Re: How to reset the Linux root pw
Same here. We have automated processes running in VM that send commands to the linux guests. It even enables us to execute commands from within VM without the need for access to the linux guest (especially for guests that are located within the customer network).

Met vriendelijke groet/With kind regards/Mit freundlichen Grüßen,
Berry van Sleeuwen

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@vm.marist.edu] On Behalf Of Leland Lucius
Sent: Saturday, October 04, 2014 11:53 AM
To: LINUX-390@vm.marist.edu
Subject: Re: How to reset the Linux root pw

On 10/4/2014 1:10 AM, Cameron Seay wrote:
> Thanks, Rob. That is the first time anyone suggested an automatic
> root login. Will try it.

We do the same thing and it is well worth setting it up. Not much effort really, just a bit of inittab editing.

Leland

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit http://wiki.linuxvm.org/

Re: How to reset the Linux root pw
On 10/4/2014 1:10 AM, Cameron Seay wrote:
> Thanks, Rob. That is the first time anyone suggested an automatic
> root login. Will try it.

We do the same thing and it is well worth setting it up. Not much effort really, just a bit of inittab editing.

Leland

Re: How to reset the Linux root pw
Thanks, Rob. That is the first time anyone suggested an automatic root login. Will try it.

On Fri, Oct 3, 2014 at 2:27 AM, Rob van der Heij wrote:
> On 3 October 2014 08:07, Cameron Seay wrote:
>
> > Hi:
> >
> > I know how to reset the root password on an x86 machine using single user
> > mode. Is there a way to do that in Linux on VM?
> >
>
> You can shutdown the guest and boot in single user mode by specifying the
> "1" on the kernel parameters: #CP IPL vdev PARM 1
> Or you can shutdown and mount the disk on another server to change the
> /etc/shadow
>
> But root passwords are so 90's ... ;-) We did away with passwords at least
> 10 years ago:
> - have root automatically logged on at the console, so authentication with
> RACF is enough to access it
> - automated business approved processes with root access through managed
> secondary console with logging etc
> - warm bodies authenticate with PKI using a central LDAP store for public
> keys
> - root access through sudo (with logging) for selected users at each
> system as defined in LDAP
>
> Rob

--
Cameron Seay, Ph.D.
Department of Computer Systems Technology
School of Technology
NC A & T State University
Greensboro, NC
336 334 7717 x2251

Re: How to reset the Linux root pw
On Friday, 10/03/2014 at 05:34 EDT, "Smith, Ann (CTO Service Delivery)" wrote:
> But it is useful in DR network where the network is being redesigned by
> customer's network folks.
> The mainframe linux servers may be up before the LDAP servers are fully
> functional (at least those without san).
> The ldap client processes can time out. The local id is used to restart them
> after LDAP available.
> LDAP's not on z.

Why not just use the CMS LDAP client to discover when LDAP is up, and then kick off the startup? Works both at home and away.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

Re: How to reset the Linux root pw
On one account I have a local id (which can sudo to root) to use if the client processes to connect to the LDAP on active directory come down. It has not happened in production network in more than a year. But it is useful in DR network where the network is being redesigned by customer's network folks. The mainframe linux servers may be up before the LDAP servers are fully functional (at least those without san). The ldap client processes can time out. The local id is used to restart them after LDAP available. LDAP's not on z.

Ann Smith

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Alan Altmark
Sent: Friday, October 03, 2014 9:37 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: How to reset the Linux root pw

On Friday, 10/03/2014 at 02:34 EDT, "Pavelka, Tomas" wrote:
> Being curious, how do you deal with situations when LDAP is
> temporarily not
> available?

"The LDAP (or AD) server is down."
"We use LDAP (or AD) for everything except root."

These are just phrases used to scare small children (and security professionals) as Halloween approaches, right?

A resilient infrastructure contains multiple LDAP servers (two per data center, at least) whose databases are replicated. And the System z folks know that at least one LDAP replicant should be on System z so that authentications can take place as soon as System z is up. Excellent for DR since you don't have to wait for the "master" LDAP server to come up. It can take its own sweet time.

Don't forget, the applications authenticate clients, too. If LDAP is unavailable, the apps don't work, so the server isn't doing a whole lot anyway.

But except during server provisioning or a "break glass" emergency, root shouldn't even be logged on. If you have vendor software that requires root, then you need to either choose different software or beat the vendor until they see the light.

In fact, I've got a client who can only access root by going through a "break glass" process that reveals the ever-changing root password. It hasn't been an issue.

And if all else fails, the procedures Rob described are at your disposal if you need to repair something (e.g. a bad LDAP configuration).

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

Re: How to reset the Linux root pw
On Friday, 10/03/2014 at 12:48 EDT, Rob van der Heij wrote:
> Some of this sounds like my aunt who has several copies of her key at
> interesting places outside in the yard, just in case she might forget hers
> and the 3 neighbours are all out of town at the same time...

"Hey. You never know." Sometimes bad things happen to good people. Take all *reasonable* precautions, of course, but you're more likely to get hurt by having root's password in the guest (along with the attendant effort to manage it) than by having all the LDAP servers down at the same time.

Don't be a lemming. "Because we've always done it that way" isn't good enough. There's a reason they always did it that way, but that reason doesn't really apply any more.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

Re: How to reset the Linux root pw
On 3 October 2014 15:37, Alan Altmark wrote:

> And if all else fails, the procedures Rob described are at your disposal
> if you need to repair something (e.g. a bad LDAP configuration).
>

And since someone mailed me about IPL of a "rescue system" - only if that makes you come up with an internal IP address so you don't start an old unpatched system on a public production IP address... Since virtual machines can be made so similar, there's no reason to expose yourself like that.

Some of this sounds like my aunt who has several copies of her key at interesting places outside in the yard, just in case she might forget hers and the 3 neighbours are all out of town at the same time...

Rob

Re: How to reset the Linux root pw
Thanks everyone for the very insightful comments.

Tomas

Re: How to reset the Linux root pw
On Friday, 10/03/2014 at 02:34 EDT, "Pavelka, Tomas" wrote:
> Being curious, how do you deal with situations when LDAP is temporarily not
> available?

"The LDAP (or AD) server is down."
"We use LDAP (or AD) for everything except root."

These are just phrases used to scare small children (and security professionals) as Halloween approaches, right?

A resilient infrastructure contains multiple LDAP servers (two per data center, at least) whose databases are replicated. And the System z folks know that at least one LDAP replicant should be on System z so that authentications can take place as soon as System z is up. Excellent for DR since you don't have to wait for the "master" LDAP server to come up. It can take its own sweet time.

Don't forget, the applications authenticate clients, too. If LDAP is unavailable, the apps don't work, so the server isn't doing a whole lot anyway.

But except during server provisioning or a "break glass" emergency, root shouldn't even be logged on. If you have vendor software that requires root, then you need to either choose different software or beat the vendor until they see the light.

In fact, I've got a client who can only access root by going through a "break glass" process that reveals the ever-changing root password. It hasn't been an issue.

And if all else fails, the procedures Rob described are at your disposal if you need to repair something (e.g. a bad LDAP configuration).

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

Re: How to reset the Linux root pw
Just another comment on this: We've used LDAP for user authentication for the past ten years, and never once has the service been unavailable. Our LDAP system runs two master servers and three replicants, with the clients talking to the replicants. These are spread across several data centers, and never once have all three replicants been down at the same time.

It's all in how you design your LDAP server system.

--
Robert P. Nix | Sr IT Systems Engineer | Data Center Infrastructure Services
507-284-0844 | nix.rob...@mayo.edu
Mayo Clinic | 200 First Street SW | Rochester, MN 55905

On 10/3/14, 1:33 AM, "Pavelka, Tomas" wrote:

>> warm bodies authenticate with PKI using a central LDAP store for public
>> keys
>
> Being curious, how do you deal with situations when LDAP is temporarily
> not available?
>
> Tomas

Re: How to reset the Linux root pw
On 3 October 2014 08:33, Pavelka, Tomas wrote:

> > warm bodies authenticate with PKI using a central LDAP store for public
> > keys
>
> Being curious, how do you deal with situations when LDAP is temporarily
> not available?
>

Would you want users to access your system when you can't authenticate them? The LDAP server runs on the same z/VM system as the other guests so has the same service level or better (we never got to having the keys in the central LDAP service).

If we're talking about fixing a broken server that has been taken out of production, then you'd either
- use the provisioning tools to re-install the platform and application configuration
- link (RACF) and mount the disks in the systems programmer Linux guest
- logon to the 3270 console (RACF) to fix it (or have the terminal server implemented for that)

Rob

Re: How to reset the Linux root pw
> warm bodies authenticate with PKI using a central LDAP store for public keys

Being curious, how do you deal with situations when LDAP is temporarily not available?

Tomas

Re: How to reset the Linux root pw
On 3 October 2014 08:07, Cameron Seay wrote:

> Hi:
>
> I know how to reset the root password on an x86 machine using single user
> mode. Is there a way to do that in Linux on VM?
>

You can shutdown the guest and boot in single user mode by specifying the "1" on the kernel parameters: #CP IPL vdev PARM 1
Or you can shutdown and mount the disk on another server to change the /etc/shadow

But root passwords are so 90's ... ;-) We did away with passwords at least 10 years ago:
- have root automatically logged on at the console, so authentication with RACF is enough to access it
- automated business approved processes with root access through managed secondary console with logging etc
- warm bodies authenticate with PKI using a central LDAP store for public keys
- root access through sudo (with logging) for selected users at each system as defined in LDAP

Rob
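
Added example (not part of the thread and not any poster's code): a check for the end state the thread argues for, in which no account in the guest, root included, can log in with a local password apart from an explicitly named fallback id such as the local id described in one reply. It assumes "no root password" is implemented by locking the password field in /etc/shadow, which the thread does not spell out; the sample entries and account names are constructed.

```python
# Audit /etc/shadow-format text for accounts that still accept a local password.
# Assumption: a "passwordless" guest keeps every password field locked
# ('!' or '*' prefix); sample entries below are constructed, not real hashes.

SAMPLE_SHADOW = """\
root:!:16346:0:99999:7:::
daemon:*:16000:0:99999:7:::
breakglass:$6$CONSTRUCTEDSALT$constructedhashvalue:16346:0:99999:7:::
appsvc::16346:0:99999:7:::
olduser:!$6$CONSTRUCTEDSALT$constructedhashvalue:16000:0:99999:7:::
"""


def classify(pw_field):
    """Return the login state implied by the second shadow field."""
    if pw_field == "":
        return "empty"      # no password needed at all: worst case
    if pw_field[0] in "!*":
        return "locked"     # no password login possible (hash may follow '!')
    return "password"       # a usable password hash is present


def audit_shadow(text):
    """Map each account name to 'locked', 'password' or 'empty'."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:  # shadow(5) entries have exactly nine fields
            raise ValueError(f"line {lineno}: not a shadow entry")
        findings[fields[0]] = classify(fields[1])
    return findings


def violations(findings, allowed=()):
    """Accounts that accept a local password and are not approved exceptions."""
    return sorted(
        user for user, state in findings.items()
        if state != "locked" and user not in allowed
    )


if __name__ == "__main__":
    result = audit_shadow(SAMPLE_SHADOW)
    for user, state in result.items():
        print(f"{user:12} {state}")
    # 'breakglass' is the one approved local fallback id in this sample
    print("violations:", violations(result, allowed=("breakglass",)))
```

Run against a copy of a guest's shadow file, an empty field is the finding to fix first, since it allows login with no credential at all.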