Integrity Servers
cancel
Showing results for 
Search instead for 
Did you mean: 

mp password management?

 
rleon
Regular Advisor

mp password management?

We have to change our mp passwords a few times a year.

I have been doing this using securecrt via a vb script. It works fine but still a pain..

There there any kind of mp password management tool that will can take care of a mix of models and versions of HPUX?
2 REPLIES 2
Mel Burslan
Honored Contributor

Re: mp password management?

Since mp or gsc has nothing to do with the unix portion of the server operation, there is no tool that I am aware of that can change the password. There is a way to reset the MP board to factory defaults or something close to that, by one command from HPUX prompt but anecdotal evidence says, performance resetting the board is spotty at best.

The only option doing this automatically is via something like you concocted already, an external machine running a script (likes of expect) but one can't wonder asking, why change the machine's hardware password instead of locking the access to MP ports or serial ports to a network which is not routable to remote networks likes of VPN or god forbid internet ? In any large data center I worked during the past 15-20 years, I have never had to change these passwords but in order to get to any of these, you have to jump through several machines to get access to the network they reside on, and passwords were always left at the default Admin/Admin or blank password. Just an idea. In case of a machine crash, last thing you need is scrambling to find the person with the latest MP passwords.
________________________________
UNIX because I majored in cryptology...
Bill Hassell
Honored Contributor

Re: mp password management?

Actually, this requirement is easy to solve. The passwords on the GSP, iLO and MP ports have little strength enforcement, most have no history, and the built-in web pages will trigger security alerts for html vulnerabilities. As mentioned, these ports have no connection with HP-UX, and therefore have none of the security features.

These ports are simple administrator interfaces to the processor ROMs and low level hardware controls (like power off and reset). These ports are no different than SAN switches, network switches and firewalls, UPS interfaces, iLO ports, and so on. These console ports lack even the simplest password standards and authentication controls -- and they won't or can't be fixed.

The solution is to immediately remove 100% of all console access methods from open subnets and create an unrouted diagnostic subnet. This subnet is completely invisible from any network in the company and can only be accessed by one or two high security boxes that have the diag LAN (unrouted). Now there can be extensive authentication in the diag subnet server which then allows access to critical console resources.

When you consider how much damage can be done with access to these ports, the diag LAN concept should be a critical retrofit for all data centers.


Bill Hassell, sysadmin