LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > Solaris / OpenSolaris
User Name
Password
Solaris / OpenSolaris This forum is for the discussion of Solaris and OpenSolaris.
General Sun, SunOS and Sparc related questions also go here.

Notices

Reply
 
Search this Thread
Old 09-19-2007, 05:39 AM   #1
linux_pioneer
Member
 
Registered: May 2003
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203

Rep: Reputation: 30
Expired Root Account/Password for Solaris 8


Hi,
I locked down my system and after a month of not using the system, the root password or account became disabled. I thought it was an expired password so I went through the root password recovery routine:
I booted in single user mode with the firmware password via cdrom and blanked the root password. No problem there.
I reboot in normal mode and get back to the login prompt. Now I get an incorrect login message after entering root as the user name. The error comes before I can enter the blank password. I think this is because I set the account to lock or expire after inactivity. Any ideas?
 
Old 09-19-2007, 06:24 AM   #2
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189

Rep: Reputation: 105Reputation: 105
You're going to have to give more detail.

What tools are you using and what files are you editing?

Did you make the password field blank in /etc/shadow? I presume when you booted from cdrom you mounted the root disk partition and went into that and edited it? backing it up first, and double checking your work? A mistake here can break the system badly.

Lose your firmware password and you're really in trouble. On another front, can you ssh in and sudo? Getting a system too locked down can get you in trouble, as you've found.
 
Old 09-19-2007, 06:39 AM   #3
linux_pioneer
Member
 
Registered: May 2003
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203

Original Poster
Rep: Reputation: 30
Here is exactly what I did:
STOP-A
boot cdrom -s
I entered my firmware password that worked
mount /dev/dsk/c0t0d0s0 /a
cd /a/etc
TERM=sun; export TERM
vi shadow (I edited the shadow file by erasing the root password - root::...)
cd /
umount /a
reboot
During this process I encountered no error messages.
After the system boots up, I see the graphical login prompt as usual. I type root for username and press enter. The system gives me the incorrect login error message. It doesn't even ask for a password. That is why I think the account is locked or disabled. A few months ago I locked down the system so accounts would expire after a long time of inactivity (Yes I do realize that I fell on my own sword). Has anyone ran into this problem before?

Last edited by linux_pioneer; 09-19-2007 at 06:40 AM.
 
Old 09-19-2007, 06:58 AM   #4
xramm
LQ Newbie
 
Registered: Sep 2007
Posts: 17

Rep: Reputation: 0
Unhappy

it sounds like you setup/are in mode with no root entry via gui but your user name and then su - to go into root user.
But I faced it once in Ubuntu Linux not on Solaris..
 
Old 09-19-2007, 07:27 AM   #5
linux_pioneer
Member
 
Registered: May 2003
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203

Original Poster
Rep: Reputation: 30
I also blanked the password of a regular user account so I could try su. I get the same problem at the login prompt. I enter the user name and get an incorrect login message before I can enter the password.
 
Old 09-19-2007, 08:11 PM   #6
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189

Rep: Reputation: 105Reputation: 105
What else have you done to lock down the system with respect to logging in, passwords, etc?

Also, the third field in /etc/shadow, which you don't show, is the number of days between January 1, 1970 and the date that the password was last changed. If you have an account that works, perhaps you could copy the other fields from it. You can do a `man shadow` to see what all the other fields are. Or, if there is an account that you know the login password to, and that works, you could copy the hash for that password into the root password entry in /etc/shadow, and then reboot and login as root using that password. Possibly inflating the last entry (number of days of inactivity allowed) would do it. The login checks the lastlog file and compares it to this field.

However, it kind of goes back to my question at the beginning of this post. Unless someone with a lot of experience has an inspiration, I think you'll need to come up with what else you did in order for us to help more.

I don't know how important this machine is to you. On all of my servers, I keep a separate log book. In that log book I enter everything I do on that server. I put the date at the beginning of each entry, and I highlight keywords so that I can scan through the logbook very quickly. I often cross reference entries, and occasionally, I will even index them. For one of my servers, I have about 120 pages in the log book. The entries are succinct with lots of unix and not so much English. When I can't remember what I did configuring something, I can scan back through and see.
 
