me down? If it is possible could
someone point me to the documemntation that describes how to do it?
At the moment we are running 4.0G, but we could upgrade to a later
version if there were sufficient motivation.
Alternatively: is there a way of telling Tru64 to use a Samba PDC as
authenticator (perhaps by compiling our own PAM interface)? This looks
like the best option for Linux, Solaris and Windows.
Thanks for your time,
Bob
==============================================================
Bob Vickers                     R.Vickers_at_cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv

Received on Mon Jun 07 2004 - 14:59:05 NZST