Unix

  • root passwd expired

    7 answers - 989 bytes

    Thank you very much this worked for me. when I tried logging in from the
    console including the password. An xterm window appeared and prompted me
    for the new password.
    Joan
    Message
    From: sunhelp-bounces (AT) sunhelp (DOT) org [mailto:sunhelp-bounces (AT) sunhelp (DOT) org]
    Behalf Steve Sandau
    Sent: Tuesday, November 29, 2005 2:10 PM
    To: The SunHELP List
    Subject: Re: [SunHELP] root passwd expired
    This has never happened: is there any way I can reset root's password with
    booting from a cdrom?
    I have been able to fix this with a console session. I believe that is
    the only way you can log in with an expired root password. I suppose you
    could boot from CD, mount your current root filesystem, and remove the
    encrypted root password from /etc/shadow, but I have never tried that.
    Steve
    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org
  • No.1 | | 1542 bytes | |

    This is a good reason to have sudo installed and configured can
    always execute "sudo passwd root" if you have the ability to do "su -"
    under sudo.

    sudo is a stock package in Sol 9 and above, so it's an easy failsafe.

    We've set up a cron job to email us 5 days before root password
    expiration, due to the expiration causing administrative cron jobs
    to stop running.

    =Nadine=

    11/29/05, Grindell, Joan M. <GrindellJ (AT) sec (DOT) gov> wrote:
    Thank you very much this worked for me. when I tried logging in from the
    console including the password. An xterm window appeared and prompted me
    for the new password.

    Joan

    Message
    From: sunhelp-bounces (AT) sunhelp (DOT) org [mailto:sunhelp-bounces (AT) sunhelp (DOT) org]
    Behalf Steve Sandau
    Sent: Tuesday, November 29, 2005 2:10 PM
    To: The SunHELP List
    Subject: Re: [SunHELP] root passwd expired

    This has never happened: is there any way I can reset root's password with
    booting from a cdrom?
    --
    I have been able to fix this with a console session. I believe that is
    the only way you can log in with an expired root password. I suppose you
    could boot from CD, mount your current root filesystem, and remove the
    encrypted root password from /etc/shadow, but I have never tried that.

    Steve

    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org

  • No.2 | | 1964 bytes | |

    So, 'sudo passwd root' will work within an ssh or telnet session with an
    expired password? I thought I remembered that 'su -' failed. there's a
    difference?

    Steve

    velociraptor wrote:
    This is a good reason to have sudo installed and configured can
    always execute "sudo passwd root" if you have the ability to do "su -"
    under sudo.

    sudo is a stock package in Sol 9 and above, so it's an easy failsafe.

    We've set up a cron job to email us 5 days before root password
    expiration, due to the expiration causing administrative cron jobs
    to stop running.

    =Nadine=

    11/29/05, Grindell, Joan M. <GrindellJ (AT) sec (DOT) gov> wrote:

    >>Thank you very much this worked for me. when I tried logging in from the
    >>console including the password. An xterm window appeared and prompted me
    >>for the new password.
    >>
    >>Joan
    >>

    >Message
    >>From: sunhelp-bounces (AT) sunhelp (DOT) org [mailto:sunhelp-bounces (AT) sunhelp (DOT) org]
    >>Behalf Steve Sandau
    >>Sent: Tuesday, November 29, 2005 2:10 PM
    >>To: The SunHELP List
    >>Subject: Re: [SunHELP] root passwd expired
    >>
    >>

    This has never happened: is there any way I can reset root's password with
    booting from a cdrom?

    >>
    >>I have been able to fix this with a console session. I believe that is
    >>the only way you can log in with an expired root password. I suppose you
    >>could boot from CD, mount your current root filesystem, and remove the
    >>encrypted root password from /etc/shadow, but I have never tried that.
    >>
    >>Steve


    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org
  • No.3 | | 1179 bytes | |

    11/29/05, Steve Sandau <ssandau (AT) gwi (DOT) net> wrote:
    So, 'sudo passwd root' will work within an ssh or telnet session with an
    expired password? I thought I remembered that 'su -' failed. there's a
    difference?

    Assuming that your sudo privs are set to: ALL = (ALL) ALL

    I could test with a more limited set (toss me an example) if you like;
    I have lab boxes I can fiddle with.

    I used this two weeks ago when we got burned by root password
    expiration on a few of our Solaris 8 & 9 servers the comments
    about the cron job as well. :-/ Sysadmin->bullet->foot.

    I have to say that I have been quite tempted to make root "*NP*" on
    the Solaris 9 boxes and then just install public keys for each of us
    that have to admin the boxes, but I know that on some bloody
    horror story day I'd regret that choice.

    Anyone have any other suggestion for avoiding the issue other than
    making root not expire at all? Does anyone know if Solaris 10 root
    cron jobs stop working if the root password expires?

    =Nadine=

    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org
  • No.4 | | 2637 bytes | |

    velociraptor wrote:
    11/29/05, Steve Sandau <ssandau (AT) gwi (DOT) net> wrote:

    >>So, 'sudo passwd root' will work within an ssh or telnet session with an
    >>expired password? I thought I remembered that 'su -' failed. there's a
    >>difference?
    >>


    Assuming that your sudo privs are set to: ALL = (ALL) ALL

    I could test with a more limited set (toss me an example) if you like;
    I have lab boxes I can fiddle with.

    No specific example. Last couple of times I have just done the console
    thing. other time I had a problem someone else added a user and
    changed the word 'root' in /etc/shadow to 'Root' (you know, down arrow
    or something changes the case of letters sometimes in vi on Solaris).

    That one nothing would fix short of a CDROM boot. (Actually didn't have
    a CDROM drive since someone hid it on me. Had to take the damn drive
    out, put it in another box, run devfsadm to get it recognized, mount the
    partition and edit the shadow file.)

    I used this two weeks ago when we got burned by root password
    expiration on a few of our Solaris 8 & 9 servers the comments
    about the cron job as well. :-/ Sysadmin->bullet->foot.

    We now have a console server so I can get to the console and avoid stuff
    like this.

    I have to say that I have been quite tempted to make root "*NP*" on
    the Solaris 9 boxes and then just install public keys for each of us
    that have to admin the boxes, but I know that on some bloody
    horror story day I'd regret that choice.

    I'd rather not have anyone logging in directly as root on the boxes I
    admin. In fact, I think the "rules" may forbid that expressly.

    Anyone have any other suggestion for avoiding the issue other than
    making root not expire at all? Does anyone know if Solaris 10 root
    cron jobs stop working if the root password expires?

    thing I have done is write on the calendar the next time we need to
    change the root password. I guess you could set up a cron to email you
    once every password-change-period or something like that. Maybe I'll
    look into that: an email when the password expiration is 10 days away or
    something.

    to be able to compare the third field in /etc/shadow (last change
    in days since the epoch) with today's date in the same format and send
    an alert if it is greater than a certain number.

    Steve

    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org
  • No.5 | | 569 bytes | |

    11/30/05, Sheldon T. Hall <shel (AT) tandem (DOT) artell.net> wrote:
    Nadine says

    Anyone have any other suggestion for avoiding the issue other than
    making root not expire at all?

    Lemme ask that another way Why have root's password expire at all?
    What benefit do you get from root password expiration?

    I hear you, but I wasn't involved in the policy decision. :-/ There are some
    fights with $clients you just don't want to start.

    =Nadine=

    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org
  • No.6 | | 1413 bytes | |

    11/30/05, Steve Sandau <ssandau (AT) gwi (DOT) net> wrote:
    We now have a console server so I can get to the console and avoid stuff
    like this.

    Graphical or serial? Can anyone confirm that it will work on the latter?
    I do not believe in heads and keyboards on Suns.

    I have to say that I have been quite tempted to make root "*NP*" on
    the Solaris 9 boxes and then just install public keys for each of us
    that have to admin the boxes, but I know that on some bloody
    horror story day I'd regret that choice.

    I'd rather not have anyone logging in directly as root on the boxes I
    admin. In fact, I think the "rules" may forbid that expressly.

    Sometimes you have to though, depending on what's going on with
    the box. <knocks wood> Haven't had but a couple of those here.

    thing I have done is write on the calendar the next time we need to
    change the root password. I guess you could set up a cron to email you
    once every password-change-period or something like that. Maybe I'll
    look into that: an email when the password expiration is 10 days away or
    something.

    That's what we are doing now. Quite easy with a shell script if you have
    Gnu tools installed, with base Solaris, the only method we found was
    with Perl.

    =Nadine=

    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org
  • No.7 | | 2015 bytes | |

    >We now have a console server so I can get to the console and avoid
    >stuff like this.


    Graphical or serial? Can anyone confirm that it will work on the
    latter? I do not believe in heads and keyboards on Suns.

    Cyclades serial console server (actually runs embedded Linux) that is
    accessible over the network. Yes, you can change root password there; it
    is just a serial connection as far as the S knows.

    I have to say that I have been quite tempted to make root "*NP*"
    on the Solaris 9 boxes and then just install public keys for each
    of us that have to admin the boxes, but I know that on some
    bloody horror story day I'd regret that choice.
    >
    >I'd rather not have anyone logging in directly as root on the boxes
    >I admin. In fact, I think the "rules" may forbid that expressly.


    Sometimes you have to though, depending on what's going on with the
    box. <knocks wood> Haven't had but a couple of those here.

    To log in as root you need to be on the console with our machines, but a
    root login is available nonetheless.


    >thing I have done is write on the calendar the next time we
    >need to change the root password. I guess you could set up a cron
    >to email you once every password-change-period or something like
    >that. Maybe I'll look into that: an email when the password
    >expiration is 10 days away or something.


    That's what we are doing now. Quite easy with a shell script if you
    have Gnu tools installed, with base Solaris, the only method we found
    was with Perl.

    Yes, I noticed that the Solaris 'date' command does not take +%s like
    gnu date does.

    , and expiring the root password gives us the advantage of obeying the
    DN rules as implemented here.

    Steve

    SunHELP maillist - SunHELP (AT) sunhelp (DOT) org
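
The expiry check discussed in the thread (compare the third field of /etc/shadow, last change in days since the epoch, against today's date and mail a warning from cron), as an added example that is not code from any of the posters. It assumes a POSIX shell, Perl as the fallback where `date +%s` is unsupported, `mailx` for delivery, and that an empty or non-numeric aging field means the password does not expire; the function names and the `--cron` flag are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): warn before root's password expires.
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is in days since 1970-01-01; max is the maximum password age in days.

# Days since the epoch. Where date(1) has no +%s, fall back to Perl.
today_days() {
    secs=$(date +%s 2>/dev/null)
    case "$secs" in
        ''|*[!0-9]*) perl -e 'print int(time / 86400), "\n"' ;;
        *) echo $((secs / 86400)) ;;
    esac
}

# days_left SHADOW_LINE TODAY -> days until expiry, or "never" if aging is off.
# read (not "set --") splits the line, so a hash like *NP* is never glob-expanded.
days_left() {
    printf '%s\n' "$1" | {
        IFS=: read -r _name _hash lastchg _min max _rest
        case "$lastchg:$max" in
            :*|*:|*[!0-9:]*) echo never ;;   # assumption: empty/non-numeric = no aging
            *) echo $((lastchg + max - $2)) ;;
        esac
    }
}

# warn_needed SHADOW_FILE WARN_DAYS TODAY -> prints a message and returns 0 when
# root's password expires (or has expired) within WARN_DAYS; returns 1 otherwise.
warn_needed() {
    line=$(grep '^root:' "$1") || return 1
    left=$(days_left "$line" "$3")
    [ "$left" = never ] && return 1
    [ "$left" -le "$2" ] || return 1
    echo "root password on $(uname -n) expires in $left day(s)"
}

# Cron use (run as root, since /etc/shadow is readable only by root):
#   0 6 * * * /path/to/this-script --cron
if [ "${1:-}" = "--cron" ]; then
    msg=$(warn_needed /etc/shadow 10 "$(today_days)") &&
        echo "$msg" | mailx -s "root password expiry" root
fi
```

A negative day count means the password has already expired, which is the state that stopped the cron jobs described above, so the warning still fires in that case.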
