Operating System - HP-UX

Rpger Tavener
Occasional Advisor

Root expiration with Trusted system

Is there any chance of having root's account disabled in a trusted system? Does "maximum period of inactivity" mean anything for the root account?
When the only tool you own is a hammer, every problem looks like a nail!
6 REPLIES
Victor BERRIDGE
Honored Contributor

Re: Root expiration with Trusted system

Hi,
root account is like any other on a trusted system: if you leave the default settings, after 3 unsuccessful attempts the account is disabled...
This is the main reason why I use /etc/securetty to force people having to use su to root, and change to 6 the attempts AND give myself the privilege to shutdown the boxes...


All the best

Victor
Sridhar Bhaskarla
Honored Contributor

Re: Root expiration with Trusted system

Hi Roger,

There is plenty of chance for the root account to be disabled on a trusted system. If there are more than the number of bad attempts set, it will be disabled. And most of the time we find the root account disabled on the trusted systems due to this feature.

You can set the Unsuccessful Login Tries Allowed to a required number and customize the Maximum period of Inactivity too.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Craig Rants
Honored Contributor

Re: Root expiration with Trusted system

Roger,
There are many things that can happen to the root account on a trusted system. Look at your rules to see what is set for that account. Also, if the lifetime is expired you may even be forced to change the password. That may cause you to have to edit the /tcb/files/auth/r/root file and remove the encrypted password in the u_pwd line. That can be risky however so only do it if you have to.
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
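Before hand-editing the file mentioned above, the entry can be inspected read-only to see why root is locked. The following is an added example, not code from any poster in this thread; the sample entry is constructed, and every field name other than u_pwd is an assumption based on the prpwd(4) entry format, so check it against the file on your own system.

```shell
#!/bin/sh
# Read-only inspection of a trusted-system entry (added example).
# SAMPLE_ENTRY is constructed. On a real host the entry would be read,
# as root, from /tcb/files/auth/r/root. Never print u_pwd in reports.
SAMPLE_ENTRY='root:u_name=root:u_id#0:\
	:u_pwd=CONSTRUCTED.HASH:\
	:u_maxtries#3:u_numunsuclog#4:\
	:u_lock@:chkent:'

# prpw_field ENTRY NAME: print the value of field NAME.
#   name#N -> N, name=S -> S, bare name -> true, name@ -> false,
#   absent -> prints nothing.
prpw_field() {
    # Drop continuation backslashes, newlines and tabs, then split on ':'.
    printf '%s' "$1" | tr -d '\\\n\t' | tr ':' '\n' | awk -v k="$2" '
        $0 == k               { print "true";  exit }
        $0 == k "@"           { print "false"; exit }
        index($0, k "#") == 1 { print substr($0, length(k) + 2); exit }
        index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# root_lock_state ENTRY [DEFAULT_MAXTRIES]: print one of
#   locked-by-admin | locked-by-failures | ok
# Assumptions: a limit of 0 (or no limit and no default given) means
# "no limit", and the account locks once failures reach the limit.
root_lock_state() {
    max=$(prpw_field "$1" u_maxtries)
    bad=$(prpw_field "$1" u_numunsuclog)
    max=${max:-${2:-0}}   # fall back to the system default passed as $2
    bad=${bad:-0}
    if [ "$(prpw_field "$1" u_lock)" = true ]; then
        echo locked-by-admin
    elif [ "$max" -gt 0 ] && [ "$bad" -ge "$max" ]; then
        echo locked-by-failures
    else
        echo ok
    fi
}

root_lock_state "$SAMPLE_ENTRY"
```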
Roger Baptiste
Honored Contributor

Re: Root expiration with Trusted system

Roger,

With respect to security policies, Root is like any other account on the box.
If the "Maximum period of inactivity" is set to X number of days, it will get disabled after that period. Same applies for maximum number of tries for incorrect password, password life time.
It's preferable to disable root access from non-console terminals through /etc/securetty entry.
I use su/sudo to login as root and that's the way to go.
It also makes sense to disable the inactivity option.
You can use SAM for this.

HTH
raj
Take it easy.
Michael Tully
Honored Contributor

Re: Root expiration with Trusted system

Hi,

The most common cause that I've found on trusted systems as to why the 'root' account has become disabled is that people have attempted to login directly as 'root' and not as their own account and either use 'su -' or 'sudo'.
The most frustrating part is that sometimes it is not just the 'root' but DBAs are even more guilty.
I guess the best solution is to increase the number of unsuccessful attempts or have a big stick ready for the next person who does it. You may tread upon the toes of auditors by having to increase this, but you may have more satisfaction using the big stick.

-Michael
Anyone for a Mutiny ?
Pierce Byrne_1
Frequent Advisor

Re: Root expiration with Trusted system

Yes it can get locked, but logging directly via the web console, provided you know the password, will let you unlock it.