System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

password reqd for single user mode for 11.31

john guardian
Super Advisor

password reqd for single user mode for 11.31

Do I have to reboot the system in order to determine whether or not the system requires a password when booting to single user or is there a method to do so while the machine is already up and running in multi-user mode?

Thx.
4 REPLIES
Rita C Workman
Honored Contributor

Re: password reqd for single user mode for 11.31

Well...since when you reboot an HPUX system and disrupt the ISL to put it into single user mode, the answer is No it does not require a password at this point. This is the vehicle that is used to reset password on servers where the root password has gotten "lost or is unknow".

At least I hope I read your question correctly.
Now if you want to reset the root passwd, being logged in as root, while the box is up and running you just type "passwd".

If I have totally had a senior blonde moment and missed what you are trying to say..my apologies.

Regards,
Rita
john guardian
Super Advisor

Re: password reqd for single user mode for 11.31

Let's start over w/this:

System power is applied. Machine starts to boot. Can I set up a password requirement so that when I interrupt the ISL to boot into single user mode instead of multi-user, it will only boot to single user mode if the password is entered?

If yes, can that information be checked/accessed while the system is in multi-user mode via some facility like a GSP?
Earl_Crowder
Trusted Contributor

Re: password reqd for single user mode for 11.31

You can set BOOT_AUTH and BOOT_USERS in /etc/default/security to require a password to boot to single-user mode.

Access to the Console to cause a reboot would be protected by the security of the Management Processor.

man security(4)

Matti_Kurkela
Honored Contributor

Re: password reqd for single user mode for 11.31

You mentioned HP-UX 11.31, so you're talking about a pretty modern system. Of those, I think all models except the absolute-bottom-line rx2600s always come equipped with an iLO / MP.

Unlike their precedessor GSP, MP and iLO requires a password before you can even see a single line of PDC or EFI boot output, even on the local serial console.

If an unauthorized person gets past that to see the iLO/MP command prompt with administrator privileges, you've lost the game. With iLO/MP admin access, the intruder can:
- crash the system instantly with the RS command
- boot the system from a handy extra SCSI/FW disk, if the hardware connectors are accessible
- boot the system from a virtual media located on some other network-reachable host
- if you're on an Itanium and the EFI bootloader is password-protected, iLO/MP access can be used to reset the EFI/BMC password.

However: if the iLO/MP is password-protected but the local console connection and the iLO/MP reset button are accessible, the the intruder can perform an iLO/MP password reset.

(Hmm, unplugging all the server's power cables will obviously also reset the iLO/MP... but does that also allow the password reset procedure, or is the iLO reset the only way to that? May be hardware-model-dependent.)

Considering all that, the OS single-user-mode password simply does not look all that important any more.

The primary requirements for HP-UX 11.31 reboot security would seem to be:
1.) Don't allow unauthorized personnel physical access to the server hardware.
(This is a no-brainer.)

2.) The iLO/MP default username/password combinations are well-known Admin/Admin and Oper/Oper; change them.
(Another one that should be obvious.)

3.) If the serial console connection is cabled outside the server enclosure, protect it too: it's the master key to the iLO/MP password reset procedure, which gives up the keys to the kingdom.

(It's possible to reserve the serial console connection to initial system setup and hardware service actions only; all the rest can be done using the iLO/MP network console interface.)

4.) Although the iLO/MP network console interface can use encrypted protocols, connecting it to a secure network segment that is accessible by authorized sysadmins only would still be a good idea.

If you have a rx2600, it was possible to buy it without the iLO/MP option. If you have such a server, your boot security is mainly determined by the EFI/BMC password. In that case, the password recovery procedure is listed as "Contact HP"...

If I were deploying an iLOless rx2600 in an environment that would require protecting the system with an EFI/BMC password (as opposed to a securely locked server room or rack), I'd find out in advance if the reset procedure requires hardware manipulation, or if it's something that can be performed using just the serial console.

MK
MK