topic Re: single user mode locked in Operating System - HP-UX

single user mode locked

Donny Jekels — Tue, 27 Jan 2004 19:33:01 GMT

Someone has locked one of the boxes to request a logon at single user mode, while sconverting to trusted system.

Now I can't login to single user mode, not even with the correct root password.

Does anyone know how to change this back.

Note, we cannot convert to untrusted mode, this is a production systyem.

Thank you.
Donny

Re: single user mode locked

Patrick Wallek — Tue, 27 Jan 2004 20:19:07 GMT

If you can log in as root in multi-user mode, then you can change this via SAM.

Re: single user mode locked

kamal_9 — Tue, 27 Jan 2004 20:48:31 GMT

HI Donny
Can you able to login to the machine in normal mode .if not in single userboot where it asking for password

Re: single user mode locked

Donny Jekels — Tue, 27 Jan 2004 20:55:46 GMT

i can log in with roots password in multi user mode, no problem.

when it gets to single user mode it ask for a login, which I assume is root, and then a password. no go. and I am using the same password for root as when its in multiuser mode. i tried all sorts of combo's, even without password.

wierd. often wondered who gave the programmer at hp this wonderfull idea to build this feature. :-(

Re: single user mode locked

Ermin Borovac — Tue, 27 Jan 2004 22:33:57 GMT

To disable password in single-user mode, fire up SAM and go to:

Auditing and Security->System Security Policies->General User Account Policies

Then uncheck the box:

Require Login Upon Boot to Single-User State

Re: single user mode locked

Sridhar Bhaskarla — Tue, 27 Jan 2004 23:54:59 GMT

Hi Donny,

Ermin got it. Through command line it is

/usr/lbin/modprdef -m bootpw=NO

-Sri

Re: single user mode locked

Donny Jekels — Wed, 28 Jan 2004 10:27:25 GMT

Thank you all.

Re: single user mode locked

doug hosking — Thu, 29 Jan 2004 10:20:58 GMT

> wierd. often wondered who gave the
> programmer at hp this wonderfull idea to
> build this feature. :-(

The honest answer is 'repeated requests by several major HP customers.' As mentioned above, it's optional. HP doesn't force anyone to use it.

Imagine you're the sysadmin of university workstations. Would you want every freshman to be able to reboot them and get easy root access, have the ability to plant trojan horse versions of login on the system, change the passwords of the legitimate superusers, ... ?

Imagine your company uses a lot of temporary help, which may include people who have or will work for your competition. Do you want them to have easy root access to steal/corrupt/delete your critical data?

Obviously there are good and bad people everywhere. I'm not trying to stereotype or accuse anyone here. But the reality is that there are plenty of computer users who are less than friendly, and sysadmins need tools to help protect their systems from them. This is one small way to help meet that need. It may or may not be helpful in any given environment, which is why it's optional.

Re: single user mode locked

Donny Jekels — Thu, 29 Jan 2004 10:44:49 GMT

good point.

but why does the regular root password not work when this feature is enabled?

Re: single user mode locked

doug hosking — Thu, 29 Jan 2004 12:14:12 GMT

I can only guess re the password. One common problem relating to trusted mode conversions is that people don't understand the way standard mode passwords work.

If you have a password longer than 8 characters, traditional UNIX ignores anything beyond the first 8. If you set your password to abcdef12897, you can login with abcdef12993. The remaining characters are effectively thrown away when the 'encrypted password' is initially saved. Once thrown away, those bytes can never be recovered. This is unfortunately a limitation imposed by the historical format of a UNIX password file.

In trusted mode configurations, longer passwords are supported, and the characters beyond 8 ARE meaningful, but only if the password is changed AFTER the conversion to trusted mode. Until that change, you would need to type only the first 8 characters of the password, not the whole password, to get a match.

Another possibility is if the password in question contained special characters like
@ or #. Historically (in the days of paper-based terminals instead of CRTs) these two characters had special meaning as kill or erase characters. (Today, ^U, ^H or 'delete' are typically used instead.)
If your root password contained one or more of these special characters, it might be getting interpreted differently during boot authentication than it is during normal login. This would depend on specifics of the tty modes in effect at the time you typed the password.

My team at HP owns the code in question. I'd be very interested to know if either of the above explains the situation you encountered. (Obviously I'm not asking you to post your password or significant hints about it here.) HP support folks can reach me if there's info you'd like to share through a more private channel.

Re: single user mode locked

Donny Jekels — Thu, 29 Jan 2004 12:25:57 GMT

Okay,

our password has a few ! and ^ and $ and # signs in and the length is 15 digits.

I will re-enable the switch and test with the first 8 characters only.

will let you know if it works, by tomorrow.

Re: single user mode locked

donne007 — Thu, 29 Jan 2004 13:59:34 GMT

The other way around to disable with out untrusting the systenm is is edit the file /tcb/files/auth/r/root
and delete the entries corresponding to
:u_pwd=:\ ---> after deleting

:u_pwd=JEFuc345.7Uiw:\ --> before deleting

Hope this helps ..
Good luck
Asif