HPE Community
Operating System - Linux
1752378 Members
6939 Online
108788 Solutions
New Discussion юеВ

Re: RHEL4.8 how to allow a null password

 
SOLVED
Go to solution
Matt Shaffer_1
Regular Advisor

тАО07-15-2009 04:24 AM

тАО07-15-2009 04:24 AM

RHEL4.8 how to allow a null password

We run a cobol app on top of our RHEL OS. The app has it's own security(login/password combo) so I want to allow for a null OS password or maybe what I want is to skip the OS password all together. I've been trying different things in pam.d but haven't had success. Any ideas? Thanks.
0 Kudos
Reply
7 REPLIES 7
Goran┬аKoruga
Honored Contributor

тАО07-15-2009 05:15 AM

тАО07-15-2009 05:15 AM

Re: RHEL4.8 how to allow a null password

Hello.

Did you try "nullok" option for pam_unix module?

Goran
0 Kudos
Reply
Matt Shaffer_1
Regular Advisor

тАО07-15-2009 09:18 AM

тАО07-15-2009 09:18 AM

Re: RHEL4.8 how to allow a null password

Maybe I should be more specific. I am telneting as a root user. Below is some detail:

B0010-> grep -l nullok *
system-auth
xscreensaver

B0010-> cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

thanks for the help
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО07-15-2009 09:39 AM

тАО07-15-2009 09:39 AM

Solution

Re: RHEL4.8 how to allow a null password

Shalom,

Look at the user profiles of bin and some of the daemons in /etc/passwd

Perhaps you could duplicate one of them, change the UID and GID and get something that is never used for login.

Or you can start this product as follows:

/bin/su - c username "command to start daemon"

This would if run by root bypass the OS password.

It would require root access, but an admin or cron can do the job.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Goran┬аKoruga
Honored Contributor

тАО07-15-2009 09:15 PM

тАО07-15-2009 09:15 PM

Re: RHEL4.8 how to allow a null password

Ahh check logs, I suspect your problem is "securetty" - a message in logfiles will confirm it.

Goran
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО07-15-2009 10:30 PM

тАО07-15-2009 10:30 PM

Re: RHEL4.8 how to allow a null password

I once did something similar by configuring telnetd to start a custom script instead of a "login" program. That script would then setup the necessary environment and then use "su - username command" to start the application as a specific user dedicated to that purpose.

Of course, there is the side effect that you cannot use the same port for normal logins at all: any telnet login is automatically directed to the application instead.

You *could* choose to dedicate telnetd for the use of this COBOL application only, and use SSH or other login methods for system administration. Or you could set up a second copy of telnetd in a custom port: in that case it's your choice whether you put the regular telnet access or the application-customized version to the custom port.

To create a second copy of the telnet service:
1.) Assign a service name for your custom port in /etc/services, for example:

customtelnet 2323/tcp

2.) Copy the telnet service configuration file and edit its service definition to
refer to your custom service name:

cp /etc/xinetd.d/telnet /etc/xinetd.d/customtelnet

edit /etc/xinetd.d/customtelnet to change the "service telnet" line to "service customtelnet"

3.) run "service xinetd restart" or send a HUP signal to the xinetd process.


To make the telnet service start your application (or its startup script, if necessary):
1.) edit the telnet service definition in /etc/xinetd.d (either the standard or custom one, your choice) to add a "server_args" line to the service definition.

For example:
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
server_args = -L /usr/local/bin/your-app-startup-script
log_on_failure += USERID
disable = no
}

(Note: with a quick reading of telnetd man page, it looks like you may have to add the "-a off" option to the server_args line too. I don't have a RHEL4 machine I could use for testing this at the moment, so you'll have to check it yourself.)

(Note 2: changing the "user" line in the xinetd service definition to an application-dedicated userid would probably be more secure than using su in application startup script. But that may require some extra care in setting up the shell environment before starting up the application.)

MK
MK
Reply
Matt Shaffer_1
Regular Advisor

тАО07-17-2009 05:47 AM

тАО07-17-2009 05:47 AM

Re: RHEL4.8 how to allow a null password

Thanks to all for the suggestions. I think the mark is being missed though. Here is some more explanation. I need to be able to telnet as root (with root password) and get to the command line. And also telnet as super (root ID) with super password and go right into app. I've run passwd -d super to delete password but that didn't work. I moved super to top of /etc/passwd and moved root to second line. I am able to telnet as root but can't as super. I try to enter the app password but it isn't taking. Below are the /etc/passwd entries.

root:x:0:0:root:/root:/bin/ksh
super:x:0:200:root:/tmp:/usr/security/secure

thanks to all
Matt
0 Kudos
Reply
Matt Shaffer_1
Regular Advisor

тАО07-17-2009 06:24 AM

тАО07-17-2009 06:24 AM

Re: RHEL4.8 how to allow a null password

Here are 2 lines from /var/log/messages.

Jul 17 09:45:20 B0010 remote(pam_unix)[7842]: authentication failure; logname= u
id=0 euid=0 tty=pts/1 ruser= rhost=mshaffer-laptop.wescodist.com user=super
Jul 17 09:45:22 B0010 login[7842]: FAILED LOGIN 1 FROM mshaffer-laptop.wescodist
.com FOR super, Authentication failure

Jul 17 09:47:47 B0010 remote(pam_unix)[7845]: session opened for user root by (u
id=0)
Jul 17 09:47:47 B0010 -- root[7845]: ROOT LOGIN ON pts/1 FROM mshaffer-laptop.w
escodist.com
Jul 17 09:59:50 B0010 remote(pam_unix)[7845]: session closed for user root
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.