
avoid lost password

 
ust3
Regular Advisor

avoid lost password

I have this experience: when I want to change a user's password with "passwd userid" but I forget to input the userid, it changes the root password, so I can't log in as root again and I have to do something to restore the root password. Therefore, I would like to ask: is there any good method to prevent this mistake in advance, so that I can still log in as root when the password is lost? Thanks.
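One way to catch the mistake described in this question before it reaches passwd, as an added example that is not part of the original post or any reply: a POSIX shell wrapper that, when run as UID 0, refuses to call passwd unless the last argument names an existing account. The names passwd_guard, PASSWD_BIN and CURRENT_UID are hypothetical, and the check is deliberately conservative (option-only invocations are refused too).

```shell
# Added example: source from root's profile, then: alias passwd=passwd_guard
# PASSWD_BIN and CURRENT_UID are hypothetical overrides so the guard can be
# exercised without root privileges or a real passwd binary.
PASSWD_BIN=${PASSWD_BIN:-/usr/bin/passwd}

passwd_guard() {
    uid=${CURRENT_UID:-$(id -u)}
    if [ "$uid" -ne 0 ]; then
        # Not root: pass everything through unchanged.
        "$PASSWD_BIN" "$@"
        return
    fi

    # As root, the account name must be given explicitly as the last argument.
    last=
    for arg in "$@"; do last=$arg; done
    case $last in
        ''|-*)
            echo "passwd_guard: no account name given; this would change root's password." >&2
            echo "passwd_guard: use 'passwd root' if that is really intended." >&2
            return 2
            ;;
    esac

    # Reject typos: the name must resolve to an existing account.
    if ! id "$last" >/dev/null 2>&1; then
        echo "passwd_guard: no such account: $last" >&2
        return 3
    fi

    "$PASSWD_BIN" "$@"
}
```

Calling the binary by its full path bypasses the guard, so other invocation forms remain available when they are really needed.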
Dennis Handly
Acclaimed Contributor

Re: avoid lost password

Make sure you use "/usr/bin/passwd" if you don't want to destroy the root password.

>so that I still can login as root when the password is lost

You can always go into single user mode and reset the password.
ust3
Regular Advisor

Re: avoid lost password

Thanks for the reply,

"Go into single user mode" needs a reboot of the system. I think it is the worst case, so I would like to find a good method in advance, before I make that mistake.

Thanks.
Torsten.
Acclaimed Contributor

Re: avoid lost password

There are some pros and cons, but consider creating another superuser for emergencies and storing the password in a safe place.

see
man passwd

"Multiple superusers are allowed, but are strongly discouraged. That is because the system often stores user ID rather than user name. Having unique IDs for all users will guarantee a consistent mapping between user name and user ID."

Caution: Never delete this account with SAM!

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Dennis Handly
Acclaimed Contributor

Re: avoid lost password

>I think it is the worst case, so I would like to find a good method in advance I make that mistake.

Well, I'm not sure this is any better security-wise, but you can always add another superuser.
You can just copy root's line to another with a different name.

(Of course the best way is to learn from your mistakes. ;-)
Torsten.
Acclaimed Contributor

Re: avoid lost password

Another way would be to use a "special" user (your personal account?) in conjunction with SUDO. see
http://hpux.asknet.de/hppd/hpux/Sysadmin/sudo-1.6.8p12/

Hope this helps!
Regards
Torsten.

Marcel Burggraeve
Trusted Contributor

Re: avoid lost password

Just wondering, why can't you log in with root anymore after this mistake?
All you need to do is use the new password which you had just provided when you typed passwd without the userid.

Best way to 'avoid' this issue is to start realising that using root is a potential danger and think twice or even more before you press enter after typing a command.
Changing the password is not such a big deal, but e.g. a typo with rm can be a total disaster.
whiteknight
Honored Contributor

Re: avoid lost password

ust3,

You may consider setting up a root equivalent as a standby in case your root password is lost.


WK
Problem never ends, you must know how to fix it
A. Clay Stephenson
Acclaimed Contributor

Re: avoid lost password

I don't really have much sympathy for this kind of mistake --- there is feedback in the loop so don't do it again. Generally this kind of dumb mistake occurs when an administrator routinely logs in as root rather than logging in as a regular user and only su's to root when needed and then immediately reverts to a normal user.

Having multiple UID 0 accounts is considered very poor practice so I wouldn't go that route. You might consider setting up a sudo'ed command that will let you as a regular user run the passwd command as root.
If it ain't broke, I can fix that.
Patrick Wallek
Honored Contributor

Re: avoid lost password

I have to agree with A. Clay! The way to avoid it is to not make the mistake in the first place.

This should be VERY easy to avoid. If you are changing passwords for a user, when logged in as root, and forget to put the user-id on the command line, well that is your own fault and no fault of the system's.

Doing 'passwd ' should not be that hard to remember.

Now, that being said, I have sudo set up on ALL my machines (HP-UX and Linux) and ALWAYS use 'sudo su -' to log in as root. I don't even know the root password to my machines. It changes automatically daily. So far I have had no problems with using sudo to login as root.

I also agree that having multiple UID 0 accounts is a very BAD idea. It is considered a high security risk in any system audit.
Steven E. Protter
Exalted Contributor

Re: avoid lost password

Shalom,

There is no reason to use root to reset user IDs.

The root user account is supposed to be used to administer the system not operate it.

You can use the sam restricted shell and grant password reset power to an operator user and let them use sam to reset the password.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Patrick Wallek
Honored Contributor

Re: avoid lost password

>>>There is no reason to use root to reset user IDs.

root is the only id that can reset other users' passwords.

>>>The root user account is supposed to be used to administer the system not operate it.

Passwords are part of sys admin, at least in my mind.

>>>You can use the sam restricted shell and grant password reset power to an operator user and let them use sam to reset the password.

This is just doing what it needs to do as root in the background.
Ralph Grothe
Honored Contributor

Re: avoid lost password

Just to take up Torsten's suggestion,
sudo is really making this easy by avoiding the mess more than one super user accounts are prone to cause, and with the added benefit of logging.

Grab ixSudo from HP's Internet Express
because it is easiest to install.

In the provided sudoers file, which you must edit only via visudo,
there are already rules for a group called wheel
(I think they have adopted this naming from FreeBSD).
If it doesn't already exist, create it with groupadd wheel.
Then add any user who occasionally requires root privileges to group wheel (usermod -G wheel ),
and uncomment either of these two (depending on whether you want your users to authorize by their password or not (for the latter the NOPASSWD stanza would apply)).
Of course you are free to do this with any other group name if you don't fancy wheel.

# grep wheel /opt/iexpress/sudo/etc/sudoers
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
Madness, thy name is system administration