topic Re: avoid lost password in Operating System - HP-UX

avoid lost password

ust3 — Tue, 30 Oct 2007 02:41:42 GMT

I have this exprience , when I want to change the user password by "passwd userid " but I miss to input the userid , then it change the root password , so I can't login root user again , I hv to do something to resume the root password , therefore , I would like to ask is there any good method to prevent this mistake in advance , so that I still can login as root when the password is lost ? thx

Re: avoid lost password

Dennis Handly — Tue, 30 Oct 2007 02:45:59 GMT

Make sure you use "/usr/bin/passwd" if you don't want to destroy the root password.

>so that I still can login as root when the password is lost

You can always go into single user mode and reset the password.

Re: avoid lost password

ust3 — Tue, 30 Oct 2007 03:17:51 GMT

thx reply ,

"go into single user mode" need reboot the system , I think it is the worst case , so I would like to find a good method in advance I make that mistake .

thx.

Re: avoid lost password

Torsten. — Tue, 30 Oct 2007 03:21:34 GMT

There are some pros and cons, but consider to create another superuser for case of emergency and store the password on a safe place.

see
man passwd

"Multiple superusers are allowed, but are strongly discouraged. That is because the system often stores user ID rather than user name. Having unique IDs for all users will guarantee a consistent mapping between user name and user ID."

Caution: Never delete this account with SAM!

Re: avoid lost password

Dennis Handly — Tue, 30 Oct 2007 03:24:12 GMT

>I think it is the worst case, so I would like to find a good method in advance I make that mistake.

Well, I'm not sure this is any better security wise but you always add another superuser.
You can just copy root's line to another with a different name.

(Of course the best way is to learn from your mistakes. ;-)

Re: avoid lost password

Torsten. — Tue, 30 Oct 2007 03:25:51 GMT

Another way would be to use a "special" user (your personal account?) in conjunction with SUDO. see
http://hpux.asknet.de/hppd/hpux/Sysadmin/sudo-1.6.8p12/

Re: avoid lost password

Marcel Burggraeve — Thu, 01 Nov 2007 04:09:35 GMT

Just wondering, why can't you login with root anymore after this mistake ?
All you need to do is use the new password which you had just provided when you typed passwd without the userid.

Best way to 'avoid' this issue is to start realising using root is a potential danger and think twice or even more before you press enter after typing a command.
Changing the password is not such a big deal but eg a typo with rm can be a total disaster.

Re: avoid lost password

whiteknight — Thu, 01 Nov 2007 04:30:47 GMT

ust3,

You may consider setup root equivalent as a standby in case you root password lost.

WK

Re: avoid lost password

A. Clay Stephenson — Thu, 01 Nov 2007 09:14:46 GMT

I don't really have much sympathy for this kind of mistake --- there is feedback in the loop so don't do it again. Generally this kind of dumb mistake occurs when an administrator routinely logs in as root rather than logging in as a regular user and only su's to root when needed and then immediately reverts to a normal user.

Haviing multiple UID 0 accounts is considered very poor practice so I wouldn't go that route. You might consider setting up a sudo'ed command that will let you as a regular user run the passwd command as root.

Re: avoid lost password

A. Clay Stephenson — Thu, 01 Nov 2007 09:14:54 GMT

I don't really have much sympathy for this kind of mistake --- there is feedback in the loop so don't do it again. Generally this kind of dumb mistake occurs when an administrator routinely logs in as root rather than logging in as a regular user and only su's to root when needed and then immediately reverts to a normal user.

Having multiple UID 0 accounts is considered very poor practice so I wouldn't go that route. You might consider setting up a sudo'ed command that will let you as a regular user run the passwd command as root.

Re: avoid lost password

Patrick Wallek — Thu, 01 Nov 2007 09:23:18 GMT

I have to agree with A. Clay! The way to avoid it is to not make the mistake in the first place.

This should be VERY easy to avoid. If you are changing passwords for a user, when logged in as root, and forget to put the user-id on the command line, well that is your own fault and no fault of the systems.

Doing 'passwd ' should not be that hard to remember.

Now, that being said, I have sudo set up on ALL my machines (HP-UX and Linux) and ALWAYS use 'sudo su -' to log in as root. I don't even know the root password to my machines. It changes automatically daily. So far I have had no problems with using sudo to login as root.

I also agree that having multiple UID 0 accounts is a very BAD idea. It is considered a high security risk in any system audit.

Re: avoid lost password

Steven E. Protter — Thu, 01 Nov 2007 09:25:14 GMT

Shalom,

There is no reason to use root to reset user IDs.

The root user account is supposed to be used to administer the system not operate it.

You can use the sam restricted shell and grant password reset power to an operator user and let them use sam to reset the password.

SEP

Re: avoid lost password

Patrick Wallek — Thu, 01 Nov 2007 09:36:06 GMT

>>>There is no reason to use root to reset user IDs.

root is the only id that can reset other users passwords.

>>>The root user account is supposed to be used to administer the system not operate it.

Passwords are part of sys admin, at least in my mind.

>>>You can use the sam restricted shell and grant password reset power to an operator user and let them use sam to reset the password.

This is just doing what it needs to do as root in the background.

Re: avoid lost password

Ralph Grothe — Thu, 01 Nov 2007 09:54:32 GMT

Just to take up Torsten's suggestion,
sudo is really making this easy by avoiding the mess more than one super user accounts are prone to cause, and with the added benefit of logging.

Grab ixSudo from HP's Internet Express
because it is easiest to install.

In the provided sudoers file, which you must edit only via visudo,
there's already rules for a group called wheel
(I think they have adopted this naming from FreeBSD)
If it doesn't already exist create it with groupadd wheel.
Then add any user who occasionally requires root privileges to group wheel (usermod -G wheel ),
and uncomment any of these two (depending if you want your users to authorize by their password or not (for the latter the NOPASSWD stanza would apply)).
Of course you are free to do this with any other group name if you don't fancy wheel.

# grep wheel /opt/iexpress/sudo/etc/sudoers
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL