Change Expired root Password

Hello everybody, hope you all are having a good day.

Here is our (my) situation...

We have a process where we clone Solaris 8 hard disk drives then have to configure each drive for the system they will be used in. In the old cloning image the root password never expired. We also have techs doing this and it works fine.

Now, the customer has added tighter security requirements which set the root password to expire after a specified number of days. So, if it has been longer than the specified number of days since the capture of the image, the techs will be required to change the root password.

In an old procedure on how to do this they would:

  1. Shut down the system
  2. When shut down enter the command boot -s at the OK prompt
  3. Then it says: after the reboot at the # enter passwd root

Problem is, when trying to boot into single user mode it asks for the root password for maintenance or control-d to skip. I'm a newbie when it comes to UNIX administration (since I have always been a user and it has been 20 years) and was wondering if I was missing anything.

When doing research on the interwebs I have found out about booting from a CD-ROM then editing the shadow file. I don't think the techs will be able to do this since they are not UNIX users.

Any help and any suggestion will be greatly appreciated.

Have a Great Day all and Thanks.

Try ctrl-D to skip. If it gets you into a shell at all, you're there. You may need to do some manual mounting and/or remounting before you can actually alter the shadow files though, since / will probably still be mounted read-only at this point.

Thanks for responding Corona, the control-d does get to a shell. Can they (the techs) enter the command:

    # passwd root

to reset the expired password?

Thanks again.

Keep in mind I'm working from my experience with Linux. The situation seems almost identical, right down to the 'root password for maintenance' prompt, but beneath the skin it might not be quite what I think.

Still, the system is up in a very minimal fashion at this point. No services whatsoever, and it hasn't mounted any disks except your root filesystem, and probably read-only at that. Since the password hash is kept in a file in the root filesystem...

Try updating the password. If it works you're done. If it doesn't, you may have to mount -o remount,rw / or the Solaris equivalent then try again.

So, in order to improve security, you now have a procedure in place that allows an unknown person to change the root password without any auditing of the event.

Maybe having root passwords expire is a REALLY BAD IDEA...

When they get to the final user, they change the password for root and all canned accounts. We just put on a default password that is then in their instructions so they know what it is.

In our procedure we tell the techs what to set the passwords to.

Were you able to change the password?

Kind of in a holding pattern since we need to make sure that the techs will be able to perform what we come up with. Found out there is another procedure to change expired root passwords; we are trying to get that and verify that it works. Then the decision is to either incorporate the information into the document I'm working on or to reference it; in the event the steps change, we then make the change in one document instead of two.

Thanks for all the responses, it is mucho appreciated.
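
The expiry condition described in the first post (an image captured longer ago than the allowed number of days) can be checked from the aging fields of the account's shadow(4) entry. This is an added example, not part of the thread. The function name, the sample entries and the day numbers are constructed, and it assumes a POSIX shell and awk (on Solaris 8 that means nawk or /usr/xpg4/bin/awk, since the old /usr/bin/awk has no -v option).

```shell
#!/bin/sh
# Added example: report password aging state from a shadow(4) file.
# Entry layout: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is the day of the last change (days since 1970-01-01) and
# max is the number of days the password stays valid after that.

# shadow_status FILE USER TODAY_DAYS
# Prints: "no-aging", "must-change", "expired N", "valid N" or "missing".
# Rule used here (an assumption of this example): the password counts as
# expired once more than max days have passed since lastchg.
shadow_status() {
    awk -F: -v user="$2" -v today="$3" '
        $1 == user {
            found = 1
            lastchg = $3; max = $5
            # Empty or negative aging fields mean no expiry is configured.
            if (lastchg == "" || max == "" || max + 0 < 0) { print "no-aging"; exit }
            # lastchg of 0 forces a change at the next login.
            if (lastchg + 0 == 0) { print "must-change"; exit }
            left = lastchg + max - today
            if (left < 0) print "expired", -left
            else          print "valid", left
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample entries; the hash fields are placeholders.
sample_shadow() {
    cat <<'EOF'
root:PLACEHOLDERHASH:12000:7:90:14:::
daemon:NP:6445::::::
oper:PLACEHOLDERHASH:0:7:90:14:::
EOF
}

f=${TMPDIR:-/tmp}/shadow.sample.$$
sample_shadow > "$f"
# Day 12100 is 100 days after the sample root entry was last changed.
for u in root daemon oper nosuchuser; do
    echo "$u: $(shadow_status "$f" "$u" 12100)"
done
rm -f "$f"
```

On a real image the file would be the cloned disk's /etc/shadow, and TODAY_DAYS is the current date expressed as days since 1970-01-01.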