Operating System - HP-UX

password for single user mode

 
manny_6
Occasional Contributor


I have a D class server which I can boot to single user mode without entering the root password. Can this be made to request the password?

thanks
manny.
9 REPLIES 9
Michael Tully
Honored Contributor

Re: password for single user mode

If you set up your system as 'trusted' this can be achieved. There is an additional item which must be done, and that is to have the flag checked for password required in single user mode. The easiest way to do this is by using sam. Be aware of the consequences of trusting your system. Applications may have problems, and all passwords will expire immediately, including the root account.
Anyone for a Mutiny ?
Elmar P. Kolkman
Honored Contributor

Re: password for single user mode

And mind the characters used in the root password. Some characters can give you problems because of the default stty settings, like hashes ('#'). Only use alphanumeric (upper- and lowercase characters, combined with numbers) and perhaps simple characters like spaces should work.
Every problem has at least one solution. Only some solutions are harder to find.
MarkSyder
Honored Contributor

Re: password for single user mode

Hi Manny,

Another point to bear in mind.

When I started my current job we had a server with a newly changed password, but no one knew what it was. The only way to rectify this was to boot the server in single-user mode so I could set the password.

I would advise against forcing the use of a password to enter single-user mode.

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
John Carr_2
Honored Contributor

Re: password for single user mode

If the server is located in a secure area, i.e. a data centre, then there is little benefit to doing this. If the system is physically accessible to general users then it may well be.

John.
Todd McDaniel_1
Honored Contributor

Re: password for single user mode

I agree with Mark S. DO NOT require password at single if you can help it. I would suggest restricting those who know the root password and change it often, every month or 2 and make sure only those who NEED it have it.

As Mark says, you will be stuck if the password ever gets changed and you can't log in via single and change it...

In that case it would require rebooting to an ignite recovery tape, very messy.
Unix, the other white meat.
Alan Turner
Regular Advisor

Re: password for single user mode

Set the system to trusted mode, then use SAM to set up the general user account policies to require a password for boot to single user mode.
I've not noticed everyone's password expiring on switching to trusted mode, but one gotcha is if anyone's untrusted password is longer than 8 chars, it won't work on the trusted system (something about untrusted ignoring the chars > 8, but trusted mode not ignoring them).
By default, root and no-one else can boot to single user mode.
I'd advise creating an extra user, with the shell set to /usr/bin/false, which you then change to also be able to boot the system to single user mode. Edit the account for this user so max tries = custom (set to 99). This lets the extra user log in for single user mode, but not normally.
Also consider setting the root account to 99 tries before the account is locked.
Sorry I can't give actual SAM menu options - I'm at home.

By the way, allocating points to replies would be a nice way of acknowledging your colleagues' attempts to help.
Suresh Patoria
Super Advisor

Re: password for single user mode

Hi,

You have to convert the OS to trusted mode.

Thanx
Dietmar Konermann
Honored Contributor

Re: password for single user mode

Manny,

for 11.11 there is a new free enhancement that allows securing the single user runlevel without converting to trusted mode.

BOOTAUTH11i

Boot Authenticator for Standard Mode of HP-UX

A site's security policies may require users to authenticate before they can boot the system into single-user mode. Previously, this feature was only available on a system that had been converted to Trusted Mode. This product now provides such a secure single-user mode with root password protection, but without the overhead of converting the system to trusted mode.

It's downloadable from software.hp.com. BTW, I agree with the other comments above... usually it doesn't make sense to protect the single user mode with a password.

Best regards...
Dietmar.
"Logic is the beginning of wisdom; not the end." -- Spock (Star Trek VI: The Undiscovered Country)
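
An added example, not part of the thread or of any HP product: a small audit check that reports whether single-user boot authentication is switched on in a standard-mode security defaults file, and whether only root may authenticate (the lockout risk raised in the replies above). It assumes the attribute names `BOOT_AUTH` and `BOOT_USERS` in `/etc/default/security` as described in security(4); confirm them against the man page on your release. The sample file contents are constructed.

```shell
#!/bin/sh
# Audit single-user boot authentication in a security defaults file.
# File format assumed: NAME=value lines, '#' starts a comment.
# Assumption: attribute names BOOT_AUTH / BOOT_USERS per security(4).

# get_attr FILE NAME -> prints the value of NAME (empty if unset).
# If NAME is assigned more than once, the last assignment is reported
# (a choice made for this example).
get_attr() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# boot_auth_status FILE -> prints one of:
#   disabled             no password needed to reach single-user mode
#   enabled-root-only    only root can authenticate (lost root password
#                        means recovery from install/recovery media)
#   enabled-extra-users  other accounts are listed in BOOT_USERS
boot_auth_status() {
    auth=$(get_attr "$1" BOOT_AUTH)
    users=$(get_attr "$1" BOOT_USERS)
    [ "$auth" = "1" ] || { echo disabled; return 0; }
    # When BOOT_USERS is unset, root is treated as the only boot user.
    [ -n "$users" ] || users=root
    case "$users" in
        root) echo enabled-root-only ;;
        *)    echo enabled-extra-users ;;
    esac
}

# Constructed sample input (hypothetical account name "bootadm").
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'BOOT_AUTH=1' 'BOOT_USERS=root,bootadm' > "$sample"
echo "sample file: $(boot_auth_status "$sample")"
rm -f "$sample"
```

On a real system, call `boot_auth_status /etc/default/security` and treat `enabled-root-only` as a prompt to document a recovery path before relying on it.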
Saurav_1
Valued Contributor

Re: password for single user mode

The best solutions have been given. Hope your problem is solved. Pls assign points accordingly.

Saurav