Operating System - HP-UX
Hill_1
Frequent Contributor

Security on changing the Root Password

Hi people,
As far as I know, if root forgets the password, he can boot to PDC/BootROM, interact with ISL, and boot the kernel with the command:
hpux -is
and this will bring the person logging in to the S level without prompting for a password.

In this case, is there any security to prevent other people from logging in using the above method?
I'm doubtful about the security of the system, as people other than root can still log in as root without giving the root password.

Any idea on this?
Thanks.
Rainer von Bongartz
Honored Contributor

Re: Security on changing the Root Password

Best practice has always been to make your servers inaccessible to 'normal people'

Whoever can reach the power button of your box will be able to do everything to your server!
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Praveen Bezawada
Respected Contributor

Re: Security on changing the Root Password

Hi
As far as I know, the only security available to prevent someone from entering single user mode is to prevent others from having physical access to the machine and the console.

...BPK...
Thierry Poels_1
Honored Contributor

Re: Security on changing the Root Password

Hi,
how about putting the server in a secure room??
If you are not able to boot into single user mode there will be no way to recover a lost root password.
regards,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
Thierry Poels_1
Honored Contributor

Re: Security on changing the Root Password

LOL, three similar replies within 3 minutes, take that for an answer ;))
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
Printaporn_1
Esteemed Contributor

Re: Security on changing the Root Password

I recall (I'm not so sure) that somewhere in boot the admin can do this, but it is not a good idea because it is very troublesome if nobody can log in; maybe the only way to get access to the system again is to re-install the OS.
enjoy any little thing in my life
Bill Hassell
Honored Contributor

Re: Security on changing the Root Password

As mentioned, physical access to the console or to the computer's power cord means there is no security at all. However, there are a couple of things you can do.

Converting to Trusted adds a feature that requires a password in single user mode. That's probably the best solution when physical security is not controllable. And for workstations, there is a processor ROM security code that prevents interrupting the boot process unless you supply the right password. But as mentioned, if you forget the password, you'll have to go through some complex steps to turn off the ROM password.


Bill Hassell, sysadmin
David Lieberman_1
Frequent Advisor

Re: Security on changing the Root Password

June,

Not only do you have to configure the server for "trusted" mode, you also must set the flag to require root to enter a password to enter mode S from a boot. This flag is set in SAM (trusted) in:

Auditing and Security
System Security Policies
General User Account Policies
[]Require Login Upon Boot To Single-User State

- David
Sundar_7
Honored Contributor

Re: Security on changing the Root Password

Hey man

First of all, you have got to convert the system to trusted mode, otherwise this is never going to be possible.

Once it is trusted also, it is not going to ask for the password while entering single user mode.

You have got to enable it.

You can do it through SAM as mentioned above.

But in the end it is going to change things here in

/tcb/files/auth/defaults

Check it out

Sundar

Learn What to do ,How to do and more importantly When to do ?
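
An audit check for the setting discussed in the replies above, added here as an example and not part of any poster's reply. It assumes the SAM checkbox is stored as the boolean field `d_boot_authenticate` in authcap(4) syntax; that field name, the helper names and the sample entry are assumptions not given in the thread, and the file path is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the flag is the boolean
# field d_boot_authenticate, stored in authcap(4) syntax where ":name:" means
# true and ":name@:" means false, with "\" continuing an entry.

boot_auth_state() {
    # $1 = path to the trusted-mode defaults file
    [ -r "$1" ] || { echo "no-file"; return 0; }
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        { sub(/\\[ \t]*$/, ""); entry = entry $0 }   # join continued lines
        END {
            state = "unset"
            n = split(entry, f, ":")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == "d_boot_authenticate")  state = "enabled"
                if (f[i] == "d_boot_authenticate@") state = "disabled"
            }
            print state
        }' "$1"
}

# Constructed sample entry (not copied from a real system).
sample_defaults() {
    cat <<'EOF'
default:\
	:d_name=default:\
	:d_boot_authenticate@:\
	:chkent:
EOF
}

# Demo on the constructed sample; on a real host pass the file's path instead.
demo="${TMPDIR:-/tmp}/defaults.sample.$$"
sample_defaults > "$demo"
echo "single-user boot authentication: $(boot_auth_state "$demo")"
rm -f "$demo"
```

Any result other than `enabled` means the file does not confirm that a boot to single-user state will prompt for a login; `no-file` is what an unconverted (non-trusted) system would return, since the file is only expected after conversion.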