lost root password using (SAM) trusted security
Post 6638 by jordanrt on Sunday 9th of September 2001 08:12:56 AM

I have used the system administration management trusted security system and in the process the root password has been changed or lost.

Is there any possible way to recover root status after this incident?
security(4)                    Kernel Interfaces Manual                    security(4)

NAME
security - security defaults configuration file

DESCRIPTION
A number of system commands and features are configured based on certain attributes defined in the configuration file. This file must be world readable and root writable. Each line in the file is treated either as a comment or as configuration information for a given system command or feature. Comments are denoted by a at the beginning of a line. Noncomment lines are of the form. If any attribute is not defined or is commented out in this file, the default behavior detailed below will apply. The default value of each attribute is defined in the file.

Attribute definitions, valid values, and defaults are defined as follows:

This attribute controls login behavior if a user's home directory does not exist. Note that this is only enforced for non-root users and only applies to the command or those services that indirectly invoke such as the and commands.
    Login with '/' as the home directory if the user's home directory does not exist.
    Exit the login session if the user's home directory does not exist.
    Default value:

This attribute determines whether or not users with a null password can login. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. For local users, the system-wide default defined here in may be overridden by defining a per-user value in (described in userdb(4)).
    Users with a null password cannot login.
    Users with a null password can login.
    Default value:

This attribute controls whether or not users are to be audited. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the service module, and requires that the module be configured in. See pam_hpsec(5). The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)). For more information about HP-UX auditing, see audit(5).
    Do not audit.
    Audit.
    Default value:

This attribute controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the service module, and requires that the module be configured in. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)). When an account has been locked due to too many authentication failures, root can unlock the account by this command:
    Any number of authentication retries is allowed.
    An account is locked after N+1 consecutive authentication failures. N can be any positive integer.
    Default value:

This attribute controls whether authentication is required to boot the system into single user mode. If enabled, the system cannot be booted into single user mode until the password of an authorized user is provided. This attribute does not apply to trusted systems. However, if boot authentication is enabled on a standard system, then when the system is converted to a trusted system, boot authentication will also be enabled as default for the trusted system.
    Boot authentication is turned OFF.
    Boot authentication is turned ON.
    Default value:

This attribute defines the names of users who are authorized to boot the system into single user mode from the console. Names are separated by a comma. It only takes effect when boot authentication is enabled. Refer to the description of the attribute. The attribute does not apply to trusted systems. However, when a standard system is converted to a trusted system, this information is translated. For example: Other than the root user, user or can also boot the system into single user mode from the console.
    Default value:

This attribute lists the password hash algorithms that must be deprecated when a user's password is changed. This attribute is only valid when the SHA11i3 product is installed.

This attribute specifies the default password hash algorithm. It is used when a new user password is created, and either the user did not have a password before or the old password was hashed with a deprecated algorithm (listed in). The value of should not be present in. This attribute is only valid when the SHA11i3 product is installed.
    The default hash algorithm is the traditional DES-based algorithm. Refer to crypt(3C) for more information.
    The default hash algorithm is method 6, a newer hash algorithm based on SHA-512.
    For example: If a user's password is created for the first time, it is hashed using method. Or if a user's old password was hashed using, the new password is hashed using method.
    Default value:

This attribute controls whether a successful login displays the date, time and origin of the last successful login and the last authentication failure. Times are displayed using the system's time zone. See the discussion of time zones in the section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the service module, and requires that the module be configured in. See pam_hpsec(5). The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)).
    Information is not displayed.
    Information is displayed.
    Default value:

This attribute controls whether an account is locked if there have been no logins to the account for a specified time interval. It does not apply to trusted systems. This attribute is supported only for non-root users managed by pam_unix (described in pam_unix(5)); this typically includes local and NIS users. In most cases this attribute can be enforced only as a system-wide default; however, for local users on a shadow password system, the system-wide default defined here in may be overridden by defining a per-user value in the field of with either one of these commands: When an account has been locked due to this feature, root can unlock the account by this command: username
    Inactive accounts are not expired.
    Inactive accounts are expired if there have been no logins to the account for at least N days. N can be any positive integer.
    Default value:

This attribute restricts logins to specific time periods. Login time restrictions are based on the system's time zone. See the discussion of time zones in the section. This attribute does not apply to trusted systems. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the service module, and requires that the module be configured in. See pam_hpsec(5). Other PAM service modules in your configuration may enforce additional restrictions. The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)).
    An account is locked if the current time is not within the specified time period. The timeperiod consists of any number of day and time ranges separated by colons. A user is allowed to access the system when the login time is within any of the specified ranges. The days are specified by the following abbreviations: Where is all week days and is any day of the week. A time range can be included after the day specification. A time range is a 24-hour time period, specified as hours and minutes separated by a hyphen. Each time must be specified with 4 digits (HHMM-HHMM). Leading zeros are required. This time range indicates the start and end time for the specified days. The start time must be less than the end time. When no time range is specified, all times within the day(s) are valid. If the current time is within the range of any of the time ranges specified for a user, the user is allowed to access the system. Do not use as a time range to prevent user access. For example, cannot be used to disallow access on Fridays. Instead, should be used. See the section.
    Default value: Can login any day of the week.

This attribute controls the minimum length of new passwords. On trusted systems it applies to all users. On standard systems it applies to non-root local users and to NIS users. The system-wide default defined here may be overridden by defining per-user values in (described in userdb(4)).
    New passwords must contain at least N characters. For standard systems, N can be any value from 3 to 8. For trusted systems, N can be any value from 6 to 80.
    Default value:

This attribute controls whether non-root login can be disabled by the file. Note that this attribute only applies to the applications that use session management services provided by as configured in or those services that indirectly invoke such as the and commands. Other services may or may not choose to enforce the file.
    Ignore the file and do not exit if the file exists.
    Display the contents of the file and exit if the file exists.
    Default value:

This attribute controls the number of simultaneous logins allowed per user. Note that this is only enforced for non-root users and only applies to the applications that use session management services provided by as configured in or those services that indirectly invoke such as the and commands. The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)).
    Any number of logins are allowed per user.
    N number of logins are allowed per user.
    Default value:

This attribute controls the password history depth. A new password is checked against passwords stored in the user's password history. This prevents the user from reusing a recently used password. This attribute applies only to local users. For a trusted system, the maximum password history depth is 10 and the minimum is 1. For a standard system, the maximum password history depth is 24 and the minimum is 1. The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)).
    A new password is checked against the N most recently used passwords, including the current password. For example, a password history depth of 2 prevents a user from alternating between two passwords.
    Default value: Cannot re-use the current password.

Attributes of this form are used to require new passwords to have a minimum number of characters of particular types (upper case, lower case, digits or special characters). This can be helpful in enforcing site security policies about selecting passwords that are not easy to guess. This attribute applies only to non-root local users. The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)).
    Specifies that a minimum of N upper-case characters are required in a password when changed.
    Specifies that a minimum of N lower-case characters are required in a password when changed.
    Specifies that a minimum of N digit characters are required in a password when changed.
    Specifies that a minimum of N special characters are required in a password when changed.
    Default value: The default for each of these attributes is zero.

This attribute controls the default maximum number of days that passwords are valid. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The option can be used to override this value for a specific user.
    A new password is valid for up to N days, after which the password must be changed. N can be an integer from -1 to 441.
    Default value: password aging is turned off.

This attribute controls the default minimum number of days before a password can be changed. This value is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the user. The value is stored persistently and takes effect after the password change. This attribute applies only to local users and does not apply to trusted systems. The option can be used to override this value for a specific user.
    A new password cannot be changed until at least N days since it was last changed. N can be an integer from 0 to 441.
    Default value:

This attribute controls the default number of days before password expiration that a user is to be warned that the password must be changed. This value, if specified, is used by the authentication subsystem during the password change process in the case where aging restrictions do not already exist for the given user. The value takes effect after the password change. This attribute applies only to local users on shadow password systems. The option can be used to override this value for a specific user.
    Users are warned N days before their password expires. N can be an integer from 0 to 441.
    Default value: (no warning)

This attribute defines a new default environment value to be set when to a non-superuser account is done. Refer to su(1). The environment variable is set to new_PATH when the command is invoked. The path value is not validated. This attribute does not apply to a superuser account, and is applicable only when the "-" option is not used with the command.
    Default value: If this attribute is not defined or if it is commented out, is not changed.

This attribute forces to propagate certain 'unsafe' environment variables to its child process despite the security risk of doing so. Refer to su(1). By default, does not export the environment variables or because they could be maliciously misused. Any combination of these can be specified in this entry, with a comma separating the variables. Currently, no other environment variables may be specified in this way. This may change in future HP-UX releases as security needs require.
    Default value: If this attribute is not defined or if it is commented out, these environment variables will not be propagated by the command.

This attribute defines the root group name for the command. Refer to su(1). The root group name is set to the specified symbolic group name. The command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to to root. This does not alter password checking.
    Default value: If this attribute is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to to root without being bound by root group restrictions.

This attribute controls of all sessions initiated via. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the service module, and requires that the module be configured in. See pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (must have a leading zero to denote octal). The system-wide default defined here may be overridden by defining a per-user value in (described in userdb(4)). The current is set or restricted further with the value of default_umask. For trusted systems, the is also restricted so as not to exceed defined in.
    Default value:

Notes
Use the functions defined in secdef(3) to read the values of the attributes defined in this file. The usage, possible values and default value of each of the attributes described in this manpage is defined in the file. The behavior of some attributes is affected by the time zone. For these attributes the time zone is determined by the first line of the form in the file. If the time zone is not specified in this file, it is obtained from the file as described in tzset(3C).

EXAMPLES
The following are examples of usage.
    The user can login to the system all day on weekends and after 6:00 pm on week days.
    The user can login to the system on Monday, Wednesday and Friday from 10:00 am to 2:00 pm and on Tuesday, Thursday, and Sunday from 8:00 am to 5:00 pm.
    The user can login to the system every day from 4:00 am until 1:00 pm.
    No day or time restrictions. This is the default.
    The user can login to the system any time between Monday after 6:00 pm until Tuesday at 3:00 am.
    The user can only login to the system on Mondays between midnight and 3:00 am or after 6:00 pm on Mondays.

WARNINGS
HP-UX 11i Version 3 is the last release to support trusted systems functionality.

AUTHOR
The file was developed by HP.

FILES
    security defaults configuration file
    security attributes description file
    user database

SEE ALSO
login(1), passwd(1), su(1), init(1M), userstat(1M), secdef(3), pam.conf(4), userdb(4), pam_hpsec(5), pam_unix(5).
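The login time restriction format described under DESCRIPTION and EXAMPLES above (colon-separated day and time ranges, HHMM-HHMM with the start earlier than the end, no time range meaning the whole day) as an added Python evaluator; this is example code written for this page, not HP-UX code and not from the man page. The day abbreviations (Mo, Tu, We, Th, Fr, Sa, Su, the weekday group Wk and the any-day group Any), the concatenation of several abbreviations in one entry, and the sample specs are assumptions, since the extracted text above lost the actual values.

```python
import re
from datetime import datetime

# Day abbreviations and the two group names are assumed (the extracted man
# page text lost them); weekday numbers follow datetime.weekday(): Monday=0.
DAY_GROUPS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4},          # all week days
    "Any": {0, 1, 2, 3, 4, 5, 6},   # any day of the week
}
_DAYS = "|".join(DAY_GROUPS)        # "Mo|Tu|...|Any"
# One entry: one or more day abbreviations, optionally followed by HHMM-HHMM.
_ENTRY_RE = re.compile(rf"^((?:{_DAYS})+)(?:(\d{{4}})-(\d{{4}}))?$")
_DAY_RE = re.compile(_DAYS)


def _minutes(hhmm):
    """Convert a 4-digit HHMM string (leading zeros required) to minutes after midnight."""
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if minutes > 59 or hours > 24 or (hours == 24 and minutes > 0):
        raise ValueError(f"invalid time {hhmm}")
    return hours * 60 + minutes


def parse_login_times(spec):
    """Parse a time period into (weekday set, start minute, end minute) tuples.

    Malformed entries and ranges whose start is not before the end are rejected,
    so a 0000-0000 style entry (which the text says must not be used to deny a
    day) is an error rather than a silently empty range.
    """
    ranges = []
    for entry in spec.split(":"):
        match = _ENTRY_RE.match(entry)
        if not match:
            raise ValueError(f"malformed entry {entry!r}")
        days = set()
        for abbr in _DAY_RE.findall(match.group(1)):
            days |= DAY_GROUPS[abbr]
        if match.group(2) is None:      # no time range: all times within the day(s)
            start, end = 0, 24 * 60
        else:
            start, end = _minutes(match.group(2)), _minutes(match.group(3))
            if start >= end:
                raise ValueError(f"start time must be less than end time in {entry!r}")
        ranges.append((days, start, end))
    return ranges


def login_allowed(spec, when):
    """True if 'when' (system local time) lies in any range of the spec."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_login_times(spec))


# Constructed sample specs matching the EXAMPLES prose above (actual values assumed).
WEEKEND_OR_EVENING = "Wk1800-2400:Sa:Su"      # weekends all day, weekdays after 6 pm
MON_NIGHT = "Mo1800-2400:Tu0000-0300"         # Monday 6 pm until Tuesday 3 am

if __name__ == "__main__":
    for spec in (WEEKEND_OR_EVENING, MON_NIGHT, "Any0400-1300", "Any"):
        print(spec, login_allowed(spec, datetime(2001, 9, 9, 8, 12)))
```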
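The password quality attributes described above (minimum length with its standard and trusted ranges, per-class character minimums, and a history depth that counts the current password) as an added Python example; this is example code written for this page, not the page's or HP-UX's own implementation. The salted PBKDF2 history entries stand in for the system's hashed password history and are an assumption of this example.

```python
import hashlib
import hmac
import os

# Ranges quoted in the security(4) text above for standard and trusted systems.
LIMITS = {
    "standard": {"min_len": (3, 8), "history": (1, 24)},
    "trusted": {"min_len": (6, 80), "history": (1, 10)},
}


class PasswordPolicy:
    """System-wide defaults: minimum length, history depth, per-class minimums."""

    def __init__(self, min_len, history_depth=1, trusted=False,
                 upper=0, lower=0, digit=0, special=0):
        kind = "trusted" if trusted else "standard"
        for name, value in (("min_len", min_len), ("history", history_depth)):
            lo, hi = LIMITS[kind][name]
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside {lo}..{hi} on a {kind} system")
        self.min_len = min_len
        self.history_depth = history_depth
        self.class_minimums = {"upper": upper, "lower": lower,
                               "digit": digit, "special": special}


def hash_password(password, salt=None):
    """Salted PBKDF2 history entry; a stand-in for the system's crypt(3C) hash (assumption)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 20_000)


def _matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def _class_counts(password):
    return {"upper": sum(c.isupper() for c in password),
            "lower": sum(c.islower() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "special": sum(not c.isalnum() for c in password)}


def check_new_password(policy, new_password, history):
    """Return the list of policy violations for new_password (empty if acceptable).

    history holds hashed entries, most recent first, so history[0] is the current
    password; a depth of N checks history[:N], i.e. N entries including the current one.
    """
    problems = []
    if len(new_password) < policy.min_len:
        problems.append(f"shorter than {policy.min_len} characters")
    counts = _class_counts(new_password)
    for cls, need in policy.class_minimums.items():
        if counts[cls] < need:
            problems.append(f"fewer than {need} {cls} characters")
    if any(_matches(new_password, e) for e in history[:policy.history_depth]):
        problems.append(f"reuses one of the {policy.history_depth} most recent passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_len=8, history_depth=2, digit=1)
    history = [hash_password("Spring01"), hash_password("Autumn02")]  # constructed sample
    print(check_new_password(policy, "Autumn02", history))             # alternating is refused
```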