
single user mode locked

 
SOLVED
Donny Jekels
Respected Contributor

single user mode locked

Someone has locked one of the boxes to request a logon at single user mode, while converting to trusted system.

Now I can't login to single user mode, not even with the correct root password.

Does anyone know how to change this back?

Note, we cannot convert to untrusted mode, this is a production system.

Thank you.
Donny
"Vision, is the art of seeing the invisible"
Patrick Wallek
Honored Contributor

Re: single user mode locked

If you can log in as root in multi-user mode, then you can change this via SAM.

kamal_9
Super Advisor

Re: single user mode locked

Hi Donny,
Are you able to log in to the machine in normal mode? If not, in single-user boot, where is it asking for the password?
Donny Jekels
Respected Contributor

Re: single user mode locked

I can log in with root's password in multi user mode, no problem.

When it gets to single user mode it asks for a login, which I assume is root, and then a password. No go. And I am using the same password for root as when it's in multiuser mode. I tried all sorts of combos, even without password.

Weird. Often wondered who gave the programmer at HP this wonderful idea to build this feature. :-(
"Vision, is the art of seeing the invisible"
Ermin Borovac
Honored Contributor
Solution

Re: single user mode locked

To disable password in single-user mode, fire up SAM and go to:

Auditing and Security->System Security Policies->General User Account Policies

Then uncheck the box:

Require Login Upon Boot to Single-User State
Sridhar Bhaskarla
Honored Contributor

Re: single user mode locked

Hi Donny,

Ermin got it. Through command line it is

/usr/lbin/modprdef -m bootpw=NO

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Donny Jekels
Respected Contributor

Re: single user mode locked

Thank you all.
"Vision, is the art of seeing the invisible"
doug hosking
Esteemed Contributor

Re: single user mode locked

> weird. often wondered who gave the
> programmer at hp this wonderful idea to
> build this feature. :-(

The honest answer is 'repeated requests by several major HP customers.' As mentioned above, it's optional. HP doesn't force anyone to use it.

Imagine you're the sysadmin of university workstations. Would you want every freshman to be able to reboot them and get easy root access, have the ability to plant trojan horse versions of login on the system, change the passwords of the legitimate superusers, ... ?

Imagine your company uses a lot of temporary help, which may include people who have or will work for your competition. Do you want them to have easy root access to steal/corrupt/delete your critical data?

Obviously there are good and bad people everywhere. I'm not trying to stereotype or accuse anyone here. But the reality is that there are plenty of computer users who are less than friendly, and sysadmins need tools to help protect their systems from them. This is one small way to help meet that need. It may or may not be helpful in any given environment, which is why it's optional.

Donny Jekels
Respected Contributor

Re: single user mode locked

good point.

but why does the regular root password not work when this feature is enabled?
"Vision, is the art of seeing the invisible"
doug hosking
Esteemed Contributor

Re: single user mode locked

I can only guess re the password. One common problem relating to trusted mode conversions is that people don't understand the way standard mode passwords work.

If you have a password longer than 8 characters, traditional UNIX ignores anything beyond the first 8. If you set your password to abcdef12897, you can login with abcdef12993. The remaining characters are effectively thrown away when the 'encrypted password' is initially saved. Once thrown away, those bytes can never be recovered. This is unfortunately a limitation imposed by the historical format of a UNIX password file.

In trusted mode configurations, longer passwords are supported, and the characters beyond 8 ARE meaningful, but only if the password is changed AFTER the conversion to trusted mode. Until that change, you would need to type only the first 8 characters of the password, not the whole password, to get a match.

Another possibility is if the password in question contained special characters like @ or #. Historically (in the days of paper-based terminals instead of CRTs) these two characters had special meaning as kill or erase characters. (Today, ^U, ^H or 'delete' are typically used instead.) If your root password contained one or more of these special characters, it might be getting interpreted differently during boot authentication than it is during normal login. This would depend on specifics of the tty modes in effect at the time you typed the password.

My team at HP owns the code in question. I'd be very interested to know if either of the above explains the situation you encountered. (Obviously I'm not asking you to post your password or significant hints about it here.) HP support folks can reach me if there's info you'd like to share through a more private channel.
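
The two explanations in the reply above, as an added example that is not part of the original post and is not HP-UX code: a small Python model of 8-character truncation in the traditional password hash and of legacy tty erase/kill editing. The function names are hypothetical, `#` as erase and `@` as kill are assumed to be the tty settings in effect, and the trusted-mode matching rule is modelled only from the description in the post.

```python
# Added illustration: a simplified model, not HP-UX source code.
ERASE, KILL = "#", "@"  # assumed historical tty erase/kill characters


def canonical_line(typed: str, erase: str = ERASE, kill: str = KILL) -> str:
    """What a canonical-mode tty delivers for the keystrokes in `typed`."""
    out = []
    for ch in typed:
        if ch == erase:        # erase: drop the previous character
            if out:
                out.pop()
        elif ch == kill:       # kill: discard everything typed so far
            out.clear()
        else:
            out.append(ch)
    return "".join(out)


def des_crypt_key(password: str) -> bytes:
    """Key material of traditional crypt(3): low 7 bits of the first 8 bytes."""
    raw = password.encode("latin-1")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)


def same_traditional_hash(a: str, b: str) -> bool:
    """Equal key material gives an equal hash for any given salt."""
    return des_crypt_key(a) == des_crypt_key(b)


def matches_old_hash_in_trusted_mode(original: str, typed: str) -> bool:
    """Model of the post's rule: before the password is changed after
    conversion, only the first 8 characters, typed alone, match."""
    return len(typed) <= 8 and same_traditional_hash(original, typed)


if __name__ == "__main__":
    # The two passwords from the post collide in standard mode.
    print(same_traditional_hash("abcdef12897", "abcdef12993"))
    # The full password no longer matches the pre-conversion hash ...
    print(matches_old_hash_in_trusted_mode("abcdef12897", "abcdef12897"))
    # ... but its first 8 characters do.
    print(matches_old_hash_in_trusted_mode("abcdef12897", "abcdef12"))
    # Constructed keystrokes containing '#' and '@' under legacy tty modes.
    print(repr(canonical_line("Rt!x#9@Zq^$w")))
```

The model does not handle backslash-escaping of the erase and kill characters.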

Donny Jekels
Respected Contributor

Re: single user mode locked

Okay,

our password has a few ! and ^ and $ and # signs in and the length is 15 digits.

I will re-enable the switch and test with the first 8 characters only.

will let you know if it works, by tomorrow.
"Vision, is the art of seeing the invisible"
donne007
Regular Advisor

Re: single user mode locked

The other way around, to disable it without untrusting the system, is to edit the file /tcb/files/auth/r/root and delete the entries corresponding to
:u_pwd=:\ ---> after deleting

:u_pwd=JEFuc345.7Uiw:\ --> before deleting

Hope this helps ..
Good luck
Asif