Re: Root Password

2009-02-26 Thread John Summerfield

Shockley, Gerard C wrote:

> sudo su -
>
> gives an authorized user a root shell prompt.

I wasn't talking about authorised users.

> Then type passwd
>
> you will be prompted for your "new" passwd. Not the old one.
>
> All set after that.

Basically, that's why use of sudo has to be planned very carefully.



--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
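
Added example, not part of any post in this thread: a small audit of sudoers-style rules that reports which entries amount to the root shell or root password reset described above, and whether they are granted without a password. The sample rules and user names are constructed, and the parser covers only plain user specifications (aliases are not expanded).

```python
import posixpath
import re

SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
# Lines that are not user specifications and are skipped by this simplified parser.
SKIP = re.compile(r"^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias|@include)")
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<spec>.+)$")
# One entry of the command list: optional (runas), optional TAG: prefixes, then the command.
ITEM = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.*)$")
SU_ROOT_ARGS = {"", "-", "-l", "root", "- root", "-l root"}


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def runs_as_root(runas):
    """True when the runas list can select root; the sudoers default target is root."""
    if runas is None:
        return True
    users = {u.strip() for u in runas.split(":")[0].split(",")}
    return bool(users & {"root", "ALL"})


def audit(text):
    """Return (who, command, reason, nopasswd) for every root-equivalent grant."""
    findings = []
    for line in logical_lines(text):
        rule = None if SKIP.match(line) else RULE.match(line)
        if not rule:
            continue
        runas, nopasswd = None, False
        for item in re.split(r"(?<!\\),", rule["spec"]):
            part = ITEM.match(item.strip())
            # Runas and tags carry over to later commands in the same list.
            if part["runas"] is not None:
                runas = part["runas"]
            if "NOPASSWD:" in part["tags"]:
                nopasswd = True
            elif "PASSWD:" in part["tags"]:
                nopasswd = False
            cmd = part["cmd"].strip()
            if not cmd or cmd.startswith("!") or not runs_as_root(runas):
                continue
            path, _, args = cmd.partition(" ")
            name = posixpath.basename(path)
            if cmd == "ALL":
                reason = "any command as root"
            elif name in SHELLS or (name == "su" and args.strip() in SU_ROOT_ARGS):
                reason = "root shell"
            elif name == "passwd" and not args:
                # No argument restriction: "passwd root" is allowed.
                reason = "can reset root's password"
            else:
                continue
            findings.append((rule["who"], cmd, reason, nopasswd))
    return findings


# Constructed sample, not taken from any real host.
SAMPLE = """\
# constructed sample
Defaults env_reset
Cmnd_Alias BACKUP = /usr/bin/rsync
root      ALL=(ALL) ALL
%wheel    ALL=(ALL) ALL
opsuser   ALL=(root) NOPASSWD: /bin/su -
helpdesk  ALL=(root) /usr/bin/passwd
helpdesk2 ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
dba       ALL=(oracle) /bin/bash
backup    ALL=(root) NOPASSWD: BACKUP, \\
          /usr/bin/tar
"""

if __name__ == "__main__":
    for who, cmd, reason, nopasswd in audit(SAMPLE):
        note = " (no password asked)" if nopasswd else ""
        print(f"{who}: {cmd} -> {reason}{note}")
```
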


Re: Root Password

2009-02-26 Thread John Summerfield

Andrej wrote:

> 2009/2/24 John Summerfield :
>
>> Windows is a little more difficult, I need a Linux boot disk and the
>> right program, and if it's a domain controller there's another trick
>> after that.
>
> I can assure you that w/o a boot disk, and a second-stage password
> entered after login for an encrypted file-system you won't be touching
> any important data on any of my Linux machines.  Of course, for servers
> that need to do their job after an unattended reboot that's not feasible.

I suspect encryption isn't going to be popular amongst those who don't
have a good reason to hide their stuff, and is likely to be a rule much
infringed amongst those who do. Is anyone tracking accidental release of
private information on laptops, CDs, USB disks and even hard disks that
are lost or disposed of without proper care?

I have a laptop whose internal evidence identifies its previous owner
(an insurance company) and activities of its user (either a travel
clerk or someone who spent _a lot_ of time planning holidays), and a
desktop previously owned by an education dept. A couple of Pentium IVs
previously owned by a consultancy with an intact installation of Windows XP.

One individual was planning on using the CPU serial number to encrypt
his data.

--

Cheers
John



Re: Root Password

2009-02-26 Thread John Summerfield

Erik N Johnson wrote:

> John,
>
> Does it make any difference at all whether I can easily gain control
> of a Windows box with physical access?  Since I can VERY easily gain
> control of most Windows boxes over any old network they happen to be

I don't think you can so easily get control of users' computers I manage:-)

Most (82 % or so I read recently) problems on Windows boxes arise
because users use administrator accounts for daily tasks. If you've
installed Windows XP, even up to SP3, recently you will find it easy to
see why they would. Very likely without passwords.

I don't use Windows a lot. However, I don't use admin accounts for
regular use, I take some care about where I get my software, and I don't
engage in filesharing. I also don't use AV software.

> connected to?  I contend that physical security is a MUCH simpler
> problem to solve than network security.  How does OpenBSD stand up to
> a physical attack?

I've never even installed OpenBSD. I've had a quick look at FreeBSD.

My first try would be alternative boot media, same as works with Windows.

> Erik Johnson
>
> On Mon, Feb 23, 2009 at 5:37 PM, John Summerfield
>  wrote:
>> Ivan Warren wrote:
>>>
>>> John Summerfield wrote:
>>>>
>>>> This is what I would do, and why I reckon Linux security to be so
>>>> feeble[1]. One does need to know the commands to mount needed
>>>> filesystems.
>>>>
>>>> [1]Give me your disk or physical access to your computer, and not even
>>>> your boot-time password's enough.
>>>>
>>> Hmm.. Even boot-time controled whole disk encryption ?
>>
>> May depend on where the key is:-) And, I'd need time for research.
>>
>>>
>>> Then again.. besides from the above example, it's pretty much true for
>>> any system (not only linux)..
>>
>> Windows is a little more difficult, I need a Linux boot disk and the
>> right program, and if it's a domain controller there's another trick
>> after that.
>>
>> Which reminds me, I still have a fight to win against OS X.





--

Cheers
John



Re: Root Password

2009-02-26 Thread John Summerfield

Ivan Warren wrote:

> Mark Post wrote:
>
>> Of course the kernel did understand the init= parameter.  Getting it
>> passed to the kernel at boot time is the issue, and I'm not sure the
>> s390-tools did it, that far back in time.
>
> That's where I'm surprised here..
>
> Kernel parameters to the bootloader is just.. a blob !
>
> A kernel loader may doctor the kernel parm 'blob' (in order to insert
> some specific understood parm).. but it shouldn't change/alter/interpret
> arbitrary kernel parms specified.
>
> For example, in zipl, if in my parm file, I specify "foo=bar", then
> "foo=bar" is passed to my kernel.. no matter what version of zipl I
> use.. whether my custom kernel understands the "foo" parameter is none
> of zipl's business !

As I understand it, earlier versions of zipl didn't allow boot-time
overrides, and in its easer forms one needs to be able to change
boot-time parameters to get init= in.

Also, it used to be possible to boot the kernel without a boot loader.
That went out in RHL about when the kernel became too big to fit on a
1.4 Mbyte floppy.



--

Cheers
John



Re: Root Password

2009-02-25 Thread Shockley, Gerard C
 sudo su - 

 gives an authorized user a root shell prompt.

 Then type passwd 

 you will be prompted for your "new" passwd. Not the old one. 

 All set after that.

 :// Gerard 
  



Re: Root Password

2009-02-24 Thread Andrej
2009/2/24 John Summerfield :
> Windows is a little more difficult, I need a Linux boot disk and the
> right program, and if it's a domain controller there's another trick
> after that.
I can assure you that w/o a boot disk, and a second-stage password
entered after login for an encrypted file-system you won't be touching
any important data on any of my Linux machines.  Of course, for servers
that need to do their job after an unattended reboot that's not feasible.

But then that's the case for M$ machines as well...


> --
>
> Cheers
> John
Cheers,
Andrej



Re: Root Password

2009-02-24 Thread Erik N Johnson
John,

Does it make any difference at all whether I can easily gain control
of a Windows box with physical access?  Since I can VERY easily gain
control of most Windows boxes over any old network they happen to be
connected to?  I contend that physical security is a MUCH simpler
problem to solve than network security.  How does OpenBSD stand up to
a physical attack?

Erik Johnson

On Mon, Feb 23, 2009 at 5:37 PM, John Summerfield
 wrote:
> Ivan Warren wrote:
>>
>> John Summerfield wrote:
>>>
>>> This is what I would do, and why I reckon Linux security to be so
>>> feeble[1]. One does need to know the commands to mount needed
>>> filesystems.
>>>
>>> [1]Give me your disk or physical access to your computer, and not even
>>> your boot-time password's enough.
>>>
>> Hmm.. Even boot-time controled whole disk encryption ?
>
> May depend on where the key is:-) And, I'd need time for research.
>
>>
>> Then again.. besides from the above example, it's pretty much true for
>> any system (not only linux)..
>
> Windows is a little more difficult, I need a Linux boot disk and the
> right program, and if it's a domain controller there's another trick
> after that.
>
> Which reminds me, I still have a fight to win against OS X.
>
>
>
>


Re: Root Password

2009-02-23 Thread Ivan Warren

Mark Post wrote:

> Of course the kernel did understand the init= parameter.  Getting it passed to
> the kernel at boot time is the issue, and I'm not sure the s390-tools did it,
> that far back in time.



That's where I'm surprised here..

Kernel parameters to the bootloader is just.. a blob !

A kernel loader may doctor the kernel parm 'blob' (in order to insert
some specific understood parm).. but it shouldn't change/alter/interpret
arbitrary kernel parms specified.

For example, in zipl, if in my parm file, I specify "foo=bar", then
"foo=bar" is passed to my kernel.. no matter what version of zipl I
use.. whether my custom kernel understands the "foo" parameter is none
of zipl's business !

--Ivan



Re: Root Password

2009-02-23 Thread Ivan Warren

John Summerfield wrote:

> Windows is a little more difficult, I need a Linux boot disk and the
> right program, and if it's a domain controller there's another trick
> after that.
>
> Which reminds me, I still have a fight to win against OS X.


And then again..

It also depends whether you are trying to access the data on the
offending system or trying to IPL/boot it with its original OS..

--Ivan



Re: Root Password

2009-02-23 Thread Mark Post
>>> On 2/23/2009 at  6:36 PM, Ivan Warren  wrote: 

> And if the kernel shipped with SLES 7.2 doesn't understand 'init=', then
> it can't be used (regardless of the boot loader).

Of course the kernel did understand the init= parameter.  Getting it passed to 
the kernel at boot time is the issue, and I'm not sure the s390-tools did it, 
that far back in time.


Mark Post



Re: Root Password

2009-02-23 Thread John Summerfield

Ivan Warren wrote:

> John Summerfield wrote:
>
>> This is what I would do, and why I reckon Linux security to be so
>> feeble[1]. One does need to know the commands to mount needed
>> filesystems.
>>
>> [1]Give me your disk or physical access to your computer, and not even
>> your boot-time password's enough.
>
> Hmm.. Even boot-time controled whole disk encryption ?

May depend on where the key is:-) And, I'd need time for research.

> Then again.. besides from the above example, it's pretty much true for
> any system (not only linux)..

Windows is a little more difficult, I need a Linux boot disk and the
right program, and if it's a domain controller there's another trick
after that.

Which reminds me, I still have a fight to win against OS X.




--

Cheers
John



Re: Root Password

2009-02-23 Thread Ivan Warren

John Summerfield wrote:

> For completeness for the ignorant, whether that option is available
> depends on the boot loader, not on Linux. Since the choice of bootloader
> depends on the platform, translating Mark's reply to other platform is
> risky.


Excusez moi ?

understanding the 'init=' boot kernel parameter *IS* dependent on the
kernel understanding this particular parameter and NOT the bootloader
understanding what it means! The bootloader is responsible to pass the
kernel parameters to the kernel... *NOT* to understand their semantics !

And the 'init=' is relevant to the kernel since it is the kernel that
will spawn the 1st user mode process (aka : init).. And being able to
indicate which binary executable to run (instead of the default.. which
has evolved over time - but was originally - believe it or not -
/etc/init !) for this user mode process *IS* the responsibility of the
kernel (and not the boot loader - which only responsibility - for a
linux bootloader - is to 1) load the kernel, 2) invoke the kernel 3)
with indications of what the initialization parameters are)

And if the kernel shipped with SLES 7.2 doesn't understand 'init=', then
it can't be used (regardless of the boot loader).. Of course, it should
*ALWAYS* understand 'root=' !..

So just prop in a custom made root filesystem (with its own init -
which may allow the person in control of the console to use a shell) - a
kernel that knows how to mount the root filesystem of the broken
system.. do whatever needs to be done then.. and you're done !

--Ivan
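
Added example, not part of Ivan's message: since the kernel, not the boot loader, acts on 'init=', a host can check after the fact whether it was booted with an init override by parsing its own command line the way the kernel does. The sample command lines and the shell-name list are constructed assumptions; `/proc/cmdline` is read only if present.

```python
import posixpath

# Basenames treated as interactive shells (assumption: extend for your estate).
SHELLS = {"sh", "bash", "dash", "ash", "ksh", "zsh", "csh", "tcsh", "busybox"}


def split_cmdline(cmdline):
    """Split on whitespace; double quotes protect spaces (quotes are dropped)."""
    args, cur, in_quote = [], [], False
    for ch in cmdline.strip():
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def effective_overrides(cmdline):
    """Return the init= and rdinit= values the kernel would act on (None if absent)."""
    found = {"init": None, "rdinit": None}
    for arg in split_cmdline(cmdline):
        if arg == "--":
            break  # everything after "--" is argv for init, not a kernel parameter
        key, sep, value = arg.partition("=")
        if sep and key in found:
            found[key] = value  # a later occurrence replaces an earlier one
    return found


def assess(cmdline):
    """List (parameter, path, verdict) for each override present on the command line."""
    findings = []
    for key, value in effective_overrides(cmdline).items():
        if value is None:
            continue
        verdict = "shell" if posixpath.basename(value) in SHELLS else "non-default"
        findings.append((key, value, verdict))
    return findings


def running_cmdline(path="/proc/cmdline"):
    """Command line of the running kernel, or None where /proc is unavailable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample command lines, not captured from any real system.
SAMPLES = [
    "root=/dev/dasda1 ro",
    "root=/dev/dasda1 ro init=/bin/bash",
    "root=/dev/dasda1 init=/sbin/init init=/bin/sh",
    "root=/dev/dasda1 ro -- init=/bin/bash",
    'root=/dev/dasda1 foo="a b" init=/usr/lib/systemd/systemd',
]

if __name__ == "__main__":
    current = running_cmdline()
    for line in SAMPLES + ([current] if current else []):
        print(assess(line) or "no init override", "<-", line.strip())
```
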



Re: Root Password

2009-02-23 Thread John Summerfield

Mark Post wrote:

> On 2/23/2009 at  1:07 PM, Jack Woehr  wrote:
>
> -snip-
>
>> http://www.linuxquestions.org/questions/linux-software-2/forgot-password-suse-linux-10-434891/
>>
>> "And there's also the (easiest) option of booting with "init=/bin/bash"
>> which lets you become root ..."
>
> I'm pretty sure that option wasn't available that far back.


For completeness for the ignorant, whether that option is available
depends on the boot loader, not on Linux. Since the choice of bootloader
depends on the platform, translating Mark's reply to other platform is
risky.

Time to evaluate the SLES 10 starter system.



--

Cheers
John



Re: Root Password

2009-02-23 Thread Ivan Warren

John Summerfield wrote:

> This is what I would do, and why I reckon Linux security to be so
> feeble[1]. One does need to know the commands to mount needed
> filesystems.
>
> [1]Give me your disk or physical access to your computer, and not even
> your boot-time password's enough.


Hmm.. Even boot-time controled whole disk encryption ?

Then again.. besides from the above example, it's pretty much true for
any system (not only linux)..

--Ivan



Re: Root Password

2009-02-23 Thread John Summerfield

Jack Woehr wrote:

> Kittendorf, Craig X. wrote:
>
>> Hi,
>>
>> I just started back at a shop with SuSE 7.2 installed in an LPAR on a
>> z10 and no experienced sysadmin.  The root password was changed and no
>> one knows what it is.  We do not have VM, another Linux LPAR, or the
>> installation materials.  Is there a way to resolve this?
>
> http://www.linuxquestions.org/questions/linux-software-2/forgot-password-suse-linux-10-434891/
>
> "And there's also the (easiest) option of booting with "init=/bin/bash"
> which lets you become root ..."


This is what I would do, and why I reckon Linux security to be so
feeble[1]. One does need to know the commands to mount needed filesystems.

[1]Give me your disk or physical access to your computer, and not even
your boot-time password's enough.




--

Cheers
John



Re: Root Password

2009-02-23 Thread Gibney, Dave
   This may sound really off the wall, but what is ZZSA's opinion of
zLinux DASD? Could it be used to "zap" the root password?

Dave Gibney
Information Technology Services
Washington State University


> -Original Message-
> From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of
> Mark Post
> Sent: Monday, February 23, 2009 10:34 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: Root Password
> 
> >>> On 2/23/2009 at  1:07 PM, Jack Woehr  wrote:
> -snip-
> > http://www.linuxquestions.org/questions/linux-software-2/forgot-password-suse-linux-10-434891/
> >
> > "And there's also the (easiest) option of booting with "init=/bin/bash"
> > which lets you become root ..."
> 
> I'm pretty sure that option wasn't available that far back.
> 
> 
> Mark Post
> 


Re: Root Password

2009-02-23 Thread Mark Post
>>> On 2/23/2009 at  1:07 PM, Jack Woehr  wrote: 
-snip-
> http://www.linuxquestions.org/questions/linux-software-2/forgot-password-suse-linux-10-434891/
> 
> "And there's also the (easiest) option of booting with "init=/bin/bash"
> which lets you become root ..."

I'm pretty sure that option wasn't available that far back.


Mark Post



Re: Root Password

2009-02-23 Thread Jack Woehr

Kittendorf, Craig X. wrote:

> Hi,
>
> I just started back at a shop with SuSE 7.2 installed in an LPAR on a
> z10 and no experienced sysadmin.  The root password was changed and no
> one knows what it is.  We do not have VM, another Linux LPAR, or the
> installation materials.  Is there a way to resolve this?


http://www.linuxquestions.org/questions/linux-software-2/forgot-password-suse-linux-10-434891/

"And there's also the (easiest) option of booting with "init=/bin/bash"
which lets you become root ..."

--
Jack J. Woehr# I run for public office from time to time. It's like
http://www.well.com/~jax # working out at the gym, you sweat a lot, don't get
http://www.softwoehr.com # anywhere, and you fall asleep easily afterwards.



Re: Root Password

2009-02-23 Thread Mark Post
>>> On 2/23/2009 at 11:47 AM, "Kittendorf, Craig X."
 wrote: 
> Hi,
> 
> I just started back at a shop with SuSE 7.2 installed in an LPAR on a
> z10 and no experienced sysadmin.  The root password was changed and no
> one knows what it is.  We do not have VM, another Linux LPAR, or the
> installation materials.  Is there a way to resolve this?

Download another copy of SLES and use the installation files from there as a 
rescue system.  Then upgrade!  (I know, that probably won't fly, but sheesh!  
Money to spend on a z10, but not to keep the software updated?)


Mark Post



Re: Root Password

2009-02-23 Thread Mark Pace
Does anyone have SUDO authority without password?

On Mon, Feb 23, 2009 at 11:47 AM, Kittendorf, Craig X. <
kittendorf.cr...@mail.dc.state.fl.us> wrote:

> Hi,
>
> I just started back at a shop with SuSE 7.2 installed in an LPAR on a
> z10 and no experienced sysadmin.  The root password was changed and no
> one knows what it is.  We do not have VM, another Linux LPAR, or the
> installation materials.  Is there a way to resolve this?
>
> Thanks,
>   Craig
>



--
Mark Pace
Mainline Information Systems
1700 Summit Lake Drive
Tallahassee, FL. 32317



Root Password

2009-02-23 Thread Kittendorf, Craig X.
Hi,

I just started back at a shop with SuSE 7.2 installed in an LPAR on a
z10 and no experienced sysadmin.  The root password was changed and no
one knows what it is.  We do not have VM, another Linux LPAR, or the
installation materials.  Is there a way to resolve this?

Thanks,
   Craig



Re: linux error during IPL requesting root password

2008-06-10 Thread Marcy Cortes
Felipe Bannwart Perina wrote:
> Hello all!
>
> Whenever one of our linux system crashes during IPL, I get this
message:
>
> fsck failed for at least one filesystem (not /).
> Please repair manually and reboot.
> The root file system is is already mounted read-write.


Does this happen often?   I'd be kinda concerned if it does.  Are they
journaled filesystems?


Marcy 


Re: linux error during IPL requesting root password

2008-06-10 Thread John Summerfield

Felipe Bannwart Perina wrote:

> Hello all!
>
> Whenever one of our linux system crashes during IPL, I get this message:
>
> fsck failed for at least one filesystem (not /).
> Please repair manually and reboot.
> The root file system is is already mounted read-write.
>
> Attention: Only CONTROL-D will reboot the system in this
> maintanance mode. shutdown or reboot will not work.
>
> Give root password for login:
>
> Problem is, after our systems are running we don't have that password
> anymore. This means I have to open a request that requires approval so
> someone can e-mail me that freaking password... That can take hours, and
> as Murphy's Laws state, it usually happens on systems that can't be down
> more than a few minutes. Seriously now, since we are running linux under
> VMs, we already have a safe environment and really don't need this kind of
> control. Is there any way I can disable this request for a root password
> on linux?
>
> Thank you all in advance.


I was just going to tell you to read the scripts and see where sulogin's
used and change it to /bin/bash, but as Mark says, it really is an
administrative problem.

Ask those with power to make decisions whether this is the way it must be.

There are several ways around the password prompt, often booting with
"init=/bin/sh" is the easiest. Use of an alternative system, as John
suggests, is another.

However you do it, once you're root there are few restrictions on what
you can do, so you need an approved procedure to gain root access. If it
involves hours of downtime, someone in authority needs to choose that.
Auditors too.




--

Cheers
John



Re: linux error during IPL requesting root password

2008-06-10 Thread McKown, John
> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On 
> Behalf Of Felipe Bannwart Perina
> Sent: Tuesday, June 10, 2008 1:39 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: linux error during IPL requesting root password
> 
> Hello all!
> 
> Whenever one of our linux system crashes during IPL, I get 
> this message:
> 
> fsck failed for at least one filesystem (not /). 
> Please repair manually and reboot. 
> The root file system is is already mounted read-write. 
>  
> Attention: Only CONTROL-D will reboot the system in this 
> maintanance mode. shutdown or reboot will not work. 
>  
> Give root password for login: 
> 
> Problem is, after our systems are running we don't have that password 
> anymore. This means I have to open a request that requires approval so 
> someone can e-mail me that freaking password... That can take 
> hours, and 
> as Murphy's Laws state, it usually happens on systems that 
> can't be down 
> more than a few minutes. Seriously now, since we are running 
> linux under 
> VMs, we already have a safe environment and really don't need 
> this kind of 
> control. Is there any way I can disable this request for a 
> root password 
> on linux?
> 
> Thank you all in advance.
> 
> 
> Felipe Bannwart Perina

Use another, active, z/Linux. LOGOFF the failing guest. LINK the
appropriate mini disk to the active guest. Do the fsck on that guest.
DETACH the other z/Linux's minidisk from your recovery z/Linux guest.
LOGON the previously failed z/Linux guest.

I think the above should work. Except, of course, if you are using LVM
or something like that. Then it is more complicated.

Perhaps have a dedicated "recovery" z/Linux system stashed around
somewhere to do the above.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology



Re: linux error during IPL requesting root password

2008-06-10 Thread Mark Post
>>> On Tue, Jun 10, 2008 at  2:38 PM, in message
<[EMAIL PROTECTED]>, Felipe
Bannwart Perina <[EMAIL PROTECTED]> wrote: 
> Hello all!
> 
> Whenever one of our linux system crashes during IPL, I get this message:
> 
> fsck failed for at least one filesystem (not /). 
> Please repair manually and reboot. 
> The root file system is is already mounted read-write. 
>  
> Attention: Only CONTROL-D will reboot the system in this 
> maintanance mode. shutdown or reboot will not work. 
>  
> Give root password for login: 
> 
> Problem is, after our systems are running we don't have that password 
> anymore. This means I have to open a request that requires approval so 
> someone can e-mail me that freaking password... That can take hours, and 
> as Murphy's Laws state, it usually happens on systems that can't be down 
> more than a few minutes. Seriously now, since we are running linux under 
> VMs, we already have a safe environment and really don't need this kind of 
> control. Is there any way I can disable this request for a root password 
> on linux?

If you don't have the root password for the system, then I would think you're 
not responsible for the system.  Emailing root passwords around?  You should be 
glad I'm not the auditor for your site.

If your security policies dictate that you cannot have the root password for 
systems you are (theoretically) responsible for, then I doubt very much they're 
going to be willing to let you disable that prompt.  Your neck, I suppose, if 
you modify /etc/init.d/boot.localfs.


Mark Post



linux error during IPL requesting root password

2008-06-10 Thread Felipe Bannwart Perina
Hello all!

Whenever one of our linux systems crashes during IPL, I get this message:

fsck failed for at least one filesystem (not /). 
Please repair manually and reboot. 
The root file system is is already mounted read-write. 
 
Attention: Only CONTROL-D will reboot the system in this 
maintanance mode. shutdown or reboot will not work. 
 
Give root password for login: 

Problem is, after our systems are running we don't have that password 
anymore. This means I have to open a request that requires approval so 
someone can e-mail me that freaking password... That can take hours, and 
as Murphy's Laws state, it usually happens on systems that can't be down 
more than a few minutes. Seriously now, since we are running linux under 
VMs, we already have a safe environment and really don't need this kind of 
control. Is there any way I can disable this request for a root password 
on linux?

Thank you all in advance.


Felipe Bannwart Perina
--
IBM - Server Systems Operations - Hortolândia - Brasil
Mainframe Support - z/Linux
Phone: +55 (19) 2132 - 1937 / T/L: 839 - 1937
E-mail: [EMAIL PROTECTED]



Re: recover root password

2008-04-16 Thread Bjoern A. Zeeb

On Wed, 16 Apr 2008, Patrick Spinler wrote:

Hi,


Malcolm Beattie wrote:
|
| Quick plug: I'll be covering Linux native tools for auditing
| (auditd/auditctl), accounting (acct/sa) and other things beginning
| with "A"[1] in my technical session at the z Tech Conference in
| Dresden next month.
|
| There are trade-offs involved in enabling such things but if you
| really want to audit everything root does, you can.
|

Looked at these.  Just wished there was an easy and obvious way to send
audit records to syslog, and thus off-node.


The obvious reason you do not want this is that syslog is not reliable
and you can possibly lose audit records.

Further they won't be encrypted and in plaintext on the wire.

Last you wouldn't even know if anyone had tampered with them when you
received them on the destination.

Spoofing UDP can be really easy.


If you want to remote audit records for postprocessing or keeping them
around, either do it batched as in log shipping in a secure and
reliable way or use an encrypted reliable transport stream with
spooling to handle times when the receiver is not available/reachable,
etc...

/bz

--
Bjoern A. Zeeb  Stop bit received. Insert coin for new game.
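
The tamper and loss concerns raised in this message, shown as an added example that is not part of the original post: a sender seals a batch of audit records with a chained HMAC, and the receiver can tell a modified, dropped, truncated or forged batch from an intact one. The key, batch id and record text are constructed for the illustration; confidentiality on the wire still needs the encrypted transport the message mentions.

```python
import hashlib
import hmac

ZERO = b"\0" * 32

# Constructed, simplified audit records (not real auditd output).
RECORDS = [
    'uid=alice euid=0 cmd="/usr/bin/passwd bob"',
    'uid=alice euid=0 cmd="/sbin/auditctl -e 0"',
    'uid=bob euid=0 cmd="/bin/rm /var/log/messages"',
]
KEY = b"constructed-demo-key-shared-by-sender-and-collector"


def _mac(key, prev, batch_id, seq, kind, text):
    # Each MAC covers the previous MAC, so records cannot be reordered,
    # removed from the middle, or moved into another batch unnoticed.
    # The free-form text goes last so the '|' separator stays unambiguous.
    msg = b"|".join([prev.hex().encode(), batch_id.encode(),
                     str(seq).encode(), kind.encode(), text.encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(records, key, batch_id):
    """Sender side: number the records, chain the MACs, add an end marker."""
    batch, prev = [], ZERO
    items = [("rec", r) for r in records] + [("end", str(len(records)))]
    for seq, (kind, text) in enumerate(items):
        prev = _mac(key, prev, batch_id, seq, kind, text)
        batch.append({"seq": seq, "kind": kind, "text": text, "mac": prev.hex()})
    return batch


def verify(batch, key, batch_id):
    """Receiver side: return (records_verified, problem or None)."""
    prev = ZERO
    for expected, item in enumerate(batch):
        if item["seq"] != expected:
            return expected, f"gap: expected seq {expected}, got {item['seq']}"
        mac = _mac(key, prev, batch_id, item["seq"], item["kind"], item["text"])
        if not hmac.compare_digest(mac.hex(), item["mac"]):
            return expected, f"bad MAC at seq {expected}"
        prev = mac
    if not batch or batch[-1]["kind"] != "end":
        # Without the sealed end marker, a batch cut short looks complete.
        return len(batch), "truncated: end marker missing"
    return len(batch) - 1, None


if __name__ == "__main__":
    sealed = seal(RECORDS, KEY, "lnx01-0001")
    print(verify(sealed, KEY, "lnx01-0001"))
    print(verify(sealed[:1] + sealed[2:], KEY, "lnx01-0001"))
```

The sender keeps unacknowledged batches in its spool until the receiver reports a clean verify, which covers the "receiver is not available" case.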



Re: recover root password

2008-04-16 Thread Patrick Spinler

Malcolm Beattie wrote:
|
| Quick plug: I'll be covering Linux native tools for auditing
| (auditd/auditctl), accounting (acct/sa) and other things beginning
| with "A"[1] in my technical session at the z Tech Conference in
| Dresden next month.
|
| There are trade-offs involved in enabling such things but if you
| really want to audit everything root does, you can.
|

Looked at these.  Just wished there was an easy and obvious way to send
audit records to syslog, and thus off-node.

As far as I can tell from the man pages, though, while auditd will
report its own operational errors to syslog, there's no option to write
audit records there.

Yes, I know, it stores them by default in binary format.  Yes, I know
it's possible to whip up some post processing script to do what I want.
Unfortunately, such hacked together solutions are never as clean as
properly coded application support ...

This is one specific function where Solaris already has it:
http://docs.sun.com/app/docs/doc/816-5175/audit-syslog-5?a=view

-- Pat




Re: recover root password

2008-04-16 Thread Fargusson.Alan
The root of this problem is that "Linux" is only the kernel.  Red Hat, SuSE, 
etc. are distributions that package the Linux kernel with various utilities 
(mostly GNU).  Since they do their own compiling and configuration of the 
utilities some of the defaults are different.

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] Behalf Of
RPN01
Sent: Wednesday, April 16, 2008 5:27 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password


This is one of the problems I've had learning Linux: There are Linux
defaults, and then there are different defaults created by the various
distributions, and it's hard to tell which are which. Linux is a single
operating system that never acts the same from machine to machine (much like
Windows, but for different reasons).

--
Robert P. Nix  Mayo Foundation.~.
RO-OE-5-55 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 4/15/08 4:20 PM, "John Summerfield" <[EMAIL PROTECTED]>
wrote:

> RPN01 wrote:
>> By default, sudo expects root's password.
>
> That is not what the man page says. It _is_ the way SUSE configures it.
> --
>
> Cheers
> John
>



Re: recover root password

2008-04-16 Thread RPN01
This is one of the problems I've had learning Linux: There are Linux
defaults, and then there are different defaults created by the various
distributions, and it's hard to tell which are which. Linux is a single
operating system that never acts the same from machine to machine (much like
Windows, but for different reasons).

--
Robert P. Nix  Mayo Foundation.~.
RO-OE-5-55 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 4/15/08 4:20 PM, "John Summerfield" <[EMAIL PROTECTED]>
wrote:

> RPN01 wrote:
>> By default, sudo expects root's password.
>
> That is not what the man page says. It _is_ the way SUSE configures it.
> --
>
> Cheers
> John
>



Re: recover root password

2008-04-15 Thread John Summerfield

McKown, John wrote:

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
Behalf Of John Summerfield
Sent: Monday, April 14, 2008 5:34 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password


[snip]


Red Hat expects administrators to know and use root's password. That's
what su does.

SUSE expects administrators to know and use root's password. It
configures sudo to work that way.


Strange. On my OpenSUSE at home, it asks for my password, not root's
password.

Then you must have changed it, as I did. This is from the distributed
configuration on 10.3:
Defaults targetpw   # ask for the password of the target user i.e. root

I verified it:
05:45 [EMAIL PROTECTED] tmp]$ rpm2cpio



Until the vendors change their approach, administrators are
going to be
working that way.


That can be fixed by the administrator using visudo to change


It can be, but most people will assume the vendor has it right until
they learn otherwise.

Did _you_ go through every bit of your opensuse configuration to ensure
it's sane, according to your own beliefs?



/etc/sudoers. Granted, another customization that the vendor should do.
Perhaps. But you know how much people will scream "why did that
CHANGE" if the vendor does it.


Ubuntu used sudo from the beginning. I don't recall any controversy over
 it. I imagine that when RH/SUSE does it, they will document it in the
release notes and other documentation, and when people challenge it,
point them at the documentation.





The only Linux distribution that expects administrators to
use their own
password is Ubuntu, and while it's based off Debian that is available
for IBM mainframes, Ubuntu isn't yet.

One can also login as root without password if ssh is so configured.


Hopefully you mean with a cert instead of a password.


I don't know of anyone who's implemented ssh to allow login without
_some_ credentials.


--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
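
A configuration check for the `Defaults targetpw` line quoted in the message above, given as an added example that is not part of the original post. The three sample files are constructed; the `ALL ALL=(ALL) ALL` rule and the `%sysadm` group are assumptions added to show what removing the flag alone leaves behind.

```python
import re

# Each of these makes sudo ask for another account's password.
PW_FLAGS = ("targetpw", "rootpw", "runaspw")

# Constructed samples. The first is built around the Defaults line quoted in
# the message; the catch-all user rule is an assumption for illustration.
SHIPPED = """\
Defaults env_reset
Defaults targetpw   # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL
"""
# Flag dropped with visudo, but the catch-all rule left behind.
HALF_FIXED = """\
Defaults env_reset
ALL ALL=(ALL) ALL
"""
# Flag negated (on a continuation line) and root limited to one named group.
PER_USER = """\
Defaults env_reset, \\
         !targetpw
%sysadm ALL=(ALL) ALL
"""


def logical_lines(text):
    """Yield sudoers entries with continuation lines joined and comments cut."""
    pending = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1] + " "
            continue
        line, pending = pending + raw, ""
        if line.lstrip().startswith("#include"):
            continue              # include files are not followed in this sketch
        # Simplification: '#' always starts a comment here ('#uid' is not handled).
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def audit(text):
    """Report whose password sudo will ask for, and who can reach root."""
    flags = dict.fromkeys(PW_FLAGS, False)    # all three are off unless set
    scoped, catch_all = [], False
    for line in logical_lines(text):
        m = re.match(r"Defaults(\S*)\s+(.*)", line)
        if m:
            if m.group(1):                    # Defaults:user, @host, >runas, !cmnd
                scoped.append(line)           # reported, not evaluated
                continue
            for param in m.group(2).split(","):
                name = param.strip()
                if name.lstrip("!").strip() in flags:
                    flags[name.lstrip("!").strip()] = not name.startswith("!")
            continue
        if re.fullmatch(r"ALL\s+ALL\s*=\s*\(\s*ALL(\s*:\s*ALL)?\s*\)\s*ALL", line):
            catch_all = True
    active = [f for f in PW_FLAGS if flags[f]]
    if active:
        finding = "shared-password"   # admins must all know another account's secret
    elif catch_all:
        finding = "everyone-is-root"  # any account becomes root with its own password
    else:
        finding = "per-user"          # own password, only for the listed users/groups
    return {"flags": active, "catch_all_rule": catch_all,
            "scoped_defaults": scoped, "finding": finding}


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("half fixed", HALF_FIXED),
                       ("per user", PER_USER)):
        print(name, audit(text))
```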



Re: recover root password

2008-04-15 Thread John Summerfield

Rob van der Heij wrote:



More convenient IMHO is to have another running Linux server reach out
to the disks of the dead server and mount them. That way you have all
the tools you need to fix things (though it may be that current
LVM-tools have a strong one-system mindset).


Folk on RH/Fedora lists have complained long about filesystem labels,
and LVM names are fully as good at causing grief.

Help is at hand, we're going to oh-so-long UUIDs now. There's a change
in LVM names too.

Oh joy!

--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread John Summerfield

Bjoern A. Zeeb wrote:

On Mon, 14 Apr 2008, Miguel Roman wrote:

Hi,

so, all I read was that you had to take down/reboot the linux system
to recover.

The days I last used linux (on intel that was) you could simply boot
into single user mode and got a shell once / was mounted without being
asked for a password.


Whether that works depends on the distro, some try to impede folk by
using sulogin (great fun when a manual fsck is necessary).

If you can boot without password, sulogin is a lost cause. Boot with
this option:
... init=/bin/bash
and be prepared to find and mount the filesystems yourself.

Then reboot.

If the bootloader uses a password, that's usually futile too:
1. Boot from CD or similar. A grub floppy will do on intellish hardware.
2. Remove drive and have at it in another system.

The Fedora project is working on installing to encrypted disk, that
should be available in f9 (which is now in beta).

ps
fc3 was about RHEL4
fc6 was about RHEL5
fc9 ?? Will it be? Could it be?






You change your password and continue to the boot to get to multi user.

So now I have no idea if
- is it possible to boot into single user mode easily from VM?
- the distributions do ask for a password (the root password) these
  days before you get the shell in single user mode?

The advantage of this concept was that it was pretty damn fast if you
had to reboot anyway and you didn't need any 2nd system and do mounts
and chroot and all that.

Some BSD systems have a second privileged user called 'toor' btw. You
could easily setup a password for that user at install time, write it
down put it into a safe and you wouldn't even have to reboot ... but
setting up sudo properly, as said by others, should be a better choice
these days.


I managed to lose the password file once. I was very relieved when I
realised
1. I had an active vnc session
2. I don't have good vnc passwords (the ungodly don't get close enough
to test them).

A vnc session through my modem was better than a car journey.


--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread John Summerfield

Malcolm Beattie wrote:

RPN01 writes:

To be completely compliant, everything done by / with root
will need to be logged, showing what was done, and by whom. Can you do that
now, with two or more people logging into root? Can you do it with even one
person logging into root? Not on any distribution I know today.


Quick plug: I'll be covering Linux native tools for auditing
(auditd/auditctl), accounting (acct/sa) and other things beginning
with "A"[1] in my technical session at the z Tech Conference in
Dresden next month.

There are trade-offs involved in enabling such things but if you
really want to audit everything root does, you can.

--Malcolm

[1] ACLs and Activity reporting.


While composing an earlier reply, I was thinking of suggesting ACLs (and
read the man page).

I thought of two disadvantages
1. Logging, which you say can be done
2. Password prompt.

What do enterprise users think?




--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread John Summerfield

RPN01 wrote:

By default, sudo expects root's password.


That is not what the man page says. It _is_ the way SUSE configures it.



--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread John Summerfield

Rob van der Heij wrote:

On Tue, Apr 15, 2008 at 12:34 AM, John Summerfield
<[EMAIL PROTECTED]> wrote:


 Until the vendors change their approach, administrators are going to be
 working that way.


But isn't that why folks bother to hang out on mailing lists and learn
how to improve their way of working?


Sure. How many do you know of who don't hang out on these lists?




I consider the default setup maybe the easiest way to get started, but


Lots of people reckon Apple does a good job on UI design. By default,
root on OS X is locked, and users who have administrative rights use
their own password.

That's probably why Ubuntu does it that way, quite a few of the (early)
techos were Apple fans.



not necessarily the best approach to run your system. My expectations
of an end-user system are different. If you have someone install just
one or two systems, you want the installer to do most things right and
let the user resume his real work. But with professionals doing
installs as their job, I'd expect them to know the requirements better
than the vendor. Bonus points for installers that let you tweak the
process rather than fight it (I have bad memories of YaST re-install
some products each time it could).


Over time, there have been arguments on RH lists that RH wasn't doing
enough to make systems as secure as they should be, and criticising RH
practices. I remember complaining about many rpms that could only be
built by root - the kernel was the last I recall, and at the time the
build process was creating a device entry.

RH has learned and generally has done things fairly well long enough
that Brad may be surprised to read this:-)




We used to have IBM products with installation instructions like this:
 CP MSG OPERATOR PLEASE MOUNT TAPE
 CP WNG ALL MAINTENANCE WILL BEGIN !
 REW 181
Even though these are actual commands, I believe they should not be
taken literally as the maintenance procedure in any shop.


I used to install a lot of third-party stuff on MVS; I learned to use
salt when reading instructions.


--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-15 Thread Marcy Cortes
Hey, didn't we talk about this stuff a few weeks ago on the phone?

Anyway, we have a unix/linux product in lieu of sudo (on every place but
zLinux at the moment due to vendor support, but that is changing real
soon now) that key stroke logs (to a remote server) every thing one does
while running as root, because, like Alan said, you can do things like
turn off audit and destroy logs, or change the root pw, grant someone
else, etc.

While logonby is great and we use it all the time with byonly userids
and never ever share a password on VM, we still really can't tell those
who care about SOX what someone did when they logged into MAINT or
VMSECURE or RACFVM if he's your guy.   You can't even use last changed
date on minidisks, because, well there is DDR!  z/VM doesn't really have
anything in place to protect you from your sysprog (or at least read
about it after the fact), unlike the other o/s's that at least give the
illusion that they can.

Marcy Cortes 


-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Alan Altmark
Sent: Tuesday, April 15, 2008 10:39 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] recover root password

Bob Nix wrote:
> Anyone sticking to the "I have to have root!" model of system
> administration is leaving themselves open to a huge awakening as
> Sarbanes-Oxley and other regulations overtake us. While we aren't
> required by law to conform to Sarbanes-Oxley, we've chosen to bring
> ourselves as close as we possibly can.

They are also living in the Dark Ages.

> One of the requirements is that what is done to your systems is done
> with accountability. To be completely compliant, everything done by /
> with root will need to be logged, showing what was done, and by whom.
> Can you do that now, with two or more people logging into root? Can
> you do it with even one person logging into root? Not on any
> distribution I know today. So you aren't compliant, and will be pinged
> on your audit, and if you're required to be S-O compliant, you're
> leaving your company open to legal action.

It is heartwarming, after a fashion, to see this discussion.  I forget:
When did we introduce LOGON BY to z/VM?  The requirement for
accountability is not driven by law, but by Good Business Practices,
with an eye towards long-term survival.  (The fact that we had to have
laws to tell people that they must use Good Business Practices speaks
volumes about our society and its [lack of] values.  :-(  )

One of the reasons the mainframes have endured for so long is because, I
believe, its purchasers' continued adherence to rigid change control
practices.   "Time is money.  So if you screw up a change, you cost us
money."  This was all before S-O & Co.

Give someone root authority, but make them say "Give me root authority.
Here are my credentials.  If you'll check your e-clipboard, you'll see
that I'm On The List."  (Of course, not REALLY root authority.  E.g. no
ability to grant root to someone else or to turn off security
subsystems, auditing, etc.   "Dinosaurs can cause serious injury or
death" is not the only message to take from the movie Jurassic Park.)

If I was working as a sysadmin, the number of admins was > 1 and all I
had was "root", I'd be screaming from the rafters.  Like my company, I
want protection from the actions of others ("plausible deniability").
Don't give me root's password - I don't want to know it.

Alan Altmark
z/VM Development
IBM Endicott



Re: recover root password

2008-04-15 Thread Alan Altmark
Bob Nix wrote:
> Anyone sticking to the "I have to have root!" model of system
> administration is leaving themselves open to a huge awakening
> as Sarbanes-Oxley and other
> regulations overtake us. While we aren't required by law to conform to
> Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly
> can.

They are also living in the Dark Ages.

> One of the requirements is that what is done to your systems is done
> with accountability. To be completely compliant, everything done by /
> with root will need to be logged, showing what was done, and by whom.
> Can you do that now, with two or more people logging into root? Can
> you do it with even one person logging into root? Not on any
> distribution I know today. So you aren't compliant, and will be pinged
> on your audit, and if you're required to be S-O compliant, you're
> leaving your company open to legal action.

It is heartwarming, after a fashion, to see this discussion.  I forget:
When did we introduce LOGON BY to z/VM?  The requirement for
accountability is not driven by law, but by Good Business Practices, with
an eye towards long-term survival.  (The fact that we had to have laws to
tell people that they must use Good Business Practices speaks volumes
about our society and its [lack of] values.  :-(  )

One of the reasons the mainframes have endured for so long is because, I
believe, its purchasers' continued adherence to rigid change control
practices.   "Time is money.  So if you screw up a change, you cost us
money."  This was all before S-O & Co.

Give someone root authority, but make them say "Give me root authority.
Here are my credentials.  If you'll check your e-clipboard, you'll see
that I'm On The List."  (Of course, not REALLY root authority.  E.g. no
ability to grant root to someone else or to turn off security subsystems,
auditing, etc.   "Dinosaurs can cause serious injury or death" is not the
only message to take from the movie Jurassic Park.)

If I was working as a sysadmin, the number of admins was > 1 and all I had
was "root", I'd be screaming from the rafters.  Like my company, I want
protection from the actions of others ("plausible deniability").  Don't
give me root's password - I don't want to know it.

Alan Altmark
z/VM Development
IBM Endicott



Re: recover root password

2008-04-15 Thread Evans, Kevin R
Even though I don't do Linux work...I agree with Robert here.

Now, it would be a nice feature on the Linux installs, I would imagine,
if RH and Novell and others made it easy to set this up as the install
was running. At least as far as setting up one admin account/password
etc.

Kevin

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
RPN01
Sent: Tuesday, April 15, 2008 9:56 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

By default, sudo expects root's password. But, it can be easily configured
to expect the user to enter his own password instead. It's a one line
change.

RedHat and SuSE expect administrators to use the root account because "It's
always been done that way." But, when you have more than one administrator,
and especially if you have more than a hand-full, like six to fifteen, then
doing so gives you no accountability for what has been done to your systems.

Anyone sticking to the "I have to have root!" model of system administration
is leaving themselves open to a huge awakening as Sarbanes-Oxley and other
regulations overtake us. While we aren't required by law to conform to
Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly can.
One of the requirements is that what is done to your systems is done with
accountability. To be completely compliant, everything done by / with root
will need to be logged, showing what was done, and by whom. Can you do that
now, with two or more people logging into root? Can you do it with even one
person logging into root? Not on any distribution I know today. So you
aren't compliant, and will be pinged on your audit, and if you're required
to be S-O compliant, you're leaving your company open to legal action.

Just because it's the way RedHat or SuSE does it doesn't make it the
standard. You need it for the installation, which may be why both RedHat and
SuSE are set up that way. It doesn't mean you have to stay that way once the
system is up and running. You change other things on the system after the
install, so I don't see the reasoning of holding up the standard that "It
comes that way, so it should stay that way." That doesn't make any sense.

I stand by my statement: Get out of root as soon as you possibly can after
the install, and stay out of root as much as you possibly can. Complain to
vendors when they force you to use root to install their products. Complain
to vendors that force you to run their product as root. These are practices
that shortly will not be acceptable. And the time shortens every time some
retailer loses thousands of credit card records. We didn't lose that
information, but we're the ones that it is easiest to go to and say "You've
got to improve security! You have to have accountability!" So we're the ones
that will ultimately pay the price. I predict that this will be one of the
costs in the short term.

Anyone willing to bet a coke on it?

--
Robert P. Nix  Mayo Foundation.~.
RO-OE-5-55 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."



On 4/14/08 5:34 PM, "John Summerfield" <[EMAIL PROTECTED]>
wrote:

> RPN01 wrote:
>> Would it be the wrong time to suggest that, once you have the system
>> installed, up and running, nobody should ever log in as root, except in
>> dire or unavoidable circumstances.
>>
>> Once you have the system, give your system administration group sudo all
>> privs. Then just don't log into root at all. This gives you accountability
>
> Red Hat expects administrators to know and use root's password. That's
> what su does.
>
> SUSE expects administrators to know and use root's password. It
> configures sudo to work that way.
>
> Until the vendors change their approach, administrators are going to be
> working that way.
>
> The only Linux distribution that expects administrators to use their own
> password is Ubuntu, and while it's based off Debian that is available
> for IBM mainframes, Ubuntu isn't yet.
>
>
>
> One can also login as root without password if ssh is so configured.
>
>
>
> --
>
> Cheers
> John
>
> -- spambait
> [EMAIL PROTECTED]  [EMAIL PROTECTED]
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
>
> You cannot reply off-list:-)
>

Re: recover root password

2008-04-15 Thread Malcolm Beattie
RPN01 writes:
> To be completely compliant, everything done by / with root
> will need to be logged, showing what was done, and by whom. Can you do that
> now, with two or more people logging into root? Can you do it with even one
> person logging into root? Not on any distribution I know today.

Quick plug: I'll be covering Linux native tools for auditing
(auditd/auditctl), accounting (acct/sa) and other things beginning
with "A"[1] in my technical session at the z Tech Conference in
Dresden next month.

There are trade-offs involved in enabling such things but if you
really want to audit everything root does, you can.

--Malcolm

[1] ACLs and Activity reporting.

--
Malcolm Beattie
System z SWG/STG, Europe
IBM UK



Re: recover root password

2008-04-15 Thread David Boyes
> (Is there a s390[x] implementation of selinux?  Just wondering.  I don't
> even know how to *capitalize* selinux.)

Yes. Both major vendors and Debian ship it loaded, but with SELinux
functions turned off or warn-only due to the massive impact of how it
changes the behavior of the system. 



Re: recover root password

2008-04-15 Thread David Andrews
On Tue, 2008-04-15 at 08:56 -0500, RPN01 wrote:
> Anyone willing to bet a coke on it?

Never touch the stuff.

While I take your point about staying out of root insofar as possible,
there are other ways to compartmentalize our systems: virtualization,
r/o filesystems in dedicated partitions, chroots, FBSD-style jails,
xBSD-style securelevels all come to mind.  We can mitigate the situation
when vendors "force" us to use root.

(Is there a s390[x] implementation of selinux?  Just wondering.  I don't
even know how to *capitalize* selinux.)

--
David Andrews
A. Duda and Sons, Inc.
[EMAIL PROTECTED]



Re: recover root password

2008-04-15 Thread Rob van der Heij
On Tue, Apr 15, 2008 at 3:56 PM, RPN01 <[EMAIL PROTECTED]> wrote:

>  RedHat and SuSE expect administrators to use the root account because "It's
>  always been done that way." But, when you have more than one administrator,
>  and especially if you have more than a handful, like six to fifteen, then
>  doing so gives you no accountability for what has been done to your systems.

We found the "there is no root password" was much more acceptable to
the developers. Too often a response like "you cannot have it" made
them come back later complaining this was the reason their project was
late, with a big badge joining them to twist our arms.
Actually, our users did not have passwords either. We relied entirely
on cryptic keys via SSH and LDAP.
Most harmful things can be done with sudo as well (we even controlled
it by LDAP rather than passwords). And you could always run a shell
under sudo, but it would reveal who was inside.

Rob



Re: recover root password

2008-04-15 Thread RPN01
By default, sudo expects root's password. But, it can be easily configured
to expect the user to enter his own password instead. It's a one line
change.

RedHat and SuSE expect administrators to use the root account because "It's
always been done that way." But, when you have more than one administrator,
and especially if you have more than a handful, like six to fifteen, then
doing so gives you no accountability for what has been done to your systems.

Anyone sticking to the "I have to have root!" model of system administration
is leaving themselves open to a huge awakening as Sarbanes-Oxley and other
regulations overtake us. While we aren't required by law to conform to
Sarbanes-Oxley, we've chosen to bring ourselves as close as we possibly can.
One of the requirements is that what is done to your systems is done with
accountability. To be completely compliant, everything done by / with root
will need to be logged, showing what was done, and by whom. Can you do that
now, with two or more people logging into root? Can you do it with even one
person logging into root? Not on any distribution I know today. So you
aren't compliant, and will be pinged on your audit, and if you're required
to be S-O compliant, you're leaving your company open to legal action.

Just because it's the way RedHat or SuSE does it doesn't make it the
standard. You need it for the installation, which may be why both RedHat and
SuSE are set up that way. It doesn't mean you have to stay that way once the
system is up and running. You change other things on the system after the
install, so I don't see the reasoning of holding up the standard that "It
comes that way, so it should stay that way." That doesn't make any sense.

I stand by my statement: Get out of root as soon as you possibly can after
the install, and stay out of root as much as you possibly can. Complain to
vendors when they force you to use root to install their products. Complain
to vendors that force you to run their product as root. These are practices
that shortly will not be acceptable. And the time shortens every time some
retailer loses thousands of credit card records. We didn't lose that
information, but we're the ones that it is easiest to go to and say "You've
got to improve security! You have to have accountability!" So we're the ones
that will ultimately pay the price. I predict that this will be one of the
costs in the short term.

Anyone willing to bet a coke on it?

--
Robert P. Nix  Mayo Foundation.~.
RO-OE-5-55 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."



On 4/14/08 5:34 PM, "John Summerfield" <[EMAIL PROTECTED]>
wrote:

> RPN01 wrote:
>> Would it be the wrong time to suggest that, once you have the system
>> installed, up and running, nobody should ever log in as root, except in dire
>> or unavoidable circumstances.
>>
>> Once you have the system, give your system administration group sudo all
>> privs. Then just don't log into root at all. This gives you accountability
>
> Red Hat expects administrators to know and use root's password. That's
> what su does.
>
> SUSE expects administrators to know and use root's password. It
> configures sudo to work that way.
>
> Until the vendors change their approach, administrators are going to be
> working that way.
>
> The only Linux distribution that expects administrators to use their own
> password is Ubuntu, and while it's based off Debian that is available
> for IBM mainframes, Ubuntu isn't yet.
>
>
>
> One can also login as root without password if ssh is so configured.
>
>
>
> --
>
> Cheers
> John
>
> -- spambait
> [EMAIL PROTECTED]  [EMAIL PROTECTED]
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
>
> You cannot reply off-list:-)

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
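
The accountability point in this message, and in Rob van der Heij's reply above (a shell under sudo still reveals who went in), can be checked against the logs. The following is an added example, not from the thread: it attributes sudo commands per user, flags sudo-launched shells after which sudo records nothing further, and lists direct root logins that carry only a source address. The log lines, host name, user names and address are constructed.

```python
import os
import re

# Constructed sample in the syslog format that sudo and sshd write
# (host, users and address are made up for this example).
SAMPLE_LOG = """\
Apr 15 09:02:11 lnx390a sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root
Apr 15 09:05:40 lnx390a sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Apr 15 09:17:23 lnx390a sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/sbin/service ldap restart
Apr 15 09:20:00 lnx390a sudo:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Apr 15 09:31:09 lnx390a sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Apr 15 09:40:55 lnx390a sshd[4211]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2
"""

SUDO_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")
SSH_ROOT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for root from (?P<src>\S+)")
# Programs that hand over an interactive root shell: sudo logs the launch only.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "su"}


def analyze(log_text):
    """Split root activity into attributed, opaque, denied and unattributed."""
    report = {"attributed": {}, "opaque_shells": [], "denied": [], "direct_root": []}
    for line in log_text.splitlines():
        ssh = SSH_ROOT_RE.search(line)
        if ssh:
            # A direct root login names no person, only where it came from.
            report["direct_root"].append((ssh.group("method"), ssh.group("src")))
            continue
        sudo = SUDO_RE.match(line)
        if not sudo:
            continue
        user = sudo.group("user")
        head, _, command = sudo.group("body").partition("COMMAND=")
        if not command.strip():
            continue
        # Fields before COMMAND= are KEY=value pairs; a field without '='
        # is a status message such as "user NOT in sudoers".
        notes = [f.strip() for f in head.split(" ; ") if f.strip() and "=" not in f]
        if notes:
            report["denied"].append((user, notes[0], command))
            continue
        report["attributed"].setdefault(user, []).append(command)
        if os.path.basename(command.split()[0]) in SHELLS:
            report["opaque_shells"].append((user, command))
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user, commands in result["attributed"].items():
        print(f"{user}: {commands}")
    print("shells (who, but not what):", result["opaque_shells"])
    print("denied:", result["denied"])
    print("direct root logins:", result["direct_root"])
```
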


Re: recover root password

2008-04-15 Thread Robert J Brenneman
Another option to recover a root password on recent Linux on Z distros is to
supply a replacement init on boot up - like so:

zIPL v1.6.0 interactive boot menu

 0. default (ipl)

 1. ipl
 2. Failsafe

Note: VM users please use '#cp vi vmsg  '

Please choose (default will boot in 10 seconds):

#cp vi vmsg 1 init=/bin/bash



Linux will start a bash shell instead of the regular init process, you just
have to remount your root filesystem in RW mode like so:

mount / -o remount,rw

and then you can change the root password as needed - or do any other
maintenance you want. This trick would probably have helped with the broken
CA esm for linux, too, but it didn't occur to me at the time. This also
works on PC versions of Linux if no one has set a grub bootloader password.
Yet another example of "Physical access trumps all security settings,
eventually".


--
Jay Brenneman



Re: recover root password

2008-04-15 Thread McKown, John
> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On 
> Behalf Of John Summerfield
> Sent: Monday, April 14, 2008 5:34 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: recover root password

[snip]

> 
> Red Hat expects administrators to know and use root's password. That's
> what su does.
> 
> SUSE expects administrators to know and use root's password. It
> configures sudo to work that way.

Strange. On my OpenSUSE at home, it asks for my password, not root's
password.

> 
> Until the vendors change their approach, administrators are 
> going to be
> working that way.

That can be fixed by the administrator using visudo to change
/etc/sudoers. Granted, another customization that the vendor should do.
Perhaps. But you know how much people will scream "why did that
CHANGE" if the vendor does it.

> 
> The only Linux distribution that expects administrators to 
> use their own
> password is Ubuntu, and while it's based off Debian that is available
> for IBM mainframes, Ubuntu isn't yet.
> 
> One can also login as root without password if ssh is so configured.

Hopefully you mean with a cert instead of a password.

> 
> --
> 
> Cheers


--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
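
Which password sudo asks for is decided in /etc/sudoers, as discussed in this message. The following is an added example, not from the thread: a simplified audit of sudoers text, showing that where a catch-all `ALL ALL=(ALL) ALL` rule accompanies `Defaults targetpw`, commenting out only the `Defaults` line gives every local user root with their own password. `targetpw`, `rootpw` and `runaspw` are real sudoers flags; the three sample files and the `%sysadmin` group are constructed.

```python
import re

# Constructed sample: target-password mode paired with a catch-all rule.
SUDOERS_TARGETPW = """\
# constructed sample for this example
Defaults env_reset
Defaults targetpw    # ask for the password of the target user, i.e. root
ALL ALL=(ALL) ALL    # only safe together with targetpw
root ALL=(ALL) ALL
"""

# Constructed sample: only the Defaults line commented out.
SUDOERS_ONE_LINE = SUDOERS_TARGETPW.replace("Defaults targetpw", "#Defaults targetpw")

# Constructed sample: both lines gone, a named admin group instead
# (%sysadmin is a hypothetical group name).
SUDOERS_FIXED = """\
Defaults env_reset
root ALL=(ALL) ALL
%sysadmin ALL=(ALL) ALL
"""

OWN = "invoking user's"
PW_FLAGS = {"targetpw": "target user's", "rootpw": "root's",
            "runaspw": "runas default user's"}


def audit_sudoers(text):
    """Report whose password sudo asks for and which rules undermine accountability.

    Simplifications: only global Defaults are read, includes are not followed,
    and a '#uid' user specification would be treated as a comment.
    """
    mode, rules = OWN, []
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"#(?!include).*", "", raw).strip()
        if not line or line.startswith("#") or re.match(r"\w+_Alias\b", line):
            continue
        if re.match(r"Defaults\s", line):
            for param in line.split(None, 1)[1].split(","):
                param = param.strip()
                flag = param.lstrip("!").strip()
                if flag in PW_FLAGS:
                    if not param.startswith("!"):
                        mode = PW_FLAGS[flag]      # later settings override earlier ones
                    elif mode == PW_FLAGS[flag]:
                        mode = OWN                 # "!targetpw" switches it back off
            continue
        if line.startswith("Defaults"):
            continue                               # scoped Defaults: not evaluated here
        spec = re.match(r"(\S+)\s+\S+\s*=\s*(.+)$", line)
        if spec:
            rules.append((spec.group(1), spec.group(2)))

    findings = []
    if mode != OWN:
        # Every admin must know the same secret, which is what sudo was meant to avoid.
        findings.append("shared-secret")
    for who, rhs in rules:
        bare = re.sub(r"\b[A-Z_]+:", "", re.sub(r"\([^)]*\)", "", rhs))
        commands = [c.strip() for c in bare.split(",")]
        if "NOPASSWD:" in rhs:
            findings.append("nopasswd:" + who)
        if who == "ALL" and "ALL" in commands and mode == OWN:
            findings.append("everyone-is-root")
    return {"asks_for": mode, "findings": findings}


if __name__ == "__main__":
    for name, text in [("targetpw", SUDOERS_TARGETPW),
                       ("one line changed", SUDOERS_ONE_LINE),
                       ("fixed", SUDOERS_FIXED)]:
        print(name, audit_sudoers(text))
```
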


Re: recover root password

2008-04-15 Thread Rob van der Heij
On Tue, Apr 15, 2008 at 11:33 AM, Bjoern A. Zeeb
<[EMAIL PROTECTED]> wrote:

>  So now I have no idea if
>  - is it possible to boot into single user mode easily from VM?
>  - the distributions do ask for a password (the root password) these
>   days before you get the shell in single user mode?

The difference is in having a local console, so Intel distributions
that provide this depend on physical access control (or how they wire
up the local console into some network gear).
But Linux virtual machines on z/VM do not have a console that is
attractive to use for repairing the system. So existing solutions end
up doing some rescue system that will have a network to let you ssh
into the system. I have some concerns using real network IP address
etc for that. We've been talking about virtual console switches, but I
think it would be overkill considering the other options we already
have.

More convenient IMHO is to have another running Linux server reach out
to the disks of the dead server and mount them. That way you have all
the tools you need to fix things (though it may be that current
LVM-tools have a strong one-system mindset).

Rob
--
Rob van der Heij
Velocity Software GmbH
http://velocitysoftware.com/



Re: recover root password

2008-04-15 Thread Bjoern A. Zeeb

On Mon, 14 Apr 2008, Miguel Roman wrote:

Hi,

so, all I read was that you had to take down/reboot the linux system
to recover.

The days I last used linux (on intel that was) you could simply boot
into single user mode and got a shell once / was mounted without being
asked for a password.
You change your password and continue to the boot to get to multi user.

So now I have no idea if
- is it possible to boot into single user mode easily from VM?
- the distributions do ask for a password (the root password) these
  days before you get the shell in single user mode?

The advantage of this concept was that it was pretty damn fast if you
had to reboot anyway and you didn't need any 2nd system and do mounts
and chroot and all that.

Some BSD systems have a second privileged user called 'toor' btw. You
could easily set up a password for that user at install time, write it
down, put it into a safe and you wouldn't even have to reboot ... but
setting up sudo properly, as said by others, should be a better choice
these days.


Yet, there is another alternative if you are not running on the
latest kernel/patchlevel and need to fix that NOW without a maintenance
window. Find a non-harmful exploit;-) The drawback is that you would
want to fix that afterwards but that's what the maintenance window is
for...


/bz

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.



Re: recover root password

2008-04-15 Thread Rob van der Heij
On Tue, Apr 15, 2008 at 12:34 AM, John Summerfield
<[EMAIL PROTECTED]> wrote:

>  Until the vendors change their approach, administrators are going to be
>  working that way.

But isn't that why folks bother to hang out on mailing lists and learn
how to improve their way of working?

I consider the default setup maybe the easiest way to get started, but
not necessarily the best approach to run your system. My expectations
of an end-user system are different. If you have someone install just
one or two systems, you want the installer to do most things right and
let the user resume his real work. But with professionals doing
installs as their job, I'd expect them to know the requirements better
than the vendor. Bonus points for installers that let you tweak the
process rather than fight it (I have bad memories of YaST re-installing
some products each time it could).

We used to have IBM products with installation instructions like this:
 CP MSG OPERATOR PLEASE MOUNT TAPE
 CP WNG ALL MAINTENANCE WILL BEGIN !
 REW 181
Even though these are actual commands, I believe they should not be
taken literally as the maintenance procedure in any shop.

Rob



Re: recover root password

2008-04-14 Thread John Summerfield

RPN01 wrote:

> Would it be the wrong time to suggest that, once you have the system
> installed, up and running, nobody should ever log in as root, except in dire
> or unavoidable circumstances.
>
> Once you have the system, give your system administration group sudo all
> privs. Then just don't log into root at all. This gives you accountability


Red Hat expects administrators to know and use root's password. That's
what su does.

SUSE expects administrators to know and use root's password. It
configures sudo to work that way.

Until the vendors change their approach, administrators are going to be
working that way.

The only Linux distribution that expects administrators to use their own
password is Ubuntu, and while it's based off Debian that is available
for IBM mainframes, Ubuntu isn't yet.



One can also login as root without password if ssh is so configured.



--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: recover root password

2008-04-14 Thread Eddie Chen
   The quickest way is to bring down the server that you lost your password
   on, using the "bootable media" procedure as if you are running on a local
   box. The difference is that you're going to use another Linux guest to do
   the recovery for you.

 "detach" the minidisk where "/" resides
 "#cp link suse93   mr"   from the  recovery  id
 mount  the  partition  "mount /dev/??   /mnt "
 "chroot   /mnt"
 "passwd"
 "exit"








From: Miguel Roman
Sent by: Linux on 390 Port
To: LINUX-390@VM.MARIST.EDU
Date: 04/14/2008 11:03 AM
Subject: recover root password
Please respond to: Linux on 390 Port






Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
administrators changed the root password and forgot the password. Does
anyone know how to recover the root password? Thanks.

Miguel A Roman.












Re: recover root password

2008-04-14 Thread RPN01
Would it be the wrong time to suggest that, once you have the system
installed, up and running, nobody should ever log in as root, except in dire
or unavoidable circumstances.

Once you have the system, give your system administration group sudo all
privs. Then just don't log into root at all. This gives you accountability
for what is being done to your system; You can't tell who logged in as root
(ok, you can tell what IP address they were from, but that person can say
"Hey! Somebody else used my jack..."), but you can tell who is using sudo.

Dire circumstances? Like when you need to log into a semi-brain dead system
from the console. Or your normal authorization system (like LDAP) has given
up the ghost. Unavoidable circumstances? Like when you need to install a
product and it checks that you logged in as root; not that you are root now,
but that you actually logged in to the root account. If you're the vendor,
then shame on you! It shouldn't matter how I got to be root, and you
shouldn't care either, just to install your program.

In any case, don't log into root, and you avoid this type of problem. At
best, someone will lock themselves out, which might actually be a good
thing, given some people. And if you change root's password and forget, you
have several semi-root people to call upon to easily fix your mistake.

Of course, that doesn't mean that you don't need to change root's password
from time to time; you still need to maintain the security and integrity of
your system.

--
Robert P. Nix  Mayo Foundation.~.
RO-OE-5-55 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
"In theory, theory and practice are the same, but
 in practice, theory and practice are different."




On 4/14/08 10:42 AM, "David K. Kelly" <[EMAIL PROTECTED]> wrote:

> Miguel,
>
> For things like this VM is the Bomb!  Just make the root drive from the
> locked server available for a different Linux guest (making sure the one
> with the locked out root account is down) and boot the 2nd guest. Then
> mount the new disk as /mnt and cd /mnt/etc. Then edit the /mnt/etc/shadow
> file and remove the password from the root account. Then undo all the
> previous steps and boot.  Fixed.   (This is kind of a quick and dirty
> explanation, I can do better if you'd like.)
>
> David K.
>
>
>
>
>
> From: Marcy Cortes
> Sent by: Linux on 390 Port
> To: LINUX-390@VM.MARIST.EDU
> Date: 04/14/2008 11:30 AM
> Subject: Re: recover root password
> Please respond to: Linux on 390 Port
>
>
>
>
>
>
>
> Does anyone have full sudo?
> Then you could just
>   sudo su -
>   passwd
>
> And change it.
>
> Marcy Cortes
>
>
>
> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> Miguel Roman
> Sent: Monday, April 14, 2008 8:03 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: [LINUX-390] recover root password
>
> Hello,
>
> We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
> administrators changed the root password and forgot the password. Does
> anyone know how to recover the root password? Thanks.
>
> Miguel A Roman.
>
>
>
>

Re: recover root password

2008-04-14 Thread Miguel Roman
Thank you all for the help.

Miguel


-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
David K. Kelly
Sent: Monday, April 14, 2008 11:43 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: recover root password

Miguel,

For things like this VM is the Bomb!  Just make the root drive from the
locked server available for a different Linux guest (making sure the one
with the locked out root account is down) and boot the 2nd guest. Then
mount the new disk as /mnt and cd /mnt/etc. Then edit the /mnt/etc/shadow
file and remove the password from the root account. Then undo all the
previous steps and boot.  Fixed.   (This is kind of a quick and dirty
explanation, I can do better if you'd like.)

David K.





From: Marcy Cortes
Sent by: Linux on 390 Port
To: LINUX-390@VM.MARIST.EDU
Date: 04/14/2008 11:30 AM
Subject: Re: recover root password
Please respond to: Linux on 390 Port







Does anyone have full sudo?
Then you could just
  sudo su -
  passwd

And change it.

Marcy Cortes



-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Miguel Roman
Sent: Monday, April 14, 2008 8:03 AM
To: LINUX-390@VM.MARIST.EDU
Subject: [LINUX-390] recover root password

Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
administrators changed the root password and forgot the password. Does
anyone know how to recover the root password? Thanks.

Miguel A Roman.






Re: recover root password

2008-04-14 Thread David K. Kelly
Miguel,

For things like this VM is the Bomb!  Just make the root drive from the
locked server available for a different Linux guest (making sure the one
with the locked out root account is down) and boot the 2nd guest. Then
mount the new disk as /mnt and cd /mnt/etc. Then edit the /mnt/etc/shadow
file and remove the password from the root account. Then undo all the
previous steps and boot.  Fixed.   (This is kind of a quick and dirty
explanation, I can do better if you'd like.)

David K.





From: Marcy Cortes
Sent by: Linux on 390 Port
To: LINUX-390@VM.MARIST.EDU
Date: 04/14/2008 11:30 AM
Subject: Re: recover root password
Please respond to: Linux on 390 Port







Does anyone have full sudo?
Then you could just
  sudo su -
  passwd

And change it.

Marcy Cortes



-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Miguel Roman
Sent: Monday, April 14, 2008 8:03 AM
To: LINUX-390@VM.MARIST.EDU
Subject: [LINUX-390] recover root password

Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
administrators changed the root password and forgot the password. Does
anyone know how to recover the root password? Thanks.

Miguel A Roman.





--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
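
Removing the password field as described above leaves root with an empty password until `passwd` is run on the restarted guest. The following is an added example, not from the thread: it parses shadow-format text and reports accounts with an empty password field, so the mounted copy can be checked before the guest is booted again. The shadow contents and hash strings are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed /etc/shadow contents as they would look after the hand edit;
# the hash strings are dummy placeholders, not real hashes.
SHADOW_AFTER_EDIT = """\
root::13983:0:99999:7:::
bin:*:13900:0:99999:7:::
daemon:*:13900:0:99999:7:::
ldapadm:!:13900:0:99999:7:::
alice:$2a$10$CONSTRUCTEDplaceholderHASH:13950:0:99999:7:::
"""

# The same file after root has run passwd: a hash is present and the
# last-change day (field 3) has moved on. A hand edit leaves field 3 alone.
SHADOW_AFTER_PASSWD = SHADOW_AFTER_EDIT.replace(
    "root::13983", "root:$2a$10$CONSTRUCTEDrootPLACEHOLDER:13984")

SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}


def classify(pw_field):
    """Describe the second field of a shadow entry."""
    if pw_field == "":
        return "EMPTY"                 # no password at all
    if pw_field[0] in "!*":
        return "LOCKED"                # no password can ever match
    if pw_field.startswith("$"):
        return SCHEMES.get(pw_field.split("$")[1], "unknown-scheme")
    return "des-crypt" if len(pw_field) == 13 else "unknown-scheme"


def audit_shadow(text):
    """Return one record per account: name, password state, last-change date."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        user, pw_field, lastchg = fields[0], fields[1], fields[2]
        # Field 3 counts days since 1970-01-01.
        changed = (date(1970, 1, 1) + timedelta(days=int(lastchg))
                   if lastchg.isdigit() else None)
        entries.append({"user": user, "state": classify(pw_field), "changed": changed})
    return entries


def passwordless(text):
    """Accounts that can be entered with no password."""
    return [e["user"] for e in audit_shadow(text) if e["state"] == "EMPTY"]


if __name__ == "__main__":
    for label, text in [("after edit", SHADOW_AFTER_EDIT),
                        ("after passwd", SHADOW_AFTER_PASSWD)]:
        print(label, "passwordless accounts:", passwordless(text))
        for entry in audit_shadow(text):
            print("  ", entry["user"], entry["state"], entry["changed"])
```
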


Re: recover root password

2008-04-14 Thread Marcy Cortes
 
Does anyone have full sudo?
Then you could just 
  sudo su -
  passwd

And change it.

Marcy Cortes 



-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Miguel Roman
Sent: Monday, April 14, 2008 8:03 AM
To: LINUX-390@VM.MARIST.EDU
Subject: [LINUX-390] recover root password

Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
administrators changed the root password and forgot the password. Does
anyone know how to recover the root password? Thanks.

Miguel A Roman.






Re: recover root password

2008-04-14 Thread Mark Post
>>> On Mon, Apr 14, 2008 at 11:03 AM, in message
<[EMAIL PROTECTED]>, Miguel
Roman <[EMAIL PROTECTED]> wrote: 
> Hello,
> 
> We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
> administrators changed the root password and forgot the password. Does
> anyone know how to recover the root password? Thanks.

Boot your installation kernel and initrd, and get your network up.
Choose the SSH install method.
SSH in, activate your root file system disk.
Mount your root file system on /mnt
chroot /mnt
Change the password
Exit the chroot environment
Unmount your root file system
Re-IPL from DASD


Mark Post



Re: recover root password

2008-04-14 Thread Romanowski, John (OFT)
One way to fix it is to use your rescue system to mount the amnesiac
system's / fs at /mnt, chroot to /mnt and run passwd to change root's
pw.





-Original Message-

From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Miguel Roman
Sent: Monday, April 14, 2008 11:03 AM
To: LINUX-390@VM.MARIST.EDU
Subject: recover root password

Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
administrators changed the root password and forgot the password. Does
anyone know how to recover the root password? Thanks.

Miguel A Roman.






recover root password

2008-04-14 Thread Miguel Roman
Hello,

We are running Suse Linux 9.3 (64 bit) under z/VM 5.1. One of the
administrators changed the root password and forgot the password. Does
anyone know how to recover the root password? Thanks.

Miguel A Roman.






Re: Single user mode and root password

2007-08-26 Thread Rob van der Heij
On 8/26/07, Mark Post <[EMAIL PROTECTED]> wrote:

> We're talking about two totally different things.

Sure, there are several things that affect each other. Most understand
the limitations of root passwords, especially when you have a diverse
support staff and many servers.
My illustration of how we got around without any root passwords was to
counter the common idea that you need a root password anyway (often
like that *you* need it and others don't). And sulogin invoked after
fsck was one of the places that required it.

These days VM is not the only place where access to the server console
is often managed properly, and in those cases prompting for a password
is not needed (even unwanted, as I explained).
I believe that when done properly, you can achieve more professional
access control to your Linux servers (better security and easier to
use). It's about cleaning up and getting rid of old habits, and then
raising the bar one notch again, after 20 years or so. I can
understand this may be too complex for a distributor to drive, but it
would be nice to tolerate it without the need for local mods.

Rob



Re: Single user mode and root password

2007-08-25 Thread Mark Post
>>> On Thu, Aug 23, 2007 at  4:16 AM, in message
<[EMAIL PROTECTED]>, Rob van der Heij
<[EMAIL PROTECTED]> wrote: 
-snip-
> In my (too long) post I tried to explain why not having a root
> password is *more* secure.

We're talking about two totally different things.  My initial comment was in 
the context of a system with the root user having a password, and setting 
things up so that the root password was not requested when certain events 
occurred (fsck on boot, etc.)  Doing that would indeed lessen the theoretical 
level of security of that particular system, but not necessarily the practical 
level, assuming that the console was secured by a z/VM userid and password.  
You're talking about the case where a deliberate action was taken to remove the 
password from the root user entirely, and use other means.  Not the same 
situation at all.


Mark Post



Re: Single user mode and root password

2007-08-23 Thread Rick Troth
Rob makes an excellent point that having NO password requirement
for root access on a secured console is actually BETTER security.
Aye ... there's the rub:  on a secured console.

This is not the first time in recent weeks that Rob has suggested
something counter intuitive.  But he is right.  It may be disallowed
at your shop;  it's certainly disallowed at mine.  But his position
is really well thought and holds up under scrutiny.

It will take a while before the security people at most shops
"get it".

-- R;



Re: Single user mode and root password

2007-08-23 Thread Rick Troth
A couple of people have suggested replacing /sbin/sulogin.
I recommend leaving the supplied programs as-is.  In a prior life
I made a point of cobbling up /sbin/suloginv,  where the trailing "v"
was because these were VM-hosted Linux systems.  It was basically

#!/bin/sh
PATH=/usr/sbin:/sbin:/usr/bin:/bin ; export PATH
exec sh -i 0< /dev/console 1> /dev/console 2> /dev/console

Including an 'stty' would have been good.  I don't recall
if we had that at the time.  Worked well for closeted PC Linux too.

-- R;



Re: Single user mode and root password

2007-08-23 Thread Rob van der Heij
On 8/23/07, Mark Post <[EMAIL PROTECTED]> wrote:

> > And non-encrypted private keys (null passphrase) are evil.
>
> Careful.  Gabe didn't say he did that.  He said he had non-null passphrases.

I know. But I don't want to buy free drinks for the folks that do...

> My personal opinion is that any Linux system protected by a z/VM 
> userid/password doesn't _need_ to have a login prompt on the virtual console. 
>  Having bash running is just fine.  Even so, in absolute terms, that _is_ 
> less secure than having both.  Just not meaningfully so, IMO.  And just 
> because you have a root password doesn't mean you can't use key pairs as well 
> (as you yourself said you did).

In my (too long) post I tried to explain why not having a root
password is *more* secure.
The sulogin just gives the illusion of an extra barrier, but in real
life it is not:
- once used, the virtual machine is typically #cp disc with root logged on
- the root password is the same on many machines to achieve ease of use
- if unique, the password is stored somewhere in a place that might be
less secure
- when used, it's visible in the open on the 3215 and can be seen when
typed or logged

It's like putting an extra lock on the front door to require that
everyone needs 2 keys to get in, but for ease of use make that extra
lock match the key of the back door. When you're then less careful
with the 2nd key because they still would need both, you forget that
it still opens the back door.

When someone leaves the operations team and you remove him from the
RACF group that has a permit to the logonby profile, he'd still know
the root password and use that through su to get in again.

IMHO the whole ceremony around root passwords comes from an
environment where they don't have a better option. But when folks get
more granular access control (through managed IP-connected KVM
switches and granular physical access control and auditing) I suspect
their requirements will change as well. Local mods remain a pain,
whether by hacking or by hacked packages. We've tried both. It would
be nice if SuSE would support a configuration parameter that tells all
places to skip the sulogin.

Rob



Re: Single user mode and root password

2007-08-22 Thread Mark Post
>>> On Wed, Aug 22, 2007 at  1:19 PM, in message
<[EMAIL PROTECTED]>, Bruce Hayden
<[EMAIL PROTECTED]> wrote: 
> The point is that sulogin *is* called from multiple places, so if
> you're going to get rid of the root password (Rob's point) you either
> get to modify all the places that invoke sulogin (I find 3 scripts in
> /etc/init.d, plus /etc/inittab, and there could be more) or you modify
> /sbin/sulogin.  In either case, you have "local mods" to maintain,
> which has its drawbacks, of course..

If you did it with RPM, then that would be a different matter.  I don't think 
that's what you meant, though.  Doing it without RPM is just a Bad Idea.  Sort 
of like putting on superzaps outside of SMP/E, etc.


Mark Post



Re: Single user mode and root password

2007-08-22 Thread Mark Post
>>> On Wed, Aug 22, 2007 at  6:32 PM, in message
<[EMAIL PROTECTED]>, Rob van der Heij
<[EMAIL PROTECTED]> wrote: 
-snip-
> This is not a matter of getting in the way. What does get in the way
> is a root password that is known by some people and can be used beyond
> their original need to know. 

If you let that happen.  My prior management did not, unless there was a 
contractual requirement, in which case all SLAs were null for those particular 
systems.  In all other cases, sudo was sufficient.  It's mostly a matter of 
knowledgeable management who also have some, umm, guts.  Mine was, and did.

-snip-
> And non-encrypted private keys (null passphrase) are evil. 

Careful.  Gabe didn't say he did that.  He said he had non-null passphrases.

My personal opinion is that any Linux system protected by a z/VM 
userid/password doesn't _need_ to have a login prompt on the virtual console.  
Having bash running is just fine.  Even so, in absolute terms, that _is_ less 
secure than having both.  Just not meaningfully so, IMO.  And just because you 
have a root password doesn't mean you can't use key pairs as well (as you 
yourself said you did).


Mark Post



Re: Single user mode and root password

2007-08-22 Thread John Summerfield

Mark Post wrote:

On Tue, Aug 21, 2007 at  5:08 PM, in message

<[EMAIL PROTECTED]>, R P Herrold
<[EMAIL PROTECTED]> wrote:

On Tue, 21 Aug 2007, Mark Post wrote:


Master Resource Control: runlevel S has been reached
Give root password for login:

Looks the same to me.  Same results for "telinit 1" as well.

possibly a bootloader password.  that is not the customary
login password prompt challenge.


No, that wasn't a prompt for a boot loader password.  No such thing exists on 
mainframe Linux.  (Or if it does, and no one told me, I certainly haven't 
turned it on.)  That was from the 3215 console after issuing the telinit 
command.  It comes from /sbin/sulogin, which is what is invoked via 
/etc/inittab in single user mode:
# what to do in single-user mode
ls:S:wait:/etc/init.d/rc S
~~:S:respawn:/sbin/sulogin


One can (subject to security policies) change that to invoke bash.

unless one has really good security (better than I've seen), that's a
fairly pointless effort at securing the system.

If your disk is encrypted, you win, unless the stakes are high enough to
make it worth trying to get your keys.

If I can mount your disk I win.

If I can boot from my media, I win.

If I can type stuff at the bootloader (assuming it exists) and it's not
protected with a password, I win with "init=/bin/bash"






--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]

Please do not reply off-list



Re: Single user mode and root password

2007-08-22 Thread Rob van der Heij
On 8/22/07, Kim Goldenberg <[EMAIL PROTECTED]> wrote:

> I don't just blindly remove security functions just because it "gets in
> the way". I've even set up ssh keys with non-null passphrases as well as
> ssh-agent, to verify it's me and not someone who scarfed up my key
> without my knowledge.

:soapbox.
This is not a matter of getting in the way. What does get in the way
is a root password that is known by some people and can be used beyond
their original need to know. If you have 100 Linux virtual machines
used by various people, it just does not work well to invent 100 good
passwords every month to give each team the proper access.

Acceptance by others gets very low when they cannot have a root
password, but you can... and they will come up with a manager to
approve that they put the root password in some silly automated ftp
that copies data from one system to the other...   Not having a root
password is the best way to get out of that.

We've used this and it really works. We did have a server virtual
machine play SCIF (with logging and auditing and access control) for
when no ssh login was possible, or for automation things.

The good thing about cryptic keys is that you separate authentication
and access control, which we believe is a good thing to do. It
provides granularity and ease of use. When you already have your
workstation protected well enough, ssh-agent makes it very easy indeed
(and secure because people don't see you type in a password).
Even if you have to type your passphrase each time, that's probably
more secure against people reading it over your shoulder (because it's
the same for all systems and you can probably type it very fast). Way
better than having to look up the root password for server #86 when
someone is watching you...

And non-encrypted private keys (null passphrase) are evil. Except for
cold bodies (i.e. not warm bodies, so machines or automated processes).
And obviously you make sure that such a key only gives access to what
that process must do.

The authorized_keys file for root on that server gives full access
control. And it does auditing too. You can also use this for db2inst1
or whatever functional accounts you have. And it does not have to be
the same list of users who have access. If you want to go fancy, you
move the authorized_keys into LDAP and get the ability to build groups
and update access without messing with individual systems.

PS I believe we were eventually forced to have a root password because
corporate standards dictate that you change it every nn days, and if
you don't have one you cannot check that it expires every nn days :-(
 So I think we eventually set random passwords that nobody knew.

Rob
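
Whether a private key has a passphrase, the distinction drawn in the message above, can be read from the key file format without trying any passphrase. This is an added example, not part of the thread: the function names and the sample key files are constructed here, and it also covers the newer OpenSSH key format, which postdates these messages.

```shell
#!/bin/sh
# Added example: report private key files that carry no passphrase, judged
# from the file format alone. No passphrase is ever tried.

key_protection() {
    f=$1
    first=$(grep -m1 '^-----BEGIN ' "$f" 2>/dev/null) || { echo not-a-key; return; }
    case "$first" in
    *'BEGIN OPENSSH PRIVATE KEY'*)
        # Decoded body: "openssh-key-v1\0" (15 bytes), uint32 length, then
        # the cipher name. The name "none" means the key is stored in clear.
        cipher=$(grep -v '^-----' "$f" | tr -d '\r\n ' | base64 -d 2>/dev/null |
                 dd bs=1 skip=19 count=4 2>/dev/null)
        [ "$cipher" = none ] && echo unencrypted || echo encrypted ;;
    *'BEGIN ENCRYPTED PRIVATE KEY'*)
        echo encrypted ;;                 # PKCS#8, encrypted variant
    *'PRIVATE KEY'*)
        # Traditional PEM keys flag encryption in a Proc-Type header line;
        # a plain PKCS#8 "BEGIN PRIVATE KEY" never has one.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && echo encrypted || echo unencrypted ;;
    *)  echo not-a-key ;;
    esac
}

# Names of the unprotected private keys found directly in directory $1.
unprotected_keys() {
    for k in "$1"/*; do
        [ -f "$k" ] || continue
        [ "$(key_protection "$k")" = unencrypted ] && printf '%s\n' "${k##*/}"
    done
    return 0
}

# Constructed sample files: headers only, no real key material.
build_sample_keys() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTEDSAMPLE' \
        '-----END RSA PRIVATE KEY-----' > "$d/legacy_clear"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'CONSTRUCTEDSAMPLE' '-----END RSA PRIVATE KEY-----' > "$d/legacy_enc"
    { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
      printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$d/new_clear"
    { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
      printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$d/new_enc"
    printf '%s\n' 'ssh-rsa AAAAconstructed ops@example' > "$d/legacy_clear.pub"
    echo "$d"
}

keys=$(build_sample_keys)
for k in "$keys"/*; do
    printf '%-18s %s\n' "${k##*/}" "$(key_protection "$k")"
done
echo "keys without a passphrase:"
unprotected_keys "$keys"
rm -rf "$keys"
```
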



Re: Single user mode and root password

2007-08-22 Thread Kim Goldenberg

Bruce Hayden wrote:

The point is that sulogin *is* called from multiple places, so if
you're going to get rid of the root password (Rob's point) you either
get to modify all the places that invoke sulogin (I find 3 scripts in
/etc/init.d, plus /etc/inittab, and there could be more) or you modify
/sbin/sulogin.  In either case, you have "local mods" to maintain,
which has its drawbacks, of course..


It's your foot, you can shoot it any way you want; I'd rather keep the
need for root around.

I'd also think about what each of those use root password for and leave
the original sulogin code in place (even if just renamed) just in case
it's needed in the future. Better yet, I'd update /etc/inittab and other
places with the code I'd want instead (like /sbin/nosulogin), so that
any maintenance wasn't messed with in the future, and updates didn't
just step on the new code.

I don't just blindly remove security functions just because it "gets in
the way". I've even set up ssh keys with non-null passphrases as well as
ssh-agent, to verify it's me and not someone who scarfed up my key
without my knowledge.

Kim

On 8/22/07, Mark Post <[EMAIL PROTECTED]> wrote:


Oooh, I can't agree with that.  Replacing a system module that might get called 
from multiple places isn't a good idea.  Updating /etc/inittab to invoke bash 
would be much better (and is what I do with Slack/390).


Mark Post



--
Bruce Hayden
Linux on System z Advanced Technical Support
Endicott, NY


---

Kim Goldenberg
Systems Programmer I
State of NJ - OIT
609-777-3722
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Re: Single user mode and root password

2007-08-22 Thread Bruce Hayden
The point is that sulogin *is* called from multiple places, so if
you're going to get rid of the root password (Rob's point) you either
get to modify all the places that invoke sulogin (I find 3 scripts in
/etc/init.d, plus /etc/inittab, and there could be more) or you modify
/sbin/sulogin.  In either case, you have "local mods" to maintain,
which has its drawbacks, of course..

On 8/22/07, Mark Post <[EMAIL PROTECTED]> wrote:
>
> Oooh, I can't agree with that.  Replacing a system module that might get 
> called from multiple places isn't a good idea.  Updating /etc/inittab to 
> invoke bash would be much better (and is what I do with Slack/390).
>
>
> Mark Post

--
Bruce Hayden
Linux on System z Advanced Technical Support
Endicott, NY
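
Because sulogin is reached from /etc/inittab and from init scripts, a local mod in any one of them changes whether the console asks for the root password. The audit below is an added example, not code from this thread: the function names, the root-directory argument and the sample init script names are assumptions made here, and the sample tree is constructed from the inittab lines and the replacement script quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Inventory of everything that decides
# whether single-user mode asks for the root password. Each function takes a
# filesystem root as $1 ("" for the live system) so it can run on a copy.

# inittab entries whose runlevels field contains S, s or 1.
# Line format: id:runlevels:action:process
inittab_single_user() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }
        $2 ~ /[Ss1]/ {
            proc = $4
            for (i = 5; i <= NF; i++) proc = proc ":" $i   # ":" inside process
            print $1 " " $3 " " proc
        }' "$1/etc/inittab"
}

# inittab and init scripts whose non-comment lines invoke sulogin.
# Word-boundary match: nosulogin and suloginv are separate programs.
sulogin_callers() {
    for f in "$1/etc/inittab" "$1"/etc/init.d/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" |
           grep -Eq '(^|[^[:alnum:]_])sulogin([^[:alnum:]_]|$)'; then
            printf '%s\n' "${f#"$1"}"
        fi
    done
}

# What /sbin/sulogin is on disk: an ELF binary, a script (a local
# replacement), missing, or something else.
sulogin_kind() {
    f="$1/sbin/sulogin"
    [ -f "$f" ] || { echo missing; return; }
    case "$(od -An -tx1 -N4 "$f" | tr -d ' \n')" in
        7f454c46) echo elf-binary ;;
        2321*)    echo script ;;
        *)        echo unknown ;;
    esac
}

# Verdict for the respawn entry that guards single-user mode.
single_user_gate() {
    entry=$(inittab_single_user "$1" |
            awk '$2 == "respawn" { $1 = $2 = ""; sub(/^ +/, ""); print; exit }')
    case "$entry" in
        "") echo "no-respawn-entry" ;;
        */sulogin|*/sulogin\ *)
            k=$(sulogin_kind "$1")
            [ "$k" = elf-binary ] && echo "password-prompt" || echo "sulogin-is-$k" ;;
        *)  echo "no-password: $entry" ;;
    esac
}

# Constructed sample tree: inittab lines as quoted in the thread, two
# hypothetical init scripts, and sulogin replaced by a shell script.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/init.d" "$t/sbin"
    cat > "$t/etc/inittab" <<'EOF'
# what to do in single-user mode
ls:S:wait:/etc/init.d/rc S
~~:S:respawn:/sbin/sulogin
1:2345:respawn:/sbin/mingetty tty1
EOF
    printf '%s\n' '#!/bin/sh' 'fsck -A -a || /sbin/sulogin /dev/console' \
        > "$t/etc/init.d/boot.fsck-example"
    printf '%s\n' '#!/bin/sh' '# sulogin is not used here' 'echo done' \
        > "$t/etc/init.d/boot.other-example"
    printf '%s\n' '#!/bin/bash' 'HOME=/root' \
        'exec -l /bin/bash --login --noprofile' > "$t/sbin/sulogin"
    echo "$t"
}

tree=$(build_sample_tree)
echo "single-user inittab entries:"; inittab_single_user "$tree"
echo "files that call sulogin:";     sulogin_callers "$tree"
echo "sulogin on disk: $(sulogin_kind "$tree")"
echo "single-user gate: $(single_user_gate "$tree")"
rm -rf "$tree"
```

Run against a copy of a system's /etc and /sbin before and after a package update, a change in the output shows where an update stepped on, or restored, a local modification.
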



Re: Single user mode and root password

2007-08-22 Thread Mark Post
>>> On Wed, Aug 22, 2007 at  9:11 AM, in message
<[EMAIL PROTECTED]>, Bruce Hayden
<[EMAIL PROTECTED]> wrote: 
> Here is what I've used on SLES 10:
> 
>> cat /sbin/sulogin
> #!/bin/bash

Oooh, I can't agree with that.  Replacing a system module that might get called 
from multiple places isn't a good idea.  Updating /etc/inittab to invoke bash 
would be much better (and is what I do with Slack/390).


Mark Post



Re: Single user mode and root password

2007-08-22 Thread Spann, Elizebeth (Betsie)
Thank you for all the information and suggestions. Very much
appreciated,
Betsie 

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Bruce Hayden
Sent: Wednesday, August 22, 2007 6:11 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Single user mode and root password

Here is what I've used on SLES 10:

> cat /sbin/sulogin
#!/bin/bash
#Always log in without asking for a password
HOME=/root
exec -l /bin/bash --login --noprofile

On 8/22/07, Ronald van der Laan <[EMAIL PROTECTED]> wrote:
> Rob,
>
> Yes, by replacing the /sbin/sulogin by a script that just calls /bin/bash,
> you prevent the password check for both the fsck and single user modes.
>
> Ronald van der Laan
>

--
Bruce Hayden
Linux on System z Advanced Technical Support
Endicott, NY



Re: Single user mode and root password

2007-08-22 Thread Bruce Hayden
Here is what I've used on SLES 10:

> cat /sbin/sulogin
#!/bin/bash
#Always log in without asking for a password
HOME=/root
exec -l /bin/bash --login --noprofile

On 8/22/07, Ronald van der Laan <[EMAIL PROTECTED]> wrote:
> Rob,
>
> Yes, by replacing the /sbin/sulogin by a script that just calls /bin/bash,
> you prevent the password check for both the fsck and single user modes.
>
> Ronald van der Laan
>

--
Bruce Hayden
Linux on System z Advanced Technical Support
Endicott, NY



Re: Single user mode and root password

2007-08-22 Thread Michael MacIsaac
Mark,

> I would say that's a doc APAR in the making.  Mike?
We'll definitely look into it.

"Mike MacIsaac" <[EMAIL PROTECTED]>   (845) 433-7061



Re: Single user mode and root password

2007-08-22 Thread Ronald van der Laan
Rob,

Yes, by replacing the /sbin/sulogin by a script that just calls /bin/bash,
you prevent the password check for both the fsck and single user modes.

Ronald van der Laan



Re: Single user mode and root password

2007-08-21 Thread Mark Post
>>> On Tue, Aug 21, 2007 at  5:08 PM, in message
<[EMAIL PROTECTED]>, R P Herrold
<[EMAIL PROTECTED]> wrote: 
> On Tue, 21 Aug 2007, Mark Post wrote:
> 
>> Master Resource Control: runlevel S has been reached
>> Give root password for login:
>>
>> Looks the same to me.  Same results for "telinit 1" as well.
> 
> possibly a bootloader password.  that is not the customary
> login password prompt challenge.

No, that wasn't a prompt for a boot loader password.  No such thing exists on 
mainframe Linux.  (Or if it does, and no one told me, I certainly haven't 
turned it on.)  That was from the 3215 console after issuing the telinit 
command.  It comes from /sbin/sulogin, which is what is invoked via 
/etc/inittab in single user mode:
# what to do in single-user mode
ls:S:wait:/etc/init.d/rc S
~~:S:respawn:/sbin/sulogin



Mark Post



Re: Single user mode and root password

2007-08-21 Thread Rob van der Heij
On 8/21/07, Mark Post <[EMAIL PROTECTED]> wrote:

> It's controlled by what's in /etc/inittab, if anyone is interested in 
> modifying that.  You too can make your system (somewhat) less secure.  :)

I beg to differ...   I believe that not having a Linux root password
at all (but using cryptic keys) is more secure. And when you don't
have a root password, you don't want to get prompted for it either.
Apart from the inittab, I recall something in the boot scripts (around
fsck) also needed to be fixed.
And for the case where you can not decode the keys, using RACF to
control access to the virtual machine console works nice.

Rob



Re: Single user mode and root password

2007-08-21 Thread R P Herrold

On Tue, 21 Aug 2007, Mark Post wrote:


Master Resource Control: runlevel S has been reached
Give root password for login:

Looks the same to me.  Same results for "telinit 1" as well.


possibly a bootloader password.  that is not the customary
login password prompt challenge.

-- Russ Herrold



Re: Single user mode and root password

2007-08-21 Thread Mark Post
>>> On Tue, Aug 21, 2007 at  2:47 PM, in message
<[EMAIL PROTECTED]>, "Spann,
Elizebeth (Betsie)" <[EMAIL PROTECTED]> wrote: 
> Hi All,
> In the virtualization cookbooks for RHEL 4 and 5, it says "in single
> user mode, you are logged in as the root user" and "all of the file
> systems in /etc/fstab are mounted".   This has not been my experience
> and I am trying to determine why.
-snip-

I would say that's a doc APAR in the making.  Mike?

> Betsie (the clueless)

Hardly clueless.


Mark Post



Re: Single user mode and root password

2007-08-21 Thread Gregg Levine
On 8/21/07, Mark Post <[EMAIL PROTECTED]> wrote:
> >>> On Tue, Aug 21, 2007 at  4:09 PM, in message
> <[EMAIL PROTECTED]>, Bill Dodge
> <[EMAIL PROTECTED]> wrote:
> -snip-
> > Ah!  SLES 10!  The last time I did it was SLES 7. :-)
>
> Betsie was right, SLES9 as well.  Even Slackware does this now.
>
> It's controlled by what's in /etc/inittab, if anyone is interested in
> modifying that.  You too can make your system (somewhat) less secure.  :)
>
>
> Mark Post

Hello!
Mark is right. That's what happens on this fellow, he's running
Slackware 11.0 (Intel) with the usual cluster of security stuff, and
some options from other sources.

Ideally it should be documented in an easy to understand format someplace.

Consider what happened when a fellow member saw his system go through
the classic fsck function. If the system discovered a really
outrageous problem that itself could not repair it would drop into
single user mode and invite that user to enter the root password and
follow the steps listed there to repair the damage if possible.

Incidentally Mark the advice both you and David B provided concerning
those problems were spot-on and exactly what I would have done if I
saw it first, and more importantly, knew what to post and how to post
it.

--
Gregg C Levine [EMAIL PROTECTED]
"This signature was once found posting rude
 messages in English in the Moscow subway."



Re: Single user mode and root password

2007-08-21 Thread Mark Post
>>> On Tue, Aug 21, 2007 at  4:09 PM, in message
<[EMAIL PROTECTED]>, Bill Dodge
<[EMAIL PROTECTED]> wrote: 
-snip-
> Ah!  SLES 10!  The last time I did it was SLES 7. :-) 

Betsie was right, SLES9 as well.  Even Slackware does this now.

It's controlled by what's in /etc/inittab, if anyone is interested in modifying 
that.  You too can make your system (somewhat) less secure.  :)


Mark Post



Re: Single user mode and root password

2007-08-21 Thread Spann, Elizebeth (Betsie)
Both a Red Hat zLinux tech and an IBM zLinux tech told me otherwise.
 

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Bill Dodge
Sent: Tuesday, August 21, 2007 12:21 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Single user mode and root password

In single user mode for SUSE you are logged in as the root user however
that is not true with RedHat.  To start single user mode in RedHat you
need to know the root password.  A real PITA.


 Linux on 390 Port  wrote:
>
> Hi All,
> In the virtualization cookbooks for RHEL 4 and 5, it says "in single
> user mode, you are logged in as the root user" and "all of the file
> systems in /etc/fstab are mounted".   This has not been my experience
> and I am trying to determine why. None of my SLES 9 or RHEL AS 4 systems
> go into single user mode without prompting for the root password.
> I have verified that the TERMINAL LINEND character is set when issuing
> the VI VMSG response.
> I have been told that the prompt indicates an error in /etc/fstab or a
> startup problem.  If I boot into another state ( 3 or 5 ), there is no
> indication of /etc/fstab problems.  Checking dmesg, I can't see any
> errors.
> Any other suggestions for debugging this problem, please?
> 
> Betsie (the clueless)
 


--
Bill Dodge
email: [EMAIL PROTECTED]
Phone: (703)627-2455 

"If you don't know where you are going, any road will take you there."
Lewis Carroll
"If you don't know where you are, a map won't help" Unknown 







Re: Single user mode and root password

2007-08-21 Thread Bill Dodge
> 
> SLES10:
> # telinit S
> -snip-
> Sending all processes the TERM signal...  
> ..done  
> Sending all processes the KILL signal...  
> ..done  
> Master Resource Control: runlevel S has been reached  
> Give root password for login: 
> 
> 
> Looks the same to me.  Same results for "telinit 1" as well.
> 
> 




> Mark Post
> 

Ah!  SLES 10!  The last time I did it was SLES 7. :-) 
RedHat added the root password requirement sometime after AS 3 (which would 
probably have been RHEL 3 also).  I can still enter single user mode without a root 
password on the RedHat used by Symantec's mail gateway which we think is AS or 
ES 3.
-- 
Bill Dodge
email: [EMAIL PROTECTED]
Phone: (703)627-2455 

"If you don't know where you are going, any road will take you there."
Lewis Carroll
"If you don't know where you are, a map won't help" Unknown 







Re: Single user mode and root password

2007-08-21 Thread Mark Post
>>> On Tue, Aug 21, 2007 at  3:21 PM, in message
<[EMAIL PROTECTED]>, Bill Dodge
<[EMAIL PROTECTED]> wrote: 
> In single user mode for SUSE you are logged in as the root user however that 
> is not true with RedHat.  To start single user mode in RedHat you need to 
> know the root password.  A real PITA.

SLES10:
# telinit S
-snip-
Sending all processes the TERM signal...  
..done  
Sending all processes the KILL signal...  
..done  
Master Resource Control: runlevel S has been reached  
Give root password for login: 


Looks the same to me.  Same results for "telinit 1" as well.


Mark Post



Re: Single user mode and root password

2007-08-21 Thread Bill Dodge
In single user mode for SUSE you are logged in as the root user however that is 
not true with RedHat.  To start single user mode in RedHat you need to know the 
root password.  A real PITA.


 Linux on 390 Port  wrote:
>
> Hi All,
> In the virtualization cookbooks for RHEL 4 and 5, it says "in single
> user mode, you are logged in as the root user" and "all of the file
> systems in /etc/fstab are mounted".   This has not been my experience
> and I am trying to determine why. None of my SLES 9 or RHEL AS 4 systems
> go into single user mode without prompting for the root password.   
> I have verified that the TERMINAL LINEND character is set when issuing
> the VI VMSG response.
> I have been told that the prompt indicates an error in /etc/fstab or a
> startup problem.  If I boot into another state ( 3 or 5 ), there is no
> indication of /etc/fstab problems.  Checking dmesg, I can't see any
> errors.
> Any other suggestions for debugging this problem, please?
> 
> Betsie (the clueless)
 


-- 
Bill Dodge
email: [EMAIL PROTECTED]
Phone: (703)627-2455 

"If you don't know where you are going, any road will take you there."
Lewis Carroll
"If you don't know where you are, a map won't help" Unknown 







Single user mode and root password

2007-08-21 Thread Spann, Elizebeth (Betsie)
Hi All,
In the virtualization cookbooks for RHEL 4 and 5, it says "in single
user mode, you are logged in as the root user" and "all of the file
systems in /etc/fstab are mounted".   This has not been my experience
and I am trying to determine why. None of my SLES 9 or RHEL AS 4 systems
go into single user mode without prompting for the root password.   
I have verified that the TERMINAL LINEND character is set when issuing
the VI VMSG response.
I have been told that the prompt indicates an error in /etc/fstab or a
startup problem.  If I boot into another state ( 3 or 5 ), there is no
indication of /etc/fstab problems.  Checking dmesg, I can't see any
errors.
Any other suggestions for debugging this problem, please?

Betsie (the clueless)




Re: Does root password expire?

2006-06-15 Thread Gregg C Levine
Hello!
Betsie as far as I know, (for Intel Linux only.) it is not supposed to
happen that way. User level ones do, but not the root user. I think
Mark already explained why that can happen.
--
Gregg C Levine [EMAIL PROTECTED]
---
"Remember the Force will be with you. Always." Obi-Wan Kenobi 

> -Original Message-
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
> Spann, Elizebeth (Betsie)
> Sent: Thursday, June 15, 2006 5:10 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: [LINUX-390] Does root password expire?
>
> Anyone know if root password expires?  I have a couple of machines that
> I can't log into now.
>
> Betsie



Re: Does root password expire?

2006-06-15 Thread Spann, Elizebeth (Betsie)
It's not the default?  I just create userids with useradd or via Yast.
Betsie Spann

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Post, Mark K
Sent: Thursday, June 15, 2006 2:34 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Does root password expire?

That depends on how your system was set up.  It certainly can, but it's
not a given.


Mark Post 

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Spann, Elizebeth (Betsie)
Sent: Thursday, June 15, 2006 5:10 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Does root password expire?

Anyone know if root password expires?  I have a couple of machines that
I can't log into now.

Betsie



Re: Does root password expire?

2006-06-15 Thread Post, Mark K
That depends on how your system was set up.  It certainly can, but it's
not a given.


Mark Post 

-Original Message-
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Spann, Elizebeth (Betsie)
Sent: Thursday, June 15, 2006 5:10 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Does root password expire?

Anyone know if root password expires?  I have a couple of machines that
I can't log into now.

Betsie

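Whether root's password "can" expire comes down to the aging fields of its /etc/shadow entry. The following is an added example, not part of the original thread: it classifies an entry with a simplified reading of shadow(5), and the sample entries, the account names and the status strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a shadow(5) entry by its aging fields.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are days since 1970-01-01).

# shadow_status FILE USER [TODAY]
# FILE may be "-" for stdin; TODAY defaults to the current day number.
shadow_status() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v u="$2" -v today="$today" '
        $1 != u { next }
        {
            found = 1
            last = $3; max = $5; inact = $7; acct = $8
            if (acct != "" && today >= acct + 0) { print "account-expired"; exit }
            if (last == "0")                     { print "must-change-at-login"; exit }
            if (last == "" || max == "")         { print "no-aging"; exit }
            due = last + max
            if (today < due)                     { print "ok"; exit }
            if (inact != "" && today >= due + inact) { print "locked-inactive"; exit }
            print "password-expired"; exit
        }
        END { if (!found) print "no-such-user" }
    ' "$1"
}

# Constructed sample entries (the hashes are placeholders, not real).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed:13200:0:90:7:::
betsie:$6$constructed:13300:0:90:7:14::
svc:$6$constructed:13000:0:60:7:14::
old:$6$constructed:13300:0:99999:7::13310:
new:$6$constructed:0:0:90:7:::
plain:$6$constructed:13300::::::
EOF
}

# Day 13314 is 2006-06-15, the date of the thread.
for u in root betsie svc old new plain nobody; do
    printf '%-8s %s\n' "$u" "$(sample_shadow | shadow_status - "$u" 13314)"
done
```

On a live system the same fields are shown by `chage -l root`; reading /etc/shadow directly requires root.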


Does root password expire?

2006-06-15 Thread Spann, Elizebeth (Betsie)
Anyone know if root password expires?  I have a couple of machines that
I can't log into now.

Betsie




Reply: Re: root password

2002-05-13 Thread Tim-Chr. Hanschen

:-)))

That worked fine... thanks.

- Tim -





Rob van der Heij <[EMAIL PROTECTED]>@VM.MARIST.EDU> on 13.05.2002 09:14:47

Please reply to Linux on 390 Port <[EMAIL PROTECTED]>

Sent by:  Linux on 390 Port <[EMAIL PROTECTED]>


To:   [EMAIL PROTECTED]
Cc:
Subject: Re: root password


>somebody of my so-called colleagues changed the root-password, so I cannot
>get into the system. Is there a possibility for me to change the
>root-password or do I have to reinstall?

My favorite is to IPL from the Ramdisk system again, load the
dasd driver and mount the disks, chroot into that system and
issue the 'passwd' command (or change /etc/inittab to make it
invoke /bin/sh instead of getty)

Rob



Re: root password

2002-05-13 Thread Rob van der Heij

>somebody of my so-called colleagues changed the root-password, so I cannot
>get into the system. Is there a possibility for me to change the
>root-password or do I have to reinstall?

My favorite is to IPL from the Ramdisk system again, load the
dasd driver and mount the disks, chroot into that system and
issue the 'passwd' command (or change /etc/inittab to make it
invoke /bin/sh instead of getty)

Rob



Re: root password

2002-05-13 Thread John Summerfield

> Hi again,
>
> somebody of my so-called colleagues changed the root-password, so I cannot
> get into the system. Is there a possibility for me to change the
> root-password or do I have to reinstall?
>
> I am using a 2.4 kernel. Oh, there is no ftp access to the system


I know how to do it on my system, but I suspect it's different on a mainframe;-()

There's probably an easier way (there is for Linux on IA32).

If you can access the volume from another Linux system then you can edit
/etc/passwd so the root entry looks like this:
root::0:0:root:/root:/bin/bash

For this purpose 'another system' is anything (maybe your install system, maybe
a small system you keep for repairing other systems) that gives you a shell
prompt.


I assume you're using openssh? Create yourself a key with ssh-keygen and add it
to /root/.ssh/authorized_keys or /root/.ssh/authorized_keys2 according to the
kind of key you have.

Then you can get to root without a password:
[summer@numbat summer]$ root
Last login: Mon May 13 06:23:59 2002 from localhost
[root@numbat root]# cd .ssh/
[root@numbat .ssh]# ll
total 16
-rw-r--r--    1 root root  603 Dec 31 23:19 authorized_keys2
-rw-------    1 root root  668 Jan  7 09:16 id_dsa
-rw-r--r--    1 root root  601 Jan  7 09:16 id_dsa.pub
-rw-r--r--    1 root root  686 Feb 21 10:53 known_hosts2
[root@numbat .ssh]#

root is a shell function I defined:
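root ()
{
    # First argument is the host; default to the local machine.
    RH=${1:-127.0.0.1}
    # Only shift when there is an argument to drop.
    [ $# -gt 0 ] && shift
    # Quote the host and pass any remaining words through as the remote command.
    ssh -t -l root "$RH" "$@"
    return $?
}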


--
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/

Note: mail delivered to me is deemed to be intended for me, for my disposition.

==
If you don't like being told you're wrong,
be right!
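A `root::0:0:...` entry like the one above lets anyone log in as root with no password until a new one is set, so it is worth auditing for after a recovery. The following is an added example, not part of the original post: it cross-checks passwd and shadow for passwordless logins and extra UID 0 names, and the function names, sample accounts and finding texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts that can log in with no password,
# plus any UID 0 account that is not named root.

# audit_accounts PASSWD SHADOW   prints one finding per line.
audit_accounts() {
    awk -F: '
        # First file (shadow): remember each name and its hash field.
        FILENAME == ARGV[1] {
            if ($1 != "") { known[$1] = 1; hash[$1] = $2 }
            next
        }
        /^#/ || NF == 0 { next }
        $2 == ""                                     { print $1 ": empty password field in passwd" }
        $2 == "x" && !($1 in known)                  { print $1 ": no shadow entry" }
        $2 == "x" && ($1 in known) && hash[$1] == "" { print $1 ": empty hash in shadow" }
        $3 == 0 && $1 != "root"                      { print $1 ": UID 0 but not named root" }
    ' "$2" "$1"
}

# Constructed sample files; the root line is the one from the post.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root::0:0:root:/root:/bin/bash
toor:x:0:0:spare admin:/root:/bin/bash
betsie:x:1000:100:Betsie:/home/betsie:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
toor:$6$constructed:13300:0:99999:7:::
betsie::13300:0:90:7:::
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
audit_accounts "$demo/passwd" "$demo/shadow"
rm -rf "$demo"
```

Against a repaired volume mounted from another system, point the two arguments at that volume's etc/passwd and etc/shadow rather than the running system's files.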



root password

2002-05-12 Thread Tim-Chr. Hanschen

Hi again,

somebody of my so-called colleagues changed the root-password, so I cannot
get into the system. Is there a possibility for me to change the
root-password or do I have to reinstall?

I am using a 2.4 kernel. Oh, there is no ftp access to the system

- Tim -