topic Re: 'xxx' in password field for sam_exec in Operating System - HP-UX

'xxx' in password field for sam_exec

Ron Levy — Fri, 06 Sep 2002 20:25:01 GMT

What's the reasoning behind the 'xxx' in the password field for the 'sam_exec' account under 11.0? Is it secure? And if the goal was to be secure, why wasn't a '*' used to indicate no standard logins on that account?
Thanks,
-Ron Levy

Re: 'xxx' in password field for sam_exec

Ted Ellis_2 — Fri, 06 Sep 2002 20:31:47 GMT

hmmm... we run 11.0 and there is no sam_exec user on our systems. Are you a trusted system? If so, we do not use that and I would not know the answer. One thing though... xxx in the password field is just as secure as *... it is an entry that does not meet the qualifications for a properly encoded password... ie. it requires the salt and 11 characters, for a total of 13 characters to be something that could be decoded. If you want, you can always run passwd -l sam_exec to lock down the account with the normal * entry. Either way this account is not getting logged into

Re: 'xxx' in password field for sam_exec

Craig Rants — Fri, 06 Sep 2002 20:33:08 GMT

Are you sure that you are running 11.00. The sam_exec account is a 9.00 thing...

HP-UX release 9.0 contains some significant enhancements related to the
remote management of network security. In particular, SAM now contains
a Remote System Administration area that allows system management to
remotely administer networked systems.

Although this feature has only recently been released, preliminary
investigation has revealed the following:

When remote system administration is requested, SAM logs in to the
remote system, and creates a new account on the remote system (you
must provide the root password to the remote system to do this).

The new account is created with user name sam_exec, UID=0 and GID=1,
and is created with a copy of the root password currently used on the
remote system. This new account is used by SAM whenever logging in to
the remote system.

While not in itself a problem, this seems to be very lightly (if at
all) documented at present.

Don't know why you would need this on 11.0

GL,
C

Re: 'xxx' in password field for sam_exec

Ted Ellis_2 — Fri, 06 Sep 2002 20:35:05 GMT

maybe a copied password file during a system upgrade perhaps?

Re: 'xxx' in password field for sam_exec

Michele Macintire — Mon, 09 Sep 2002 10:33:18 GMT

We have a 10.20 server that was used as the primary place to lauch sam for several other servers of that application family. The other 4 servers associated with it are 11.00.

When, in SAM, you choose "Run SAM on Remote Systems" and then use the next screen's "Action" drop down list to "Add System", it will add the sam_exec account to the system you are choosing to add. This feature is still available in 10.20, 11.00 and 11.11 (11i).

Our 11.00 servers are in trusted mode, so the password field does show up as an '*' for sam_exec. The 10.20 server has 'xxx' as the password. I'm assuming, although I have no documentation to prove it, that the 'xxx' was just a way to lock the account so that no one could log in using that account.

Hope that helps!
Michele