Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203
Expired Root Account/Password for Solaris 8
Hi,
I locked down my system and after a month of not using the system, the root password or account became disabled. I thought it was an expired password so I went through the root password recovery routine:
I booted in single user mode with the firmware password via cdrom and blanked the root password. No problem there.
I reboot in normal mode and get back to the login prompt. Now I get an incorrect login message after entering root as the user name. The error comes before I can enter the blank password. I think this is because I set the account to lock or expire after inactivity. Any ideas?
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197
You're going to have to give more detail.
What tools are you using and what files are you editing?
Did you make the password field blank in /etc/shadow? I presume when you booted from cdrom you mounted the root disk partition and went into that and edited it? Backing it up first, and double-checking your work? A mistake here can break the system badly.
Lose your firmware password and you're really in trouble. On another front, can you ssh in and sudo? Getting a system too locked down can get you in trouble, as you've found.
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203
Original Poster
Here is exactly what I did:
STOP-A
boot cdrom -s
I entered my firmware password that worked
mount /dev/dsk/c0t0d0s0 /a
cd /a/etc
TERM=sun; export TERM
vi shadow (I edited the shadow file by erasing the root password - root::...)
cd /
umount /a
reboot
During this process I encountered no error messages.
After the system boots up, I see the graphical login prompt as usual. I type root for username and press enter. The system gives me the incorrect login error message. It doesn't even ask for a password. That is why I think the account is locked or disabled. A few months ago I locked down the system so accounts would expire after a long time of inactivity (Yes, I do realize that I fell on my own sword). Has anyone run into this problem before?
Last edited by linux_pioneer; 09-19-2007 at 06:40 AM.
It sounds like you setup/are in mode with no root entry via GUI, but your user name and then su - to go into root user.
But I faced it once in Ubuntu Linux, not on Solaris.
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203
Original Poster
I also blanked the password of a regular user account so I could try su. I get the same problem at the login prompt. I enter the user name and get an incorrect login message before I can enter the password.
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197
What else have you done to lock down the system with respect to logging in, passwords, etc?
Also, the third field in /etc/shadow, which you don't show, is the number of days between January 1, 1970 and the date that the password was last changed. If you have an account that works, perhaps you could copy the other fields from it. You can do a `man shadow` to see what all the other fields are. Or, if there is an account that you know the login password to, and that works, you could copy the hash for that password into the root password entry in /etc/shadow, and then reboot and login as root using that password. Possibly inflating the last entry (number of days of inactivity allowed) would do it. The login checks the lastlog file and compares it to this field.
However, it kind of goes back to my question at the beginning of this post. Unless someone with a lot of experience has an inspiration, I think you'll need to come up with what else you did in order for us to help more.
I don't know how important this machine is to you. On all of my servers, I keep a separate log book. In that log book I enter everything I do on that server. I put the date at the beginning of each entry, and I highlight keywords so that I can scan through the logbook very quickly. I often cross reference entries, and occasionally, I will even index them. For one of my servers, I have about 120 pages in the log book. The entries are succinct with lots of unix and not so much English. When I can't remember what I did configuring something, I can scan back through and see.
Distribution: Ubuntu, Slackware, Gentoo, Linux Mint, Arch Linux
Posts: 43
Have you tried booting from a LiveCD (like Slax, Knoppix, DSL, etc.) and just backing up your data? Then you could try. You could also try replacing the bad files with files from the install cd...
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
Quote:
Originally Posted by linux_pioneer
Hi,
I locked down my system and after a month of not using the system, the root password or account became disabled.
This is extremely non-standard. What was done in the first place for that to happen?
Quote:
I thought it was an expired password
root's password shouldn't expire.
Quote:
so I went through the root password recovery routine:
I booted in single user mode with the firmware password via cdrom and blanked the root password. No problem there.
Did you back up the shadow file?
What was its original content and what is its current one?
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203
Original Poster
Quote:
Originally Posted by jlliagre
This is extremely non-standard. What was done in the first place for that to happen?
root's password shouldn't expire.
Did you back up the shadow file?
What was its original content and what is its current one?
I realize this is extremely non-standard. I work in a non-standard organization that sets security policy and I just implement.
The root's password can expire if you set it to.
I restored the original shadow file to no avail. I believe the policy in the shadow file expired or disabled the accounts. Even after restoring the file, I need a way to tell the OS to restore the accounts.
Has anyone received a bad login error message after entering the user name?
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197
A couple of people have asked for more details. We can't help you unless you can provide them. Give us a step by step of what you did to "secure" the root password. There may also have been some other related things that you did to secure accounts in general. What were they?
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203
Original Poster
I modified the /etc/shadow. For two users - including root - I modified the 5th and 7th fields in the colon delimited entry. I set the max days for password change to 60 and days after expiration to inactivate account to 30.
username (root):
password (encrypted password):
last password change:
min days for password change:
max days for password change (60):
warn days for password change:
number of days to inactivate account after password expiration (30):
date to disable account
After I booted in single mode from the CD, I cleared these entries along with the password. Still no luck. Before I made these changes I was able to clear the password and set a new one at login. I think Solaris made the accounts inactive due to these settings and I need to figure out how to reactivate them.
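The aging fields discussed in this thread (the last-change day counted from January 1, 1970, the inactivity field compared against lastlog, and the 60/30 values from the post above), as an added example that is not part of any post: a shell function, `shadow_status` (a hypothetical name), that reports which checks one shadow entry fails on a given day. The entry, the hash placeholder and the day numbers are constructed, and the exact boundary comparisons are assumptions.

```shell
#!/bin/sh
# Added example. Report why a login would be refused, from one shadow entry.
#   $1 entry      colon-delimited line in /etc/shadow format
#   $2 today      current date, in days since 1970-01-01
#   $3 lastlogin  day of the last login (the value lastlog keeps), same unit
# Boundary handling (> versus >=) is an assumption of this sketch.
shadow_status() {
    entry=$1 today=$2 lastlogin=$3 out=
    # ':' is not IFS whitespace, so empty fields are preserved by read.
    IFS=: read -r user pw lastchg min max warn inactive expire flag <<EOF
$entry
EOF
    # Field 8: absolute day on which the login stops being usable.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        out="$out expired"
    fi
    # Field 7: days of inactivity allowed, measured from the last login.
    if [ -n "$inactive" ] && [ $((today - lastlogin)) -gt "$inactive" ]; then
        out="$out inactive"
    fi
    # Field 2: '*LK*' marks a locked account; empty means no password at all.
    case $pw in
        '*LK*'*) out="$out locked" ;;
        '')      out="$out empty-password" ;;
    esac
    # Fields 3 and 5: the password is older than the maximum age.
    if [ -n "$lastchg" ] && [ -n "$max" ] &&
       [ $((today - lastchg)) -gt "$max" ]; then
        out="$out password-aged"
    fi
    out=${out# }
    echo "${out:-ok}"
}

# Constructed entry: max age 60 days, 30 days of inactivity allowed.
SAMPLE='root:CONSTRUCTEDHASH:13700::60::30::'
# Day 13775 is 2007-09-19; the last login was 35 days earlier.
shadow_status "$SAMPLE" 13775 13740
```

An entry left with an empty password field after recovery shows up as `empty-password`, which is the state to clear before the machine goes back into service.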