topic Re: Root account deactivated in Operating System - HP-UX

Root account deactivated

Ricky_2 — Fri, 06 Jun 2003 01:50:57 GMT

Hi, I've a few trusted systems running on 10.20. How can I prevent the root account from being deactivated from too many failed login attempts? Thanks.

Re: Root account deactivated

steven Burgess_2 — Fri, 06 Jun 2003 01:57:31 GMT

Hi Ricky

/usr/lbin/tsconvert -r

Thats half the purpose of the trusted system, to disable an account following to many incorrect logins.

If you touch /etc/securetty it will stop remote logins and only allow direct access from the console

Sounds like to many people have root access

HTH

Steve

Re: Root account deactivated

Animesh Chakraborty — Fri, 06 Jun 2003 01:59:36 GMT

Hi,
Go to sam -> Audit & Security ->System security Policy -->General user account policy -->Unsuccessful Login Tries Allowed:_5_

Re: Root account deactivated

Ricky_2 — Fri, 06 Jun 2003 02:07:33 GMT

Hi, thanks for the prompt responses. It's just too bad that more than a few of us have the root access. I can't afford to go to single-user mode often because of a deactivated root account. Please advise on the way to totally deactivate this feature for root. Thanks.

Re: Root account deactivated

steven Burgess_2 — Fri, 06 Jun 2003 02:10:36 GMT

Hi Ricky

If the account gets locked you simply have to log in on the console to reactivate it. No single user is required

HTH

Steve

Re: Root account deactivated

T G Manikandan — Fri, 06 Jun 2003 02:10:47 GMT

If that was due to the unsuccessful login attempts

If you receive the message

"account is disabled but console login is allowed"

you can still login on the console and re-activate the root account.

Re: Root account deactivated

Ricky_2 — Fri, 06 Jun 2003 02:19:22 GMT

Hi, I couldn't log on even at the console when the root account was deactivated due to too many failed login attempts. Could it be due to the version (10.20) that I'm using? Or could it be due to the fact that the failed logins were sometimes attempted at the console? I understand that I can customise the login attempts allowed to a very large value like 99, but is there no other value, eg 0, that I can use to disable this feature? Thanks.

Re: Root account deactivated

Con O'Kelly — Fri, 06 Jun 2003 02:36:10 GMT

Hi Ricky

I think as Animesh pointed earlier in the thread out you can use SAM and for unsuccessful login tries, select customize & set to 0.

This should ensure you are allowed as many login attempts as you want, though from a security view point not really a good idea.

Cheers
Con

Re: Root account deactivated

Kiran Kumar Aekabote — Fri, 06 Jun 2003 03:20:58 GMT

Hi Ricky,

You change the root a/c policy, through SAM.
Run SAM and go to users-> select the "root" a/c from actions tab select Modify users security policies.

From this select the password ageing policies and set to "disable".

select General user account policies and set the following as:
1.A/c life time :None(infinite)
2.Max. inactive days: disable(default)
3.Unsuccessful login tries allowed: customize and value to be set to 0 (zero)
4.Authorised user to boot in single user mode : Yes