03-14-2011 12:17 PM
mp password management?
We have to change our mp passwords a few times a year.
I have been doing this using SecureCRT via a VB script. It works fine but is still a pain.
Is there any kind of MP password management tool that can take care of a mix of models and versions of HPUX?
03-14-2011 01:24 PM
Re: mp password management?
Since mp or gsc has nothing to do with the unix portion of the server operation, there is no tool that I am aware of that can change the password. There is a way to reset the MP board to factory defaults or something close to that, by one command from the HPUX prompt, but anecdotal evidence says performance resetting the board is spotty at best.
The only option for doing this automatically is via something like you concocted already, an external machine running a script (the likes of expect), but one can't help asking: why change the machine's hardware password instead of locking the access to MP ports or serial ports to a network which is not routable to remote networks, the likes of VPN or, god forbid, the internet? In any large data center I worked in during the past 15-20 years, I have never had to change these passwords, but in order to get to any of these, you have to jump through several machines to get access to the network they reside on, and passwords were always left at the default Admin/Admin or blank password. Just an idea. In case of a machine crash, the last thing you need is scrambling to find the person with the latest MP passwords.
________________________________
UNIX because I majored in cryptology...
03-14-2011 04:29 PM
Re: mp password management?
Actually, this requirement is easy to solve. The passwords on the GSP, iLO and MP ports have little strength enforcement, most have no history, and the built-in web pages will trigger security alerts for html vulnerabilities. As mentioned, these ports have no connection with HP-UX, and therefore have none of the security features.
These ports are simple administrator interfaces to the processor ROMs and low level hardware controls (like power off and reset). These ports are no different than SAN switches, network switches and firewalls, UPS interfaces, iLO ports, and so on. These console ports lack even the simplest password standards and authentication controls -- and they won't or can't be fixed.
The solution is to immediately remove 100% of all console access methods from open subnets and create an unrouted diagnostic subnet. This subnet is completely invisible from any network in the company and can only be accessed by one or two high security boxes that have the diag LAN (unrouted). Now there can be extensive authentication in the diag subnet server which then allows access to critical console resources.
When you consider how much damage can be done with access to these ports, the diag LAN concept should be a critical retrofit for all data centers.
Bill Hassell, sysadmin
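
The unrouted diag LAN described in the reply above can be audited from an inventory. This is an added example, not part of the original posts: the subnet, host names, addresses and routed prefixes are constructed sample data, and the three lists are assumed to be exported from your own inventory and routers.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread).
DIAG_LAN = ipaddress.ip_network("192.168.250.0/24")
ACCESS_BOXES = {"diag-gw1", "diag-gw2"}   # the "one or two high security boxes"

CONSOLES = [                              # (console interface, address)
    ("hpux-a MP", "192.168.250.11"),
    ("hpux-b MP", "10.20.30.41"),         # still on an open subnet
    ("san-sw1 mgmt", "192.168.250.60"),
    ("ups-3 web", "10.20.31.7"),          # still on an open subnet
]
ROUTED_PREFIXES = ["10.20.0.0/16", "172.16.0.0/12"]
HOST_INTERFACES = {                       # host -> addresses of all its NICs
    "diag-gw1": ["10.20.30.5", "192.168.250.1"],
    "diag-gw2": ["10.20.30.6", "192.168.250.2"],
    "buildbox": ["10.20.40.9", "192.168.250.99"],  # unexpected diag LAN leg
}

def consoles_outside_diag(consoles, diag):
    """Console interfaces that have not been moved onto the diag LAN."""
    return [name for name, addr in consoles
            if ipaddress.ip_address(addr) not in diag]

def routed_overlaps(prefixes, diag):
    """Routed prefixes that cover the diag LAN, i.e. it is not unrouted."""
    return [p for p in prefixes if ipaddress.ip_network(p).overlaps(diag)]

def unexpected_diag_hosts(hosts, diag, allowed):
    """Hosts with an interface on the diag LAN that are not approved access boxes."""
    return sorted(
        host for host, addrs in hosts.items()
        if host not in allowed
        and any(ipaddress.ip_address(a) in diag for a in addrs)
    )

def audit():
    return {
        "consoles_on_open_subnets": consoles_outside_diag(CONSOLES, DIAG_LAN),
        "routes_reaching_diag_lan": routed_overlaps(ROUTED_PREFIXES, DIAG_LAN),
        "unapproved_hosts_on_diag_lan": unexpected_diag_hosts(
            HOST_INTERFACES, DIAG_LAN, ACCESS_BOXES),
    }

if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items or 'none'}")
```
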