For brevity, I'll call anything that treats '@' and the other HP-UX default TTY control characters specially "@-sensitive", and anything that does not treat them specially "@-insensitive".
To cover all the bases, there are four possible situations:
- password is set using an @-insensitive method (e.g. a regular passwd command), and login is attempted using an @-insensitive method (OpenSSH and its derivatives, FTP... both assuming that the client-side does not use a unix-style TTY driver with HP-style ancient defaults): no problem.
- password is set using an @-sensitive method (some custom password-setting tool?), and login is attempted using an @-sensitive method: no problem, although your stored password is not what you think it is. (Anything up to and including the last '@' character is omitted from the stored password.)
- password is set using an @-insensitive method, and you're logging in using an @-sensitive method (HP-UX console or telnet login): A tricky problem. You'll need to escape that '@' somehow, or find an @-insensitive method that allows you to either change your password or overwrite the appropriate password file.
- password is set using an @-sensitive method, and you're logging in using an @-insensitive method: A small problem. Just use a shorter version of your password, omitting anything up to and including the last @ character. For example, if your password was 'aaa@x0', try logging in with just 'x0'.
> Simple, you just need to quote the "@" or "#", like "\@". You'll need to remember you can only use "\" for
> the cases where "@" is treated special.
Dennis, have you tested this? A backslash is the standard shell-level escape character, but in the console password prompt, there is no shell involved. When the login process is prompting for a password, it tells the tty driver to disable the echo feature (so the password will not be displayed on the terminal) but I don't think it changes anything else: the tty driver will still be in "cooked mode".
If my theory is correct, the password input comes from the console port hardware to the tty driver, which passes it to the process only after the Enter key is pressed. (This is what allows the special meaning of the @ character take effect in the first place.) The backslash escape processing built into the login binary cannot help here, as the process never receives the '@' character and any characters preceding it at all.
The solution would be the tty-driver-level escape character, known as lnext.
Unfortunately, man 7 termio has some bad news about the lnext character (emphasis mine):
"The special characters are assigned their default character values when the terminal port is opened. The default values used are those specified by the System V Interface Definition, Third Edition (SVID3), except for the WERASE (Ctrl-W) and LNEXT (Ctrl-V) characters which are set to _POSIX_VDISABLE to maintain binary compatibility with previous releases of HP-UX."
In other words: no lnext for you unless someone or something (e.g. a version of Bill's /etc/inittab addition) changes the tty default settings to enable it!
Gee, I know HP-UX is dedicated to maintaining backwards compatibility, but I think this might be going a little too far.
My suggestions to solve the problem:
Can you log in as some other user, fix the stty settings for that session (stty intr ^C erase ^H kill ^U), then use "su -" to gain root access?
If that is not possible... the original poster indicated the problem is in a 11.11 test system. 11.11 should have FTP enabled by default for all users, including root. A FTP server does not need a TTY driver to process its inputs: any command-line editing happens strictly client-side. This means it should be @-insensitive. If the target system has not been secured to disallow root FTP access, you could make a FTP connection as root from another host (if it's a HP-UX host, make sure *it* has sane, @-insensitive stty settings in the current session before making the attempt).
If you can log in with FTP, download the appropriate password file (/etc/passwd for standard mode; /tcb/files/auth/r/root for Trusted System Mode), edit it to remove the root password hash or to replace it with the hash of a known @-free password, then upload the modified password file back to the target system.
If FTP root logins have been blocked, it might be time to test the "lost root password" procedure. If the "booting to single-user mode requires authentication" feature has not been enabled (it's disabled by default), this is as simple as crashing the system and booting it to the single-user mode. 11.11 means PA-RISC, so the process on most server models is:
- interrupt the firmware boot process
- type "boot pri" to the PDC firmware boot prompt
- answer Y to the "interact with IPL/ISL?" question
- type "hpux -is" to the ISL> boot prompt
- wait for the system to boot
- once you reach the root shell, type "mountall" before doing anything else.
Workstation models may have some differences in step 2, but the general idea should be the same.
MK
