Operating System - HP-UX

root password has been disable...

SOLVED
hpuxhelp
Regular Advisor

root password has been disable...

How do I reactivate the root account when it is disabled due to too many failed attempts?
Jeff Schussele
Honored Contributor

Re: root password has been disable...

Hi,

This one is always a pain in the arse.
The easiest way is to login on a console attached to the console port. root logins are not disabled through that port only.
If that's not an option then you have to hope that someone, somewhere has a root session open that you can access.
Then run
modprpw -k root
to re-enable the root account.
If neither of the preceding 2 options work for you, then the only other choice is to boot to single-user mode & run that command from there.

HTH,
Jeff

PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
hpuxhelp
Regular Advisor

Re: root password has been disable...

Can one create a root account that, even after many failed attempts, cannot be disabled?
Jeff Schussele
Honored Contributor
Solution

Re: root password has been disable...

Sure, here's how using SAM.

SAM -> Users & Groups -> Users -> highlight root -> Actions -> Modify Security Policies -> General User Account Policies

Set "Unsuccessful login tries allowed" to 0 (zero); this will effectively set no limit.

HTH,
Jeff
Jeff Schussele
Honored Contributor

Re: root password has been disable...

And here's how to do it from the command line:

modprpw -lm umaxlntr=0

Note that's a lower case l (ell) not the digit one.

Rgds,
Jeff
avsrini
Trusted Contributor

Re: root password has been disable...

Hi,

For security reasons, the root account lockout after unsuccessful login attempts has to be enabled. If you disable this feature, you will not come to know if anybody tries to login to root or if anybody is trying to hack your system. So the better option is to keep your root account's policy as default. You can increase the no. of attempts, but I advise not to disable this feature.

Srini.
Be on top.
Jeff Schussele
Honored Contributor

Re: root password has been disable...

Hi Srini,

I'm not so sure I agree with you on that.
Let's say you set the attempts to 20 & you get a brute-force attack that tries 20 times & locks root. You get paged but CANNOT login OR su remotely. You've now pretty much lost hope of determining who/where these are coming from by...say...turning up the logging level of inetd.

What you should do first & foremost is devise hardened, uncrackable root PWs & guard them with your life. Then set up /etc/securetty so that root can only directly login from the console. Then you can set up a cron job to watch the logs for su attempts & page you on a certain # of attempts over a certain time period, but NOT stop them cold. They have to be active to find them easily or you're stuck poring over router/firewall logs. Plus you'll know from whose account the su attempts are coming.

There are many other things one can do of course, but I don't think limiting login attempts for root is in the top 10.

My 2 cents,
Jeff (Who bets this thread will get bunches of responses)
Michael Tully
Honored Contributor

Re: root password has been disable...

You're right, Jeff, more responses.

The first thing I would be doing is making sure that the 'root' account is handled delicately. Implement 'sudo' and then you don't need to use the 'root' account at all.

The 'root' account should only need to be accessed from the console, and in reality only if some heavy maintenance needs to be done. Anything requiring 'root' access can be done using 'sudo'. As far as disabling the account is concerned, I wouldn't be changing the unsuccessful attempts, just make sure that they are monitored. Here is a simple but effective method that can be used in cron, for example, and then you could e-mail it to yourself.

# cat /var/adm/sulog | awk '$4 == "-" {print $0}' | grep 'root$'

You can get 'sudo' from here, it is definitely worthwhile. http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
Anyone for a Mutiny ?
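A cron-friendly version of the sulog check in the reply above, combined with Jeff's earlier suggestion of paging on a number of su attempts over a period, as an added example that is not code from any poster. It assumes the usual sulog layout ("SU MM/DD HH:MM [+|-] tty caller-target"), constructs a few sample lines, and reports failed su-to-root attempts per calling user, optionally for a single day, signalling when they reach a threshold.

```shell
#!/bin/sh
# Added example, not code from the thread: count failed su-to-root attempts in
# /var/adm/sulog per calling user, optionally for one day, and signal when the
# total reaches a threshold so cron can mail a report instead of locking root.
# Assumes the usual sulog layout: "SU MM/DD HH:MM [+|-] tty caller-target".

# Write a constructed sulog sample to a temp file and print its path.
make_sample_sulog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
SU 03/05 09:12 + pts/0 jeff-root
SU 03/05 09:13 - pts/1 bob-root
SU 03/05 09:13 - pts/1 bob-root
SU 03/05 09:14 - pts/1 bob-root
SU 03/05 09:20 - pts/2 alice-oracle
SU 03/06 02:41 - pts/3 mallory-root
EOF
    echo "$f"
}

# failed_su_to_root FILE [MM/DD]: one line per caller, "<count> <user>",
# counting only failed ("-") attempts whose target is root.
failed_su_to_root() {
    awk -v day="$2" '
        $4 == "-" && $6 ~ /-root$/ && (day == "" || $2 == day) {
            sub(/-root$/, "", $6); n[$6]++
        }
        END { for (u in n) printf "%d %s\n", n[u], u }' "$1" | sort -rn
}

# total_failed_su_to_root FILE [MM/DD]: total failed su-to-root attempts.
total_failed_su_to_root() {
    failed_su_to_root "$1" "$2" | awk '{ s += $1 } END { print s + 0 }'
}

# alert_if_over FILE THRESHOLD [MM/DD]: exit 0 when an alert is warranted.
alert_if_over() {
    [ "$(total_failed_su_to_root "$1" "$3")" -ge "$2" ]
}

# Stand-alone run on the constructed sample; under cron, pipe into mailx.
sample=$(make_sample_sulog)
if alert_if_over "$sample" 3; then
    echo "WARNING: $(total_failed_su_to_root "$sample") failed su-to-root attempts:"
    failed_su_to_root "$sample"
fi
```

Point the functions at /var/adm/sulog and pass today's MM/DD from cron to get the "attempts over a time period" check without touching the lockout policy.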