Operating System - HP-UX

Can't su to root when password is expired!

 
Michel Dijkhuizen
Occasional Advisor

Hello there,

I have a hp9000 server running trusted hp-ux 11.00. I set expiration to the root password and I restricted root to login only from the console (etc/securetty). So, I only can use root doing a su to root from another user. When the root's password is expired and I want to change it I can't su to root. It replies with "Sorry" when I type the password. Only logging in with root from the console works and I'm able to change the password. The problem is that the server's console is at another location from the support centre. So a nice long ride .....!!!!

Does anyone know this problem and have the right solution? I want to keep the trusted options as they are!

Best regards,
Mies
harry d brown jr
Honored Contributor

Re: Can't su to root when password is expired!


That's just the way it is.

The solution is a WEB Console:

http://www.raritan.com/public/catalog/product.aspx?pid=43

The product was made by Arula (once part of HP) and now owned by Raritan.

live free or die
harry
Live Free or Die
Ricardo Bassoi
Regular Advisor

Re: Can't su to root when password is expired!


Hi
Try editing the /etc/passwd file. Remove the password field. You can log in to the user login without a password. You can assign a new password.

Regards,


Ricardo
If you never try, never will work
harry d brown jr
Honored Contributor

Re: Can't su to root when password is expired!

Ricardo,

Not if the user is "root" and the /etc/passwd file is correctly permission'ed.

live free or die
harry
Live Free or Die
Ravi_8
Honored Contributor

Re: Can't su to root when password is expired!

Hi Mies

Using a web console you can achieve this.
never give up
Juan Manuel López
Valued Contributor

Re: Can't su to root when password is expired!

On a trusted system the root password is not in the password file.
It is in /tcb/files/auth/r/root
Edit this file and delete all the characters between the ':' signs.
Try to log on again.
I hope this helps you.

Do not forget to give us points.

Thanks

Juanma.
I would like to lie on a beautiful beach spending my life doing nothing, so somebody has to do this job.
Martin Johnson
Honored Contributor

Re: Can't su to root when password is expired!

This is one of the reasons we set up a pseudo root account (username, password, UID=0). With the pseudo root account we can reset the root password.


HTH
Marty
David_246
Trusted Contributor

Re: Can't su to root when password is expired!

Hi Mies,

Did you ever try to do "/sbin/passwd root" from your own account?
Normally you have to type root's password now and change it. Never tried it, but can't see why it wouldn't work. Or if you set it to disable you have a feature (within SAM) that does not disable your account immediately when expiring.

And yes of course, if you have a remote location you should work with a terminal server or web-console. What if your system is in trouble? Will you take the plane then?

Regs David
@yourservice
Christian Gebhardt
Honored Contributor

Re: Can't su to root when password is expired!

Hi
If you are using ssh (urgently recommended) with public/private key authentication you have access to the machine beside the password.


Chris
Michael Tully
Honored Contributor

Re: Can't su to root when password is expired!

The simplest solution is to install 'sudo'.

Using

$ sudo su
password:

gives you root access, once the tool is configured properly. There is no need to have an alternative account with uid=0 (dangerous as far as I'm concerned) and you can safely store away 'root' passwords until they need to be changed, without too many people knowing what they are.

You can get 'sudo' from here:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
Anyone for a Mutiny ?
Rajeev  Shukla
Honored Contributor

Re: Can't su to root when password is expired!

There are 3 options.
One to buy a webconsole.
Second to install third party software like sudo.
The last, best and cheapest is to write a C program that does a setuid to root but before that checks for your uid and allows only you to switch to root. So that way no one can really switch to root other than you or they crack your password.
Let me know if you need any more help in writing that setuid program (also the events can be logged in a file).

Cheers
Rajeev
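
An added example (not Rajeev's program and not code posted in this thread) of the UID-checked setuid gate described above, narrowed here to running `passwd root` instead of opening a root shell. `ALLOWED_UID`, the `TARGET` path and the `rootgate` log tag are assumptions to adapt to the system.

```c
/* Added example: setuid-root gate that lets ONE real UID reset root's password.
 * ALLOWED_UID, TARGET and the "rootgate" tag are assumptions, not thread values. */
#include <stdio.h>
#include <syslog.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_UID ((uid_t)1001)      /* assumed UID of the one admin */
#define TARGET      "/usr/bin/passwd"  /* assumed absolute path of passwd */

/* Fixed argv and environment: nothing supplied by the caller (PATH, IFS,
 * loader variables, extra arguments) reaches the privileged program. */
static char *const TARGET_ARGV[] = { "passwd", "root", NULL };
static char *const CLEAN_ENV[]   = { "PATH=/usr/bin:/sbin", NULL };

/* Decide on the real UID (who started us). The setuid bit changes only the
 * effective UID, and $USER/$LOGNAME are caller-controlled, so neither is used.
 * Every decision is logged. Returns 0 = allow, -1 = deny. */
int gate(uid_t real_uid)
{
    openlog("rootgate", LOG_PID, LOG_AUTH);
    if (real_uid != ALLOWED_UID) {
        syslog(LOG_WARNING, "DENIED real uid=%ld", (long)real_uid);
        closelog();
        return -1;
    }
    syslog(LOG_NOTICE, "granted real uid=%ld: %s root", (long)real_uid, TARGET);
    closelog();
    return 0;
}

int main(void)
{
    if (gate(getuid()) != 0) {
        fputs("Sorry\n", stderr);
        return 1;
    }
    /* Set real, effective and saved UID to 0; stop if that fails
     * (for example when the binary is not installed setuid root). */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execve(TARGET, TARGET_ARGV, CLEAN_ENV);  /* absolute path, no PATH search */
    perror("execve");                        /* reached only if exec failed */
    return 1;
}
```

Install it owned by root with mode 4750 and a group that contains only that admin, so file permissions back up the UID check.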
Richard Ace_1
Advisor

Re: Can't su to root when password is expired!

I had a similar problem with expired accounts as well. I found that I could reset the expiry on the accounts "all accounts" by running

(homer) # /usr/lbin/modprpw -V
System is not trusted.
(homer) #

This was run on a Trusted System running HP-UX 11.0 unlike my test server above that I have just demonstrated on.

Obviously you must consider your Company Policies.

This allowed me to gain access to the expired account.

As I say it worked for me.

I am not sure this is your requirement but should give access by un-expiring the account.

Cheers

Rich
Michel Dijkhuizen
Occasional Advisor

Re: Can't su to root when password is expired!

Thanks to all responders,

I will test the following options:

Install and test sudo and write a small C program that does setuid 0.

Special thanks to Michael and Rajeev

See yah.