
How to shut down HP-UX 10.20 without root's privilege?

 
Rashid Ali
Frequent Advisor

Does anybody know how I can shut down HP-UX 10.20 without root's privilege? I encountered a problem where root's account was disabled and nobody has the right to reboot the system.

Thanks in advance for any input.
23 REPLIES
Denver Osborn
Honored Contributor

You can vi /etc/shutdown.allow and add the following entry:
hostname username

The permissions of /etc/shutdown.allow should be 644 bin:bin. The user from the specified host will be allowed to execute shutdown.
If you add an entry to the file don't forget to make root from this host one of them.

Hope this helps!
-denver
Russell Davy
Advisor

Although this query was answered above, I would like to ask if this is a VVOS system. If the root access is disabled, log in as the security officer and vi /tcb/files/auth/r/root and put an @ next to u_lock; this removes the user lock.

Nice little hack...
MND
Satish Y
Trusted Contributor

Hi,

Both of the above solutions need root privileges, i.e., for modifying /etc/shutdown.allow and /tcb/files/auth/r/root. But you are saying that root's account has been disabled.

Only two solutions I can suggest:

1) If any other user has privileges to shut down, you can do it from that user.

2) Otherwise hard boot it, bring it into single-user mode, enable the root account and then reboot the machine. But a hard boot is not a safe one.

3) Boot it from CD.

Cheers....
Satish.
Difference between good and the best is only a little effort
Russell James Davy
New Member

Right on that one IF the system is simply trusted/untrusted HP-UX box, I agree with the support CDROM idea.

Just a quickie though, I locked myself out of my VVOS as root, and unlocked the account by doing the edit on the root file in /tcb/files/auth/r logged in as the security officer account... bug or feature?
Saved me a rebuild.
MND
Steven Sim Kok Leong
Honored Contributor

Hi,

If your "account is disabled" due to either too many incorrect attempts or password expiry, remote root login is not allowed but root login at the console will still be allowed. Once logged in, reactivate your root account using sam.

If you have "forgotten your root password", try to do a cold reboot, i.e. power on-off. Press any key to continue when you see this message. Specify at the boot prompt:

> boot pri isl
isl> hpux -is

This will bring you to single-user mode. Depending on your setup, you may or may not be prompted for a login password.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Rashid Ali
Frequent Advisor

Thank you very much for the useful advice.
Eventually I did a hard boot (which meant I had to fsck most of the file systems, and fortunately there was no major corruption), and somehow could log in to single-user mode without a password prompt.

My system is a trusted system which I just implemented a few days ago. I am just curious what will happen and what I can do if booting into single-user mode requires root's password.

Another thing is I tested locking one user "kslwlk" and found out the changes it has made as below, because I dare not to purposely disable root's id.
# diff /tcb/files/auth/k/kslwlk /tmp/kslwlk.locked
6c6,7
< :u_unsuclog#982313126:u_unsuctty=pts/0:u_lock@:chkent:
---
> :u_unsuclog#982313126:u_unsuctty=pts/0:u_numunsuclog#6:u_lock@:> :chkent

It looks like the actual difference is "u_numunsuclog#6:". Does anybody know how to interpret it?

The last question I want to ask is whether there is really such a feature that even if someone purposely attempts to log in as root, the system disables root's id only for remote login, but still allows login as root from the console. How can I do that? If not, this may not be called a feature of a trusted system, especially when it happens on root. It should be called a bug.

Russell provides an idea which grants write access to /tcb/files/auth/r/root for a special account "security officer". That is also a good idea. But what will happen if this id was also disabled?


Steven Sim Kok Leong
Honored Contributor

Hi,

"u_numunsuclog#6:" indicates that the number of unsuccessful attempts to login due to incorrect password is 6.

There is indeed such a feature that even if someone purposely attempts to log in as root, the system disables root's id only for remote login, but still allows login as root from the console.

This is not a bug. You will still be prompted for the password regardless of whether your root account is disabled or not.

The purpose of disabling the root account is to prevent further guessing of the root password. It is most unlikely for someone to attempt password-guessing at the console without being physically caught in comparison with someone attempting from remote.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
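
The field syntax discussed in the posts above (u_lock@, u_numunsuclog#6), shown as an added example that is not part of any post: a small POSIX shell/awk reader for such an entry. The function names, the result strings and the threshold of 5 are assumptions of this example, and the sample entries are constructed from the diff quoted in the thread.

```sh
#!/bin/sh
# Added example: read fields from an HP-UX trusted-system (TCB) user entry.
# Syntax as seen in the thread: ':'-separated fields, name#N is a number,
# name=S a string, a bare name is a set flag and name@ a cleared flag.

# tcb_field ENTRY NAME: print the field's value ("true"/"false" for flags);
# print nothing and return 1 when the field is absent.
tcb_field() {
    printf '%s' "$1" | tr -d '\\\n\t' | awk -v want="$2" '
        BEGIN { RS = ":"; rc = 1 }
        $0 == "" { next }
        {
            if (match($0, /[#=@]/)) {
                name = substr($0, 1, RSTART - 1)
                kind = substr($0, RSTART, 1)
                val  = substr($0, RSTART + 1)
            } else { name = $0; kind = ""; val = "" }
            if (name != want) next
            if (kind == "@")     print "false"
            else if (kind == "") print "true"
            else                 print val
            rc = 0; exit
        }
        END { exit rc }'
}

# tcb_lock_state ENTRY MAXTRIES: summarise the lock-related fields.
# MAXTRIES comes from the caller; comparing u_numunsuclog against it is an
# assumption of this example, as are the three result words.
tcb_lock_state() {
    lock=$(tcb_field "$1" u_lock) || lock=false
    tries=$(tcb_field "$1" u_numunsuclog) || tries=0
    case $tries in ''|*[!0-9]*) tries=0 ;; esac
    if [ "$lock" = true ]; then echo "lock-flag-set"
    elif [ "$tries" -ge "$2" ]; then echo "too-many-failures($tries)"
    else echo "ok($tries)"
    fi
}

# Constructed samples built from the two sides of the diff in the thread
# (the backslash-newline mimics a continued line; threshold 5 is made up).
BEFORE=':u_unsuclog#982313126:u_unsuctty=pts/0:u_lock@:chkent:'
AFTER=':u_unsuclog#982313126:u_unsuctty=pts/0:u_numunsuclog#6:u_lock@:\
	:chkent:'
tcb_lock_state "$BEFORE" 5
tcb_lock_state "$AFTER" 5
```

Both sample entries carry u_lock@, so the only thing that distinguishes the locked account is the failure counter, which is why the reader reports the counter separately from the lock flag.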
Victor BERRIDGE
Honored Contributor

Hi,
Since your system is trusted, as mentioned above a disabled root account still lets you connect at the console IF you know the correct passwd (that means no one changed it...).
I would suggest as now you have unblocked your situation, that you use SAM, and define some users that can shutdown your machine, I have 3 accounts that can shutdown the machine...
Go to users, select a user, then in Action menu, choose modify security policies / general user Account policies/ Authorize use to boot single-user state:yes

Good luck
Victor
Rashid Ali
Frequent Advisor

Regarding Steven's comments, may I know how I can set this feature? My machine is a 715 workstation. I logged in from the graphic console and just locked the screen and went home. Next day I found I could not unlock the screen and it said root's account was disabled. I tried to log in from a remote machine and also got the same error message.

I have another question: how can I disable login as root from remote (but still be able to su to root) and only allow login as root from the console?
Rashid Ali
Frequent Advisor

Does anybody know what else may also cause the system to disable root's account besides too many failed attempts to log in as root? I have already set the number of unsuccessful login tries allowed to 20 and I still got root's account disabled. Why?
Steven Sim Kok Leong
Honored Contributor

Hi,

Other than incorrect attempts at the root password, the other possibilities include password expiration. Check your password policy via SAM that you do not have any of the restrictions set exceeded.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Steven Sim Kok Leong
Honored Contributor

Hi,

After you log in at the console of the graphic workstation that has your root account disabled, did you _re-activate_ your account using SAM?

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Rashid Ali
Frequent Advisor

My workstation is using CDE on the system console; is that the reason why I can't log in from the console when root's account is disabled?
What can I do in this case?
Steven Sim Kok Leong
Honored Contributor

Hi,

With CDE, click on "Options" and select the "Command-line login" (I cannot recall the exact words off-hand). This will bring you to the text console mode at the graphical console.

Once logged in, run SAM, reactivate your account, log out and wait for CDE to come back up; subsequent logins should be fine.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Rashid Ali
Frequent Advisor

But by the time root's account was disabled, you are already inside CDE. And once root's account is disabled you can no longer select any options. Maybe it is because I usually locked the screen on the graphic console running CDE after I logged in as root, and after that I got account disabled when I tried to log in next time.

Does it make any difference between these two scenarios that cause root's account disabled in that particular file /tcb/files/auth/r/root? How can I reactivate the account if I have another root's session on remote machine? I run /usr/lbin/modprpw -k root and it doesn't work in case when the root's account was disabled because of expired root's password.
Rashid Ali
Frequent Advisor

Very strange! I found that my root's account was only disabled on the system console with CDE and I can login from any remote PC as root!
How to fix this in this case? In SAM I can't see any signs that root's account has been disabled and that's why I don't know how to reactivate it.

Steven Sim Kok Leong
Honored Contributor

Hi,

What software are you using to remote login to your server? Is it just telnet or ssh?

Note that there have been known problems with older versions of ssh not integrating with HP-UX's TCB properly, resulting in passwords that never expire from an ssh remote login but do expire when using telnet remote login or console login.

Are you able to login remotely now?

If you are already lockscreen'ed, then you have no choice but to cold-reboot the workstation.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Rashid Ali
Frequent Advisor

I can login from REMOTE as root but still cannot login from the console. Is there any way to fix this problem?
Steven Sim Kok Leong
Honored Contributor

Hi,

I suppose there is not the slightest chance that the Caps Lock key was activated? In addition, I do not suppose you also have included some special keyboard characters in your password?

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Denver Osborn
Honored Contributor

If the access from just the console was locked out due to too many failed attempts, unlock it with the following command.

# /usr/lbin/modprterm -m locktrm=NO /dev/console

To verify if it is locked or not use this command.
# /usr/lbin/getprterm -r -m locktrm /dev/console

I'm going off of memory here and unable to test for myself at the moment, but I think the options are right.

Another thing to look for would be the /etc/securetty file. If this file exists but DOES NOT contain /dev/console, root will not be allowed to log in directly from the console. If you want root to only log in from the console you could create /etc/securetty with a single line reading /dev/console. I'd give it permissions of 444.

Hope this helps!
-denver
Denver Osborn
Honored Contributor

One other thing...

If you look in /tcb/files/ttys there will be an entry for console. If it is locked then I think it would contain a 't_lock@:' entry. The modprterm syntax above should change that to 't_lock:'
Rashid Ali
Frequent Advisor

I run "/usr/lbin/getprterm -r -m locktrm /dev/console " and it returns "NO"
The file /etc/securetty does not exist.
grep -i lock /tcb/files/ttys returns nothing.
Maybe I need to reboot the system.
Anybody got any idea?
Rashid Ali
Frequent Advisor

Can you imagine, now I can log on from the console as root immediately after I reboot the system? It sounds so strange; does anybody know how the system can behave like that?