Old 09-19-2007, 08:35 PM   #7
TechWizrd
Member
 
Registered: Apr 2007
Location: /dev/null
Distribution: Ubuntu, Slackware, Gentoo, Linux Mint, Arch Linux
Posts: 43

Rep: Reputation: 15
Have you tried booting from a LiveCD (like Slax, Knoppix, DSL, etc. ?) and just backing up your data? Then you could try. You could also try replacing the bad files wih files from the install cd...
 
Old 09-20-2007, 11:29 AM   #8
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris10, Solaris 11, Mint, OL
Posts: 9,506

Rep: Reputation: 360Reputation: 360Reputation: 360Reputation: 360
Quote:
Originally Posted by linux_pioneer View Post
Hi,
I locked down my system and after a month of not using the system, the root password or account became disabled.
This is extremely non standard. What was done in the first place for that to happen ?
Quote:
I thought it was an expired password
root's password shouldn't expire.
Quote:
so I went through the root password recovery routine:
I booted in single user mode with the firmware password via cdrom and blanked the root password. No problem there.
did you backup the shadow file ?
What was its original content and what is its current one ?
 
Old 09-22-2007, 10:21 PM   #9
linux_pioneer
Member
 
Registered: May 2003
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by jlliagre View Post
This is extremely non standard. What was done in the first place for that to happen ?

root's password shouldn't expire.

did you backup the shadow file ?
What was its original content and what is its current one ?
I realize this is extremely non-standard. I work in a non-standard organization that sets security policy and I just implement.

The root's password can expire if you set it to.

I restored the original shadow file to no avail. I believe the policy in the shadow file expired or disabled the accounts. Even after restoring the file, I need a way to tell the OS to restore the accounts.

Has anyone received a bad login error message after entering the user name?
 
Old 09-22-2007, 10:36 PM   #10
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189

Rep: Reputation: 105Reputation: 105
A couple of people have asked for more details. We can't help you unless you can provide them. Give us a step by step of what you did to "secure" the root password. There may also have been some other related things that you did to secure accounts in general. What were they?
 
Old 09-23-2007, 12:56 AM   #11
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris10, Solaris 11, Mint, OL
Posts: 9,506

Rep: Reputation: 360Reputation: 360Reputation: 360Reputation: 360
Definitively true. Many details are missing here.

What was the /etc/shadow root entry looking like before and after the change ?

Are passwordless accounts authorized on this system (PASSREQ in /etc/default/login) ?

Has the /etc/pam.conf been customized ?
 
Old 09-23-2007, 02:15 AM   #12
linux_pioneer
Member
 
Registered: May 2003
Distribution: Solaris 10, Solaris 8.0, Fedora Core 3
Posts: 203

Original Poster
Rep: Reputation: 30
I modified the /etc/shadow. For two users - including root - I modified the 5th and 7th fields in the colon delimited entry. I set the max days for password change to 60 and days after expiration to inactivate account to 30.
username (root):
password (encrypted password):
last password change:
min days for password change:
max days for password change (60):
warn days for password change:
number of days to inactivate account after password expiration (30):
date to disable account

After I booted in single mode from the CD, I cleared these entries along with the password. Still no luck. Before I made these changes I was able to clear the password and set a new one at login. I think Solaris made the accounts inactive due to these settings and I need to figure out how to reactivate them.
 
Old 09-23-2007, 02:23 AM   #13
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris10, Solaris 11, Mint, OL
Posts: 9,506

Rep: Reputation: 360Reputation: 360Reputation: 360Reputation: 360
You failed to properly answer to my first question and you missed the remaining ones ...

It's hard to help without clues.

Another question: what is specified about password in /etc/nsswitch.conf ?
 
  


Reply

Tags
account, password, recovery, root


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
root account expired The helpless one Linux - Newbie 4 03-11-2006 12:27 PM
How to get a list of users with their password status (expired, account locked...)? ricky_ds Linux - General 6 02-28-2005 09:53 AM
root account expired TastyWheat Linux - Security 7 09-14-2004 08:47 AM
My root password has expired. MannaPC Linux - General 4 09-01-2004 02:25 PM
Root account expired, sort of.... rmohn Linux - Security 1 12-10-2002 10:32 AM


All times are GMT -5. The time now is 02:04 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration