
how to reenable a disabled root account with enhanced security?

Eric van Dijken
Trusted Contributor


While testing with Enhanced Security, I came upon the following problem. When the root account is disabled, I am unable to enable it again. I have tried the following.

Booted the system into single user mode:
>>> b -fl s

Mounted all filesystems:
# mount -a

Started security services I think are needed:

# /sbin/init.d/inet start
# /sbin/init.d/prpasswd start
# /sbin/init.d/security start
# /sbin/init.d/sia start

Tried to unlock the root account with:

# usermod -x administrative_lock_applied=0 root

# init 3

Tried to log in, but failed. The account is still disabled. And even though it says that console login is permitted, the login fails.

Yes, the password I used is correct.

Using Tru64 5.1B (PK4) in a 2 Node TruCluster configuration. (Yes, 2nd node is down)
Watch, Think and Tinker.
4 REPLIES
Eric van Dijken
Trusted Contributor

Re: how to reenable a disabled root account with enhanced security?

Looks like "usermod" isn't strong enough.
(or I am using it in a wrong way)

Unlock root account with "edauth"
# /usr/tcb/bin/edauth -g root \
| sed 's/:chkent/:u_lock@:chkent/;s/:u_numunsuclog#.:/:/;s/:u_numunsuclog#..:/:/' \
| /usr/tcb/bin/edauth -s

Thanks for yer time.
Watch, Think and Tinker.
Ann Majeske
Honored Contributor

Re: how to reenable a disabled root account with enhanced security?

Hi Eric,

There are several different ways that login to an Enhanced Security account can be disabled. The administrative lock is one, failed login count is another. If you look at the list of Enhanced Security user profile items in "man prpasswd" and the description of routine "locked_out_es()" you'll see that there are some combinations of settings of other fields that can cause logins to the account to be disabled as well.

One thing that will unlock the account about 9 times out of 10 is setting the grace limit on the account. This will bypass most of the combinations of settings that cause logins to the account to become disabled and the successful login will then most likely clear the disabling condition.

You can set the grace limit with dxaccounts by clicking on the unlock account button; with usermod by setting "-x grace_limit=n"; or with edauth by adding "u_grace_limit#n". I think the confusion comes in because the dxaccounts unlock button sets the grace limit as well as disabling the administrative lock, where with the other methods you have to do both separately.

Ann
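
Added example (not part of any post in this thread): a filter that combines the two fixes discussed above, clearing the administrative lock and failed-login counter as in the sed pipeline and setting the grace limit as Ann describes. It goes a little beyond the posted sed by handling a counter of any width and an entry that already carries `u_lock` or `u_grace_limit`; the function names and the sample entry are constructed, and it assumes each field sits whole on one physical line of the `edauth -g` output.

```shell
#!/bin/sh
# Added example, not from the thread. Field names (u_lock, u_numunsuclog,
# u_grace_limit, chkent) are the ones quoted in the posts above.
# Assumption: each field sits whole on one physical line of the entry.

# unlock_entry [GRACE]: filter one `edauth -g` entry from stdin to stdout.
unlock_entry() {
    grace=${1:-1}
    case $grace in
        ''|*[!0-9]*) echo "unlock_entry: grace limit must be numeric" >&2
                     return 2 ;;
    esac
    # 1. drop any existing u_lock / u_lock@ flag
    # 2. drop the failed-login counter, whatever its width
    # 3. drop a stale grace limit so the field is not duplicated
    # 4. re-add u_lock@ and the new grace limit just before chkent
    sed -e 's/:u_lock@\{0,1\}:/:/' \
        -e 's/:u_numunsuclog#[0-9]*:/:/' \
        -e 's/:u_grace_limit#[0-9]*:/:/' \
        -e "s/:chkent/:u_lock@:u_grace_limit#${grace}:chkent/"
}

# lock_fields: list only the lock-related fields of an entry, one per line.
lock_fields() {
    tr ':' '\n' | tr -d '\\\t ' |
        grep -E '^(u_lock@?|u_numunsuclog#[0-9]+|u_grace_limit#[0-9]+)$' || true
}

# Constructed sample entry (two physical lines joined by a backslash).
SAMPLE=$(printf 'root:u_name=root:u_id#0:\\\n\t:u_numunsuclog#123:u_lock:chkent:')

echo "before:"; printf '%s\n' "$SAMPLE" | lock_fields
echo "after:";  printf '%s\n' "$SAMPLE" | unlock_entry 1 | lock_fields

# On the system itself the filter would sit where the sed sits in the thread:
#   /usr/tcb/bin/edauth -g root | unlock_entry 1 | /usr/tcb/bin/edauth -s
```

Running `lock_fields` on the entry before and after the edit shows which disabling fields were present and confirms that only `u_lock@` and the grace limit remain.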
Eric van Dijken
Trusted Contributor

Re: how to reenable a disabled root account with enhanced security?

Still, if the root account is disabled, I am unable to log in when console = graphics. The XDM screen accepts the login, but then either I am returned to the XDM screen or the X server crashes.....

But the biggest problem still persists: if the root account is disabled, without a backdoor (sudo) I am unable to re-enable the account again.

When I am able to bring down the system in a normal way using "halt" (not using the halt button) it works using the above methods.

When I use the "halt" button, I get strange results "No such account: root" and (if I recall correctly) "Unable to get an exclusive lock." after a very long time.... (OK, 40 seconds is long if yer waiting)

Can someone enlighten me?
Watch, Think and Tinker.
Eric van Dijken
Trusted Contributor

Re: how to reenable a disabled root account with enhanced security?

Think I have the list complete now:

# /sbin/init.d/evm start
# /sbin/init.d/security start
# /sbin/init.d/sia start
# /sbin/init.d/niffd start
# /sbin/init.d/netrain start
# /sbin/init.d/inet start
# /sbin/init.d/clu_alias start
# /sbin/init.d/prpasswd start

Watch, Think and Tinker.