You create the golden image presumably via some NIM-procedure. My suggestion is to have a post-install customization script which sets the root password to blank and raises the ADMCHG flag so that the next root logging on is required to set the PW.
It being weekend I have no AIX system at hand to test it, but that should work:
See the man page for the chpasswd command for details.
On another thought you may want to include such a post-install step into the regular NIM-setup of new systems so that - regardless of what golden image was delivered - the root password is always set to a constant value which you can tell the administrators. In regular intervals (like once a year, ...) you just change this post-install-script so that ALL newly iinstalled systems are set to this new password initially.
Hello,
I just finished adding a bunch of new users to the linux servers I administer. I add users either via command line or via linuxconf, but I can't seem to find out how to force users to change their passwords on their first login to the system.
Anyone know how to do that? My HP-UX... (1 Reply)
Hi,
I notice in my Sun Solaris 8 sparc worstation, I am able to change my password to same existing password.
That is, right now my password is abc, and I change it with "passwd" command and change it abc again. It will accept.
How can I make it such that it will not accept same password?... (3 Replies)
We have quite a few threads about this subject. I have collected some of them and arranged them by the OS which is primarily discussed in the thread. That is because the exact procedure depends on the OS involved. What's more, since you often need to interact with the boot process, the... (0 Replies)
Hi, yesterday, I changed root's shell in /etc/passwd, cause a mistake then I can not log in root account (can't find correct shell). I attempted to log in single-mode, however, it prompted for single-mode's password then I type root's password but still can not log in.
I'm using AIX 5L version 5.2... (2 Replies)
hi
How can I force user to change of password by modifying the password expiry and the grace period so that the
user has at least 1 week to login and change the password...... (3 Replies)
hi
by modifying /etc/shadow
how can I Force a change of password so that user has at least 1 week to login?
I did it by using:
echo "enter username to force password change"
read user;
chage -M 7 $user;
How can I do it by modifying /etc/shadow?? (6 Replies)
Hello All,
How to force user to change his login passwd on his first login in solaris 10 ?
while adding user do we need to set the password in theis case?? (7 Replies)
Hi all,
Im having trouble setting up an FTP server and forcing SSL. At the moment i can connect to the server externally using normal FTP but when i try FTP with SSL i get
STATUS:> Connected. Exchanging encryption keys...
ERROR:> SSL: Error in negotiating... (5 Replies)
i do not have root on a solairs 10 server , however i do have the root role, i was wondering if I can change the root password as a a role with the passwd command? I have not tried yet.
and do i have to use the # chgkey -p afterwards?
i need to patch is why i am asking.
thanks (1 Reply)
Discussion started by: goya
1 Replies
LEARN ABOUT LINUX
sudo_root
sudo_root(8) System Manager's Manual sudo_root(8)NAME
sudo_root - How to run administrative commands
SYNOPSIS
sudo command
sudo -i
INTRODUCTION
By default, the password for the user "root" (the system administrator) is locked. This means you cannot login as root or use su. Instead,
the installer will set up sudo to allow the user that is created during install to run all administrative commands.
This means that in the terminal you can use sudo for commands that require root privileges. All programs in the menu will use a graphical
sudo to prompt for a password. When sudo asks for a password, it needs your password, this means that a root password is not needed.
To run a command which requires root privileges in a terminal, simply prepend sudo in front of it. To get an interactive root shell, use
sudo -i.
ALLOWING OTHER USERS TO RUN SUDO
By default, only the user who installed the system is permitted to run sudo. To add more administrators, i. e. users who can run sudo, you
have to add these users to the group 'admin' by doing one of the following steps:
* In a shell, do
sudo adduser username admin
* Use the graphical "Users & Groups" program in the "System settings" menu to add the new user to the admin group.
BENEFITS OF USING SUDO
The benefits of leaving root disabled by default include the following:
* Users do not have to remember an extra password, which they are likely to forget.
* The installer is able to ask fewer questions.
* It avoids the "I can do anything" interactive login by default - you will be prompted for a password before major changes can happen,
which should make you think about the consequences of what you are doing.
* Sudo adds a log entry of the command(s) run (in /var/log/auth.log).
* Every attacker trying to brute-force their way into your box will know it has an account named root and will try that first. What they do
not know is what the usernames of your other users are.
* Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from the admin group, while not
compromising the root account.
* sudo can be set up with a much more fine-grained security policy.
* On systems with more than one administrator using sudo avoids sharing a password amongst them.
DOWNSIDES OF USING SUDO
Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
* Redirecting the output of commands run with sudo can be confusing at first. For instance consider
sudo ls > /root/somefile
will not work since it is the shell that tries to write to that file. You can use
ls | sudo tee /root/somefile
to get the behaviour you want.
* In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as
nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to
leave the system unusable. An extra local user, or an enabled root password is needed here.
GOING BACK TO A TRADITIONAL ROOT ACCOUNT
This is not recommended!
To enable the root account (i.e. set a password) use:
sudo passwd root
Afterwards, edit the sudo configuration with sudo visudo and comment out the line
%admin ALL=(ALL) ALL
to disable sudo access to members of the admin group.
SEE ALSO sudo(8), https://wiki.ubuntu.com/RootSudo
February 8, 2006 sudo_root(8)