[HP-UX 10.20] root account disabled

Igor Sobrado Delgado

Jan 3, 2000, 3:00:00 AM
Hi,

One user on our server has locked the root account trying to enter
guessing passwords on it (I have set some security features but
wanted it active only on the user's accounts). When I try to enter
as root I get the message:

$ su
Password: <I_put_here_my_passwd>
Account is disabled -- see Account Administrator.
$

I suppose I could enable again this account starting server on
maintenance mode (single-user mode), but I am not sure how to do
it without access to the root account. We have a HP 9000 C110
with HP-UX 10.20.

Any help would be greatly appreciated,

Igor.

--
Igor Sobrado Delgado (SysOp at condmat03) Physics undergrad student
E-mail: sob...@condmat1.ciencias.uniovi.es University of Oviedo
Asturias (SPAIN)
System Manager of the Theoretical and Condensed Matter Physics Clusters

John Pezzano

Jan 3, 2000, 3:00:00 AM
Igor Sobrado Delgado wrote:
>
> Hi,
>
> One user on our server has locked the root account trying to enter
> guessing passwords on it (I have set some security features but
> wanted it active only on the user's accounts). When I try to enter
> as root I get the message:
>
> $ su
> Password: <I_put_here_my_passwd>
> Account is disabled -- see Account Administrator.
> $
>
> I suppose I could enable again this account starting server on
> maintenance mode (single-user mode), but I am not sure how to do
> it without access to the root account. We have a HP 9000 C110
> with HP-UX 10.20.
>
> Any help would be greatly appreciated,
>
> Igor.

You boot into single user mode. The account will not be disabled there.
I also believe you can login at the console (use the "No windows"
option).

Disabling the root account is not necessarily a good idea. It enables a
"denial of service" attack in that someone with no capability to get on
your system can prevent you from doing the same. More than that, an
attacker may continually and repeatedly lock out user accounts by
failing to login successfully to the point that users (and administrators
who have to reset them) will get frustrated. Then managers will demand
that the feature be disabled because it slows down their employees'
productivity and the attacker can attempt to hack to his heart's
content.

Doug O'Leary

Jan 3, 2000, 3:00:00 AM
[This followup was posted to comp.sys.hp.hpux and a copy was sent to the
cited author.]

1. Walk up to the system console
2. Press return to get a login prompt.
3. Enter root
4. Enter the appropriate password,
5. Use sam to reenable root's account.
6. Use sam to lock the miscreant's account that locked root.

Lesson: Even if root is administratively locked, you can log in as root
on the console.

HTH.

Doug

--
==============
Douglas K. O'Leary
Senior System Admin
dkol...@mediaone.net
==============

Doug O'Leary

Jan 3, 2000, 3:00:00 AM
One other note: I always found using SAM to reenable locked user
accounts to be incredibly stupid - more mouse clicks than the job really
needs. Along about November 96, I asked HP about it via their telephone
support. HP never came up with an answer, but while I was on the phone
with them, I did. The script below resulted from that answer. I later
found out that there is a command line option for reenabling user
accounts; however, it's not in the man pages anywhere and doesn't seem to
be supported by HP either - which makes me suspect that it might not be
in future versions of HPUX. Your call which one you use - the script,
the command line, or sam (although, sam's for weanies!).

A copy of my summary message to this newsgroup follows:

===================================================
Copy of a message sent to comp.sys.hp.hpux on/about 11/5/96.

Hello, all

Thanks for all the inputs. Most of them made mention of going through sam
to unlock the accounts. Others made mention of resetting the passwords. I
tried that and it doesn't work; the administrative lock is still there.

So, I ended up calling HP; they said "Go through SAM". I don't want to go
through sam because I have a fairly congested network and it's too bloody
slow. There has to be a way to go through the command line. HP was,
apparently, having some problems with finding the right command line so,
while I was on the phone with them, I started looking into it. (Side
note: According to HP, there is no command line option to unlock user
accounts)

The flag in the /tcb/files/auth/<letter>/<name> file that causes the lock
out is "u_numunsuclog". You sed that out of the file and the user can log
back in. I created a script that will do that for me. The script is below
should anyone else care to use it. Obviously, you'll have to run it as
root; however, if you can muck with the password file through SAM, you
probably already have root authority...

Hope this helps someone; Thanks again for all the tips and time.

Doug O'Leary

-------------------------------------
Doug O'Leary <dkol...@mayspeh.com>
May & Speh
1501 Opus Place
Downers Grove, IL, 60515-5713
708-719-0451
-------------------------------------

#!/bin/ksh
#############################################################
# unlock: Unlocks user accounts without going through the
# pain and agony of SAM
# Author: Doug O'Leary <dkol...@mayspeh.com>
# Created: 11/05/96
# Updated: 11/05/96: Initial creation
#############################################################

################ Usage function ###########################
usage()
{
    print ""
    print "usage: ${Cmd} USER_ID"
    print ""
    exit 1
}

############### Check args #############################

export PATH=/usr/bin
Cmd=$(basename "$0")
if [ $# != 1 ]
then
    usage
fi
User=$1

# Reject empty names and names containing "/" so the path built
# below cannot point outside /tcb/files/auth.
case "${User}" in
    ""|*/*) usage ;;
esac

################ ID tcb pw file ###########################

Letter=$(echo "${User}" | cut -c1)
File="/tcb/files/auth/${Letter}/${User}"

if [ ! -f "${File}" ]
then
    print "${Cmd}: ${File} not found"
    exit 1
fi

############### Make a backup of the original #############

Date=$(date +%y%m%d)
cp -p "${File}" "${File}.${Date}" || exit 1

################ Eliminate the lock #######################

# Filter the backup straight back into the original file. This keeps
# the file's owner and mode, and avoids a predictable temp file in /tmp.
sed 's/u_numunsuclog#[0-9]*://g' "${File}.${Date}" > "${File}"

===================================================
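
The counter that the script above deletes can also be read without changing anything, which shows which accounts are collecting failed logins (the lockout pattern John Pezzano describes). This is an added example, not part of the original thread. It assumes the <letter>/<name> layout and the "u_numunsuclog#<n>:" field named in the post; the function names and the sample entries are constructed for illustration, and it runs against a temporary sample tree rather than /tcb/files/auth.

```shell
#!/bin/sh
# Added example (not from the thread): list accounts whose failed-login
# counter is non-zero. Read-only; nothing under the tree is modified.
# Assumed layout, as named in the post: <root>/<letter>/<name>, with the
# counter stored as "u_numunsuclog#<n>:" inside the entry.

# failed_count FILE -> prints the counter (0 when the field is absent)
failed_count() {
    n=$(sed -n 's/.*u_numunsuclog#\([0-9][0-9]*\):.*/\1/p' "$1" | head -n 1)
    echo "${n:-0}"
}

# audit_tcb ROOT -> prints "user count" for each entry with count > 0
audit_tcb() {
    for f in "$1"/?/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        # Skip name.YYMMDD backups like those the unlock script leaves.
        case "$user" in
            *.[0-9][0-9][0-9][0-9][0-9][0-9]) continue ;;
        esac
        c=$(failed_count "$f")
        if [ "$c" -gt 0 ]; then
            echo "$user $c"
        fi
    done
}

# make_sample DIR -> constructed entries for the demo, not real data
make_sample() {
    mkdir -p "$1/r" "$1/i" "$1/d"
    printf 'root:u_name=root:u_id#0:\\\n\t:u_numunsuclog#7:\n' > "$1/r/root"
    printf 'igor:u_name=igor:u_id#201:\\\n\t:u_numunsuclog#0:\n' > "$1/i/igor"
    printf 'doug:u_name=doug:u_id#202:\n' > "$1/d/doug"
    cp "$1/r/root" "$1/r/root.000105"   # stale backup, must be ignored
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    audit_tcb "$d"
    rm -rf "$d"
}

demo   # prints: root 7
```

On a real system the argument to audit_tcb would be /tcb/files/auth, run as root.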

Havefun

Jan 4, 2000, 3:00:00 AM
As far as I know (at least Linux), you don't need to access the ROOT account if
booting in single-user mode. But you can change the ROOT password, just enter:
passwd root. It works!

Don't know if this can work for HPUX? You can try and post your result here.

A.Y. Xu
SYSADM(ERP)
SPINDEX PRECISION ENGINEERING (SHANGHAI)

Igor Sobrado Delgado <sob...@condmat01.geol.uniovi.es> wrote in message
news:84qtv8$rcl$1...@news.si.uniovi.es...


> Hi,
>
> One user on our server has locked the root account trying to enter
> guessing passwords on it (I have set some security features but
> wanted it active only on the user's accounts). When I try to enter
> as root I get the message:
>
> $ su
> Password: <I_put_here_my_passwd>
> Account is disabled -- see Account Administrator.
> $
>
> I suppose I could enable again this account starting server on
> maintenance mode (single-user mode), but I am not sure how to do
> it without access to the root account. We have a HP 9000 C110
> with HP-UX 10.20.
>
> Any help would be greatly appreciated,
>
> Igor.
>

root

Jan 4, 2000, 3:00:00 AM
Igor Sobrado Delgado wrote:

> Hi,
>
> One user on our server has locked the root account trying to enter
> guessing passwords on it (I have set some security features but
> wanted it active only on the user's accounts). When I try to enter
> as root I get the message:
>
> $ su
> Password: <I_put_here_my_passwd>
> Account is disabled -- see Account Administrator.
> $
>
> I suppose I could enable again this account starting server on
> maintenance mode (single-user mode), but I am not sure how to do
> it without access to the root account. We have a HP 9000 C110
> with HP-UX 10.20.
>
> Any help would be greatly appreciated,
>
> Igor.
>
> --
> Igor Sobrado Delgado (SysOp at condmat03) Physics undergrad student
> E-mail: sob...@condmat1.ciencias.uniovi.es University of Oviedo
> Asturias (SPAIN)
> System Manager of the Theoretical and Condensed Matter Physics Clusters

If you can boot your system into single user mode you will have access as
the root user by default. You should then be able to set your password
back to its old value re-enabling access to the root account.

Kind regards,

Robert Thorneycroft


Igor Sobrado Delgado

Jan 5, 2000, 3:00:00 AM
Havefun <hav...@188.net> wrote:
> As far as I know (at least Linux), you don't need to access the ROOT account if
> booting in single-user mode. But you can change the ROOT password, just enter:
> passwd root. It works!
>
> Don't know if this can work for HPUX? You can try and post your result here.

Hello,

You are right, when you boot in single-user mode you need to know the
root account password, but you do not need to access the account
directly. I can try it, but I am sure you are right. The problem was
to unlock the root account; I have not done it yet but I will change it
today.

Thanks for your answer,

Igor Sobrado Delgado

Jan 5, 2000, 3:00:00 AM
root <ro...@dev01.brakebros.co.uk> wrote:
> If you can boot your system into single user mode you will have access as
> the root user by default. You should then be able to set your password
> back to its old value re-enabling access to the root account.

Hi,

I am sure you are right, but I will try today another way to unlock the
root account on our server. I will go to the console (which is in another
building on the campus) and I will log in as root from the command line. Our
computers have a lot of users and I prefer not to reboot the servers.
Another example, when I change some configuration files I prefer to
look for the process identification number and send a SIGHUP signal
to the PID.

Thanks for your advice!

Igor Sobrado Delgado

Jan 5, 2000, 3:00:00 AM
Doug O'Leary <dkol...@mediaone.net> wrote:
> One other note: I always found using SAM to reenable locked user
> accounts to be incredibly stupid - more mouse clicks than the job really
> needs.
[...]

Thank you, again, for your detailed answer. I too prefer to work on the command
line on all Unix and Unix-like operating systems; it is faster, you know
what you are doing and you have even more control over your operating
system. I agree with you,

Igor Sobrado Delgado

Jan 5, 2000, 3:00:00 AM
I have tried the shell script written by Doug O'Leary and it WORKS JUST FINE.
It is really easy to understand and really quick, better for me than
SAM to unlock user accounts.

And you are all right, I unlocked the root account from the console (I never
log in as root and I had not tried to log in from the console when the problem
happened).

Thanks!!!
