HPE Community
Operating System - HP-UX
1827286 Members
3760 Online
109717 Solutions
New Discussion

Root account disabled ;-(

 
SOLVED
Go to solution
Emanuele_4
Regular Advisor

‎11-11-2003 07:25 PM

‎11-11-2003 07:25 PM

Root account disabled ;-(

Hello everybody!

I've a BIG BIG problem!!

Yesterday I converted my HPUX 11 system to Trusted system.
Everything went fine...I'm testing the policy ecc ecc...but everything is ok.

This morning I inserted the wrong password for root (3 times) and the system told me the root account was disabled. I should ask to the administrator! ;-))))

How can I access the system?!?

Please...this is a very big problem!

Thanks in advance to anybody!

Emanuele
0 Kudos
Reply
11 REPLIES 11
Massimo Bianchi
Honored Contributor

‎11-11-2003 07:29 PM

‎11-11-2003 07:29 PM

Solution

Re: Root account disabled ;-(

HI,
to re-enale root, you must login at the console directly, that is allowed.


Other possibility:

- another account with super user capability to change password

- sudo, have you got it ?

- rlogin, have you got it ?

- ssh, have you got it ?

- reboot in single user and change password...

Massimo
Reply
Francesco Campalastri
Frequent Advisor

‎11-11-2003 07:34 PM

‎11-11-2003 07:34 PM

Re: Root account disabled ;-(

Massimo is right.
I think the only way is reboot in single user mode.

When you go to trust system you have to:

1) Disable password aging immediatly
2) Keep a root session open.

I still do not know why but root user in trusted mode got disable after time.
0 Kudos
Reply
Elmar P. Kolkman
Honored Contributor

‎11-11-2003 07:46 PM

‎11-11-2003 07:46 PM

Re: Root account disabled ;-(

I would go for the other options first, because: how do you reboot the right way without being able to login as root?

What solutions work depends entirely on your system setup.

If you need to reboot, try to shutdown as many applications with the users still working.
Every problem has at least one solution. Only some solutions are harder to find.
0 Kudos
Reply
Emanuele_4
Regular Advisor

‎11-11-2003 07:47 PM

‎11-11-2003 07:47 PM

Re: Root account disabled ;-(

Thank you very much!
The problem has been already resolved.

I run (!!) to CED, I made login from console, changed and rechanged back the pwd, et voila, evrything is fine!

Now, for future, can I ask something about the other possibilities you suggested me?

1) another account with super user capability to change password

You mean users with uid set to 0?
In this case I read it's not suggested to have many uid0 users...
In any case I don't have other superuser users.

2) sudo, have you got it ?

No...how is this possible?
Shouldn't I have this command???

3) rlogin, have you got it ?

Yes, it has been the first choice.
I login from another server, rlogin on the blocked server...but it gave me no access because of "disabled account"...

3) ssh, have you got it ?

No, but you're right...I'm planning to use it asap

4) reboot in single user and change password...

I was terrified...but I was thinking at this choice as the only one useful.
Fortunately...I was forgetting the console choice! ;-)

Thank you for the very quick answer...10 points for you! ;-)
quick and resolutive!
0 Kudos
Reply
Robert-Jan Goossens
Honored Contributor

‎11-11-2003 07:54 PM

‎11-11-2003 07:54 PM

Re: Root account disabled ;-(

Hi Emanuele,

-1- yes another uid 0

-2- sudo
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.7p5/

-3- ssh
http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

-3- rlogin in combination with a .rhosts file for one user.

Hope it helps,
Robert-Jan.
0 Kudos
Reply
Elmar P. Kolkman
Honored Contributor

‎11-11-2003 08:01 PM

‎11-11-2003 08:01 PM

Re: Root account disabled ;-(

One other thing: don't login as root, just do su or sudo to that Super account. That way the root account can not be blocked... And in an environment with multiple administrators, it is easier to find out who has done what.
Every problem has at least one solution. Only some solutions are harder to find.
0 Kudos
Reply
Victor BERRIDGE
Honored Contributor

‎11-11-2003 08:45 PM

‎11-11-2003 08:45 PM

Re: Root account disabled ;-(

Hi,
Now you are in trusted, to be sure nobody deactivates the root account else then root by trying to log in add /etc/securetty file with the word console in it and give yourself and to people you trust the right to reboot the system (and more why not) through restricted sam (sam -r)so you can reboot in single user if needed...

All the best
Victor
0 Kudos
Reply
Emanuele_4
Regular Advisor

‎11-11-2003 09:46 PM

‎11-11-2003 09:46 PM

Re: Root account disabled ;-(

Thanks to all.
I'm learning so much due to the forum!

I'm thinking to use /etc/securetty to block access tentative from other users than root.

where can I find docs about the securetty use?

Bye

Emanuele
0 Kudos
Reply
john korterman
Honored Contributor

‎11-11-2003 09:50 PM

‎11-11-2003 09:50 PM

Re: Root account disabled ;-(

Hi,
you can find information about the use of /etc/securetty in the man page for login.

regards,
John K.
it would be nice if you always got a second chance
0 Kudos
Reply
Victor BERRIDGE
Honored Contributor

‎11-12-2003 05:11 AM

‎11-12-2003 05:11 AM

Re: Root account disabled ;-(

securetty is there to stop people loin as root by allowing only connections to what described in the file, so the best is only console, and to do so just create a file called securetty in /etc with just the word console, I change the perms to bin:bin (I put also myself in group bin...) and chmod 440 securetty
Et voila

Good luck

P.S.
Dont forget sam -r...
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎11-12-2003 05:15 AM

‎11-12-2003 05:15 AM

Re: Root account disabled ;-(

when the root account is locked by too many passwords a console login usually unlocks the account.

Also see this command.

$1 is the user name.

echo "Rseetting user ${1}"
/usr/lbin/modprpw -l -k $1

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.