HPE Community
Operating System - HP-UX
1833131 Members
3350 Online
110051 Solutions
New Discussion

sulogin

 
SOLVED
Go to solution
Marvyn Torres
Occasional Advisor

‎05-30-2002 02:12 AM

‎05-30-2002 02:12 AM

sulogin

Is there/and where is the sulogin file located in a HP Unix system??

Can it be used to prompt for a password when entering the system maintenance or single user mode??
Newbie over here!
0 Kudos
Reply
8 REPLIES 8
Stefan Farrelly
Honored Contributor

‎05-30-2002 02:16 AM

‎05-30-2002 02:16 AM

Re: sulogin


/var/adm/sulog

and no, you cant prompt for a password if someone boots in lvm maintenance mode or single user mode. Dont leave the key in service mode on the server and then nobody can boot in single user mode or maintenance mode without the key!

Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
Steve Steel
Honored Contributor

‎05-30-2002 02:18 AM

‎05-30-2002 02:18 AM

Re: sulogin

Hi

trusted would be best solution.

convert to a trusted system :
Within SAM you can set up the system security policies so that a
login is required when booting the system to single user.
This can be enabled as follows:
SAM --> Auditing and Security --> System security Policies -->
General User Account Policies : enable "Require login upon boot
to single user state"
The root account by default will have authority to boot the
system to single user.
You can then authorise a particular user to boot to single user
SAM --> Accounts For Users and Groups --> select the user --->
Modify Users Security Policy --> General User Account Policies
and enable " Authorize user to Boot to single-User state" .

The "Boot authentication prompt " is displayed if the "Require
login Upon Boot to single user state" is enabled and the system
is booted to single user.


steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
0 Kudos
Reply
Marvyn Torres
Occasional Advisor

‎05-30-2002 02:58 AM

‎05-30-2002 02:58 AM

Re: sulogin

Steve,

Clarification please.

Does your solution mean that the root account will also be prompted for a password when entering single user mode??
Newbie over here!
0 Kudos
Reply
Peter Kloetgen
Esteemed Contributor

‎05-30-2002 03:10 AM

‎05-30-2002 03:10 AM

Solution

Re: sulogin

Hi Marvin,

first of all to say: As all the others allready said, change to a trusted system!

To give the answer to your question: YES, then even root is prompted for a password when booting into single user mode. Only possibility to get into the system then is to use installation CD- ROM and remount the file systems to get in write- mode and then remove root password from tcb- directory.

Please don't forget also to secure your web console. (If you have a computer which has one...) Go into service processor mode and enter HE or LI at prompt to find information which commands you need to activate.


Allways stay on the bright side of life!

Peter
I'm learning here as well as helping
Reply
Steve Steel
Honored Contributor

‎05-30-2002 03:12 AM

‎05-30-2002 03:12 AM

Re: sulogin

Hi


peter got it in one.

If you want security then apply it by making the system trusted.


steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Reply
Marvyn Torres
Occasional Advisor

‎05-30-2002 04:58 PM

‎05-30-2002 04:58 PM

Re: sulogin

How do you go about checking (discreetly - so as not to appear stupid among peers -hehe)if a system is trusted??
Newbie over here!
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎05-30-2002 05:27 PM

‎05-30-2002 05:27 PM

Re: sulogin

Hi Marvyn:

A trusted system will have a protected password file: '/tcb/files/auth/'.

A trusted system (most visibly) displays the message "last successful/unsuccessful login..." upon user logon. This is a dead-give-away of a trusted server.

Regards!

...JRF...
Reply
Steven Sim Kok Leong
Honored Contributor

‎05-30-2002 05:33 PM

‎05-30-2002 05:33 PM

Re: sulogin

Hi,

1) This is the direct approach (definitive and quickest):

# /etc/tsconvert
System has already been converted.

If your system has already been converted, tsconvert will show the status by printing the message stating that your system has already been converted.

Other methods include:

2) Not surest method but one of the quickest methods:

# ll -d /tcb

Check for /tcb existence. /tcb is created upon conversion.

3) One definitive way (one long method):

The definitive way (this is just one way) is to check it from SAM:

SAM
-> Audit and Security
-> Audited Events

If your system is not trusted, you will see a popup dialog saying that your system is not trusted, and ask you whether you wish to convert it to trusted.

Once trusted, under "Actions",
you will notice the option to: "Unconvert the system"

Hope this helps. Regards.

Steven Sim Kok Leong
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.