topic Re: Account/password problem on J2240 and J6000 series workstations. in Operating System - HP-UX

Account/password problem on J2240 and J6000 series workstations.

Mark Stewart — Mon, 23 Feb 2004 11:41:33 GMT

Running 11.x on both systems. The security settings we were forced to implement last year are apparently causing the root(and some user) accounts to be locked. The message when you try to login is:

"Account locked in the commercial security database."

I could simply reactivate normal user accounts, but the root is locked on a couple of the machines as well. In addition, the secure flag is set to on, so I can't just go to single user mode either. Anyway to fix this for root?

Re: Account/password problem on J2240 and J6000 series workstations.

Sridhar Bhaskarla — Mon, 23 Feb 2004 11:59:18 GMT

Hi,

By default, if you enabled trustedness on the system, the number of unsuccessful attempts would be set to 3 which is in most of the cases too less. So, you will often find the accounts being disabled. You can increase this number.

modprpw -m umaxlntr=10 root

About single user mode, you can disable it by running the command

modprpw -m bootpw=NO root

modprdef will change the system wide parameters which means all the users will inherit these values if they were not customized.

-Sri

Re: Account/password problem on J2240 and J6000 series workstations.

Steven E. Protter — Mon, 23 Feb 2004 12:01:41 GMT

This is not a standard message from trusted systems.

When my root account gets locked the message is Account diabled

Nothing more.

I suspect the presenece of third party software or scripting that you have not told us about yet.

You can if you have root access null out the root password.

Assuming the system is trusted, this is done like this:
vi /etc/files/auth/r/root
erase the data between the = and : on the u_pwd line.

Now root has no password.

Very quickly run the passwd command as root.

You also might have an unauthorized login attempt as root, such as a hacker, external or internal. I'm attaching a script that checks that.

SEP

Re: Account/password problem on J2240 and J6000 series workstations.

Mark Stewart — Mon, 23 Feb 2004 12:15:50 GMT

There is no third party script or anything that I am aware of.. If I try to rlogin into the machine as root from another machine, I do get the Account Disabled - See Administrator (which I find terribly ironic) message.

It has always been the case that accounts would display this message when locked, when trying to login via the CDE. It just magically happened with the password expirations on multiple machines over the weekend for root, which I've never had happen before. I caught the rest and preventatively changed their passwords so I wasn't totally shut out.

And yes, all machines are trusted systems. I will try your suggestions and see what happens. My normal login has root privlidges, but can't modify user accounts(that I know of) like root can - especially root's password. It seems like your trick just uses this privlidge to get to see/edit the password file.. Correct?

Re: Account/password problem on J2240 and J6000 series workstations.

Sridhar Bhaskarla — Mon, 23 Feb 2004 13:32:52 GMT

Hi,

No. These parameters are not specified in /etc/passwd file. There is a seperate trusted database under the tree of /tcb. You can find each account in the directory structure /tcb/files/auth//login

But I suggest you don't trick it by editing these files. modprpw/modprdef are for this purpose.

-Sri

Re: Account/password problem on J2240 and J6000 series workstations.

Mark Stewart — Mon, 23 Feb 2004 14:32:06 GMT

well, the problem was that I don't think that anyone TRIED logging in before they were locked.. it just locked it when they expired.. so i don't know what getting more attempts gives me..

Re: Account/password problem on J2240 and J6000 series workstations.

Mark Stewart — Wed, 17 Mar 2004 15:25:58 GMT

anyone have any other ideas on this? still having this problem..

Re: Account/password problem on J2240 and J6000 series workstations.

Floyd Curtis — Wed, 17 Mar 2004 17:28:47 GMT

See if you can login at the system console.
It may say account locked but login possible in no windows mode ... it should let you in
then try:

#modprpw -k root
#passwd root

good luck
fwc

Re: Account/password problem on J2240 and J6000 series workstations.

Mark Stewart — Thu, 18 Mar 2004 16:05:13 GMT

i ended up having to take the machine apart, boot to the boot menu system and turn secure mode off. I then reconnected the hard drives, booted to single user mode and changed the password(since it had expired). Then I rebooted back to the normal CDE login screen and opted to login on the command line. When you do this as root, it will actually let you login despite the account being disabled. I then went into sam and reactivated all accounts. For posterity, I temporarily disabled password aging until I could figure out what the proper settings should be.

Thanks for your help everyone though..