SUMMARY: password ageing, what happens if password is expired

From: Eric Voisard (evoisard@atisuher.ch)
Date: Tue Apr 06 2004 - 05:53:13 EDT


Hi All,

Thanks to the many people who answered me!
When I jumped to the list to ask my question, I was back from work in the
evening, panicked, exhausted and without a solution. It was great to just
drop a message to the list and go to bed, and the next day go back to the
customer's site, fully confident with all the information you provided to
me! Thanks again!

First, I must say that the server I was trying to log in to has a monitor,
but it was defective. So I made a telnet session and then tried to 'su' to
root, which failed.

Because the /etc/default/login file has the CONSOLE=/dev/console variable
set, root can only access the system from the console and will not be able
to log in directly through a remote telnet session, for instance. One has to
be on the console of the machine to get in. Telnetting as another user and
then 'su root' will simply fail without a possibility of changing the
password.

So, with the defective graphic display there, I had to connect and log in as
root through the serial port. Then the system informed me that the root
password was expired and I was immediately prompted to enter a new one.

If there is no console connection available, then one should change it
before it expires!
If the root password is lost, then one can boot from cdrom (single user
mode), mount the disk and edit /etc/shadow to remove the password entry.

To set the passwords to not expire, the /etc/default/passwd file must be
edited, and the two variables below left blank.

MAXWEEKS=
MINWEEKS=

The new values (null here) will take effect on the next password change of
root (or any user).

Some more information:

3. Login/password administration

         - Define password/user characteristics in /etc/default/passwd,
           /etc/default/login, /etc/default/su (SUNOS5.x)
                 - Minimum requirements (defined in
                   /etc/default/passwd):
                         - MAXWEEKS=12
                         - MINWEEKS
                         - PASSLENGTH=6
                 - Set minimum default values for admintool fields
                   used when adding a user (SUNOS5.x)
                         - login=true
                         - su=false
                         - daemon=true
                         - rlogin=false
                         - sugroups=ALL
                         - ttys=ALL
                         - umask=027
                         - expire=0
         - Enable maximum password age:
                 /usr/bin/passwd -x #days username (SunOS 4.x)
         - Enable minimum passwd age:
                 /usr/bin/passwd -n #days username (SunOS 4.x)
         - Immediately expire a user password:
                 /usr/bin/passwd -e user (SunOS 4.x)
         - Display Password aging info:
                 /usr/bin/passwd -d user (SunOS 4.x)
                 /usr/bin/passwd -d -a (SunOS 4.x)

Original message:

>I've been away from a Sun system for a while, and now that I'm back I've
>no more root access to it...
>
>We gave the root password to people there and it's possible they changed
>it, I still don't know. But as I know the password was close to expiring,
>I'm wondering what occurs on a Solaris system when a password expires
>but nobody is there to change it in time. Is the account blocked, or
>does the system simply ask for changing it as soon as the user logs in again?
>
>In the event of the root password having been blocked, how to get it back?
>By logging in from the serial console? (I had to time for checking this in
>situ now)
>
>And how to get rid of the password ageing feature. From what I've read,
>putting:
>
>MAXWEEKS=
>MINWEEKS=
>
>(without any value) in /etc/default/passwd was enough. Is it true or does
>something else have to be done?...

Eric
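
To act on the advice above about changing a password before it expires, here is an added example (not part of the original post) that reads shadow-format entries and reports each account's ageing state. It assumes the standard shadow layout (field 3 = last change in days since 1970-01-01, field 5 = maximum age in days) and a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris); the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is in days since 1970-01-01; max is the maximum age in days.

# age_report TODAY_DAYS [WARN_DAYS]  (reads shadow entries on stdin)
# Prints "name state [days_left]" where state is one of:
#   never        no ageing configured (max or lastchg empty, or max negative)
#   must-change  lastchg is 0: a change is forced at the next login
#   expired      lastchg + max is already in the past
#   expiring     expiry falls within WARN_DAYS (default 14)
#   ok           anything else
age_report() {
    awk -F: -v today="$1" -v warn="${2:-14}" '
        $1 == "" || /^#/ { next }
        {
            if ($5 == "" || $5 + 0 < 0 || $3 == "") { print $1, "never"; next }
            if ($3 + 0 == 0) { print $1, "must-change"; next }
            left = $3 + $5 - today
            if (left < 0)          state = "expired"
            else if (left <= warn) state = "expiring"
            else                   state = "ok"
            print $1, state, left
        }'
}

# Constructed sample entries with placeholder hashes; max=84 days
# corresponds to MAXWEEKS=12. Not taken from any real system.
sample_shadow() {
    cat <<'EOF'
root:x:12420:0:84:7:::
alice:x:12440:0:84:7:::
bob:x:12500::::::
carol:x:0:0:84:7:::
dave:x:12510:0:84:7:::
EOF
}

# Demo: day 12514 is 2004-04-06. On a live system, pass the current day
# number and redirect stdin from /etc/shadow (requires root).
sample_shadow | age_report 12514
```

Run from cron with a mail step, this gives warning while a remote session can still be used to change the password, instead of needing console access after expiry.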