Operating System - HP-UX
TKeller
Frequent Advisor

Lockout question between two boxes

Brief rundown: we have two HPUX boxes, one that's production and one that's our disaster recovery box in Las Vegas. Every day, a replication process occurs and migrates daily data from production to disaster recovery.

Problem: since nobody logs into DR often, their accounts have been locked out. Root's own account has been locked out, and so have two other accounts (mine and another sysadm) who have sudo access to fix the problem.

I've been able to use the web console (yeah, it's old enough) but physical access to the box is next to impossible (for me).

I've gotten in on the web console, interrupted the boot sequence, and got in with "hpux -is". Still can't log in as root, even though we have the password. Any ideas?
It is said you should treat your body like a temple. I treat mine like an amusement park.
Victor BERRIDGE
Honored Contributor

Re: Lockout question between two boxes

Hi,
Are you sure you have no active /etc/securetty with strange things in it?
We must know if your system is trusted, and what OS / platform we are talking about (in case of patches etc...)

Are you using NIS or something alike?


All the best
Victor
Marvin Strong
Honored Contributor

Re: Lockout question between two boxes

If you got in at single user, did you unlock or reset root's passwd?

From single user, since you can get in that way, if your box is trusted (sounds like it):

use modprpw to unlock root's account. I think it's modprpw -k root, but verify that with the manpage. You can use getprpw to display the account settings.



TKeller
Frequent Advisor

Re: Lockout question between two boxes

The DR box doesn't have any trusted accounts, whether it means rhosts, ssh's known_hosts, etc. Even though I got to break the bootmode and go into what I thought was single-user mode, it still prompted me for a username and password. What might I be missing? Thanks!
Victor BERRIDGE
Honored Contributor

Re: Lockout question between two boxes

Hi again,

Is your production box trusted then? From what I see, there is no reason on a box to have accounts getting disabled if no one has put a policy in place...But as you mentioned there is a replication every day...
A way to know where you are: if you can connect as a user, what do you see in /etc/passwd?
Something like which of these 3 lines:
hgr:x:204:150:,,,:/home/hgr:/usr/bin/ksh
bonos:*:2013:20:,,7602,:/users/bonos:/usr/bin/sh
fpo:Csk7LxCVXISQ6:203:20:,,,:/home/fpo:/usr/bin/ksh

Victor
P.S.
Have you ever thought the passwd file can get corrupted?
Yang Qin_1
Honored Contributor

Re: Lockout question between two boxes

Did you try to boot the server to maintenance mode with hpux -lm and then mount the lvols you may need in order to change the root password?

Regards,
Yang
TKeller
Frequent Advisor

Re: Lockout question between two boxes

Hi again,

The replication we do is a cronjob and up until about 2 months ago, I had been logging in regularly. The same production box sends out all the information for users to a number of other boxes, all of which are able to be logged into. Just this one is not used by us much, there's never been a reason to log in daily, and now we're definitely suffering the consequences. I'm going to experiment with the single-user mode and see if there's anything I missed. I'll report back here as soon as possible. Thanks again all!
Bill Hassell
Honored Contributor

Re: Lockout question between two boxes

There is a feature in /etc/default/security that will require the root password for single-user mode. Since it is a replication server, I am assuming that the 2 boxes are the same. Look at this file to see if single-user mode requires a password -- then reevaluate the security needs versus risk.

As far as lockout goes, there are two password lifetime values, and one can lock out an account after non-usage. Make sure that value is set high enough (8 months?). After all, you'll be patching every 6 months, so that will refresh the login. You can use modprpw to refresh all the passwords (i.e., make the time since last activity = zero) with a single command:

/usr/lbin/modprpw -V

Putting that in cron for a once a month run should fix the problem.


Bill Hassell, sysadmin
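Before unlocking with modprpw it helps to know why a trusted-system account is locked, since an inactivity lock and an admin lock call for different fixes. The following is an added example, not code from this thread or from HP: a small POSIX sh helper that decodes the 7-bit lockout field that `getprpw -m lockout <user>` prints. The bit meanings are taken from my reading of getprpw(1M) and should be verified against the man page on your release; the sample output is constructed, not captured from a real box.

```shell
#!/bin/sh
# Decode the "lockout=NNNNNNN" field from getprpw on a trusted HP-UX system.
# Bit positions (per getprpw(1M); verify on your release):
#   1 past password lifetime            5 password required but null
#   2 past last-login time (inactive)   6 administrator lock
#   3 past absolute account lifetime    7 password field is '*'
#   4 exceeded unsuccessful login attempts
# Constructed sample, in the "user: <getprpw output>" shape built below:
SAMPLE_GETPRPW='root: lockout=0100000
tkeller: lockout=0100000
backup: lockout=0000010
ops: lockout=0000000'

lockout_reasons() {   # $1 = 7-char lockout mask; prints reasons, comma-separated
    mask=$1; out=""; i=1
    while [ "$i" -le 7 ]; do
        bit=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$bit" = 1 ]; then
            case $i in
                1) r="password lifetime expired" ;;
                2) r="inactive (past last-login time)" ;;
                3) r="absolute account lifetime expired" ;;
                4) r="too many failed logins" ;;
                5) r="null password where one is required" ;;
                6) r="administrator lock" ;;
                7) r="password field is *" ;;
            esac
            out="${out:+$out, }$r"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out:-not locked}"
}

report_locked() {  # reads "user: lockout=NNNNNNN" lines on stdin; prints locked users
    while IFS= read -r line; do
        user=${line%%:*}
        mask=${line##*lockout=}
        reasons=$(lockout_reasons "$mask")
        [ "$reasons" = "not locked" ] || printf '%s\t%s\n' "$user" "$reasons"
    done
}

# On a live trusted system, feed real output instead of the sample, e.g.:
#   for u in $(cut -d: -f1 /etc/passwd); do
#       printf '%s: ' "$u"; /usr/lbin/getprpw -m lockout "$u"
#   done | report_locked
printf '%s\n' "$SAMPLE_GETPRPW" | report_locked
```

Accounts reported as "inactive" are the ones a monthly `modprpw -V` cron job (as Bill suggests) would keep from locking; an "administrator lock" is a deliberate setting and should be reviewed rather than bulk-cleared.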
TKeller
Frequent Advisor

Re: Lockout question between two boxes

We were able to get in with one person's account who had sudo access to unlock my account and then I got everyone else. The modprpw definitely proved to be helpful! Thanks all!