Failed to recover root password in Solaris 10 on Sparc CPU Sun Ultra10

Failed to recover lost root password for Solaris SunSparc
(On Sun Ultra10 - SPARC CPU Hardware, not x86 Intel CPU nor x64 AMD CPU)
This Sun Ultra10 workstation comes with an old 6-in wafer probing station purchased from a Surplus equipment vendor.
Computer: Sun Ultra 5/10 UPA/PCI (UltraSPARC-Iii 440MHz). Sparc10 with UPA creative 3D graphics card and CDROM driver, Sun Type 5C keyboard/mouse. Sun Monitor. Solaris 10 SunOS. Solaris 10 installation CD. Unknown root password.
Here is the procedure that I followed in an attempt to recover the root password.

  1. Turn on SUN UltraSparc 10 and load Solaris 10 Installation CD
  2. Reboot Machine with CD inside CDROM drive
  3. Hit "Stop A" on keyboard during boot to get to the OK prompt
  4. To boot computer into single user mode, I typed "boot cdrom -s" at ok.

     ok boot cdrom -s

  5. Once booted off the CDROM, it showed

     INIT: SINGLE USER MODE
     #
     # mount /dev/dsk/c0t0d0s0 /a (to look for password shadow file)
     # cat /a/etc/shadow

     root:xxxxxx:6445:::::::
     daemon:NP:6445:::::::
     ....

     # vi /a/etc/shadow (to remove xxxxx between root and 6445)
     :wq! to save and quit out of vi
     # cat /a/etc/shadow (to check shadow file after editing)

     root::6445:::::::
     daemon:NP:6445:::::::
     ....

     #umount /a (unmount device at /a)
     #pwd
     #/tmp/root

It looks all good so far. But my trouble starts from here: the computer is still asking for root password at boot!!!

  1. To boot into single user mode again to reset root password

     # boot ok -s
     boot: not found

  2. I then tried

     #boot -s
     boot: not found

  3. I then tried

     #boot
     boot: not found

  4. I then opened the CD drive and took Solaris 10 CD out

     #reboot

  5. Sun UltraSparc 10 went into normal boot sequence. The typical CDE login screen showed up. Welcome Solaris user10

     Please enter user name: root <enter>
     Please enter password: <enter>
     It showed: login incorrect; please try again

  6. I then tried

     Please enter user name: <enter>
     Please enter password: <enter>
     It showed: login incorrect; please try again

  7. I don't understand why it was still looking for root password since I have already removed root password string in the shadow file!!!
  8. I then went through the above step1-4 to boot into SINGLE USER MODE, to change root password

     INIT: SINGLE USER MODE
     #passwd
     passwd (SYSTEM): password database busy. Try again later. Permission denied.

  9. I then tried

     #passwd root
     passwd (SYSTEM): password database busy. Try again later. Permission denied.

  10. So far none of boot and passwd commands worked for me. Any advice?

Note that many Solaris systems may have mirrored volumes, a volume manager or other method of copying the full filesystem. If this is the case these instructions will need to be followed for both volumes, otherwise corruption can easily occur.
Does it mean that there is another shadow file inside /dev/dsk/c0t1d0s0 besides /dev/dsk/c0t0d0s0?

hi

Reset root password on Solaris X86 Box - YouTube: see this video and note

You can check this link:

Solaris System Admin tips: How to reset the Root password in Sun Solaris (SPARC)

-- are you connected over serial-console or network?

Please note that if you are connected over serial console, it should not ask you for the boot password again after resetting it.

However, it may ask if you are connected over the network; then, depending on your PermitRootLogin setting in the /etc/ssh/sshd_config file and on your CONSOLE=/dev/console setting in the /etc/default/login file, the machine may deny you access even if you are giving the correct password.

I am not a genius at this, but I experienced these issues recently. Hope it helps.

Thanks Mystition. The workstation wasn't connected through serial-console or networked. It's a stand-alone SUN Ultra 10 Sparc workstation with wafer probing setup programs on it. Are you suggesting that I should use a null modem serial cable to hookup to a hyperterminal on PC to boot the SUN Ultra10? Josh

---------- Post updated at 11:41 AM ---------- Previous update was at 11:36 AM ----------

I followed the several posts from 1996-2004 about resetting root password. I read that thread before. My problem is that at the single user mode prompt, when I typed #passwd, it complains that the password database is busy and permission denied (see my original post). Thanks. Josh

---------- Post updated at 12:01 PM ---------- Previous update was at 11:41 AM ----------

Hi Coolboys,

Thanks for the YouTube video. I wish I could have known it sooner. I know the difference in booting into the single user mode between the X86 Intel system and the SPARC Sun system. I actually practiced resetting the password on the x86 system first without issue before I tried on this newly acquired Sun UltraSPARC10. I successfully removed the root password string without issue. My problem is that it is still asking for the password after reboot at the login page.
Thanks,
Josh

Hi Fromtexas0,

If you "boot cdrom" and mount the / partition on /a, you should be able to "vi" the "/a/etc/shadow" file and enter an encrypted string for a known password.

This should allow you to login to the box as root after a "ok boot" command. There should be no difference if the box is X86 or SPARC. The only people that I know in the wafer manufacture world that used C2 security on SPARC systems were Motorola and ATMEL; if the system came from any of these people then my suggestion would be to create the /etc/passwd file and the /etc/shadow file on another system and copy them into place.

Regards

Dave

Hi, Dave,

I copied the known password string from the shadow file of another x86 Intel based SUN Solaris 10 next door to this Sun Ultra10. Then I rebooted the machine. I used root as username and the known password (.root) from that X86 machine at the login page. It says: login incorrect; please try again. I went back into single user mode to see if the shadow file was corrupted. It wasn't. I have no way to tell where it came from. The purchasing lady called the surplus vendor in vain. Very confusing! Any other clues?

Thanks for the suggestions,
Josh

Perhaps you have a mirrored root disk. In this case you should edit /etc/shadow on both submirrors.

Please post the output of these commands:

grep root /a/etc/passwd /a/etc/shadow
ls -l /a/etc/*tmp /a/etc/nsswitch.conf
grep "^passwd" /a/etc/nsswitch.conf
grep PASSREQ /a/etc/default/login
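
The shadow, nsswitch.conf and PASSREQ checks requested above, gathered into one read-only script (an added example, not part of the thread). The function names are hypothetical, a POSIX shell is assumed, and the sample tree is constructed from the values posted in the thread.

```shell
#!/bin/sh
# Added example: read-only summary of the login settings under a mounted root.

# shadow_state ROOT USER -> empty | locked | no-password-login | hashed | missing
shadow_state() {
    while IFS=: read -r name pw rest; do
        [ "$name" = "$2" ] || continue
        case $pw in
            '')      echo empty ;;              # no password set
            '*LK*'*) echo locked ;;             # Solaris locked-account marker
            NP)      echo no-password-login ;;  # as on the daemon line in the thread
            *)       echo hashed ;;
        esac
        return 0
    done < "$1/etc/shadow"
    echo missing
}

# passwd_source ROOT -> sources listed on the "passwd:" line of nsswitch.conf
passwd_source() {
    sed -n 's/^passwd:[[:space:]]*//p' "$1/etc/nsswitch.conf" | head -n 1
}

# passreq ROOT -> value of the last uncommented PASSREQ= line, or "unset"
passreq() {
    v=$(sed -n 's/^PASSREQ=//p' "$1/etc/default/login" | tail -n 1)
    echo "${v:-unset}"
}

# audit_root_login ROOT -> one summary line; fails if a file is unreadable
audit_root_login() {
    for f in etc/shadow etc/nsswitch.conf etc/default/login; do
        [ -r "$1/$f" ] || { echo "cannot read $1/$f (is the disk mounted?)"; return 1; }
    done
    echo "shadow=$(shadow_state "$1" root) source=$(passwd_source "$1") passreq=$(passreq "$1")"
}

# Constructed sample tree holding the values posted in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/etc/default"
printf 'root::6445::::::\ndaemon:NP:6445::::::\n' > "$demo/etc/shadow"
printf 'passwd:   files\n' > "$demo/etc/nsswitch.conf"
printf '#PASSREQ determines if login requires a password.\nPASSREQ=YES\n' > "$demo/etc/default/login"
audit_root_login "$demo"   # shadow=empty source=files passreq=YES
rm -rf "$demo"
```

On the real machine the argument would be the mount point of the hard disk's root slice, such as /a.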

Hi, Jlliagre,

Here are the outputs from all these commands -

#grep root /a/etc/passwd /a/etc/shadow
/a/etc/passwd:root:x:0:0:Super-User:/:/sbin/sh
/a/etc/shadow:root::6445::::::
#ls -l /a/etc/*tmp /a/etc/nsswitch.conf
-rw-r--r--   1 root  sys   943  Dec 24 2007  /a/etc/nsswitch.conf
#grep "^passwd" /a/etc/nsswitch.conf
passwd:   files
#grep PASSREQ /a/etc/default/login
#PASSREQ determines if login requires a password.
PASSREQ=YES
#
 

Thanks,
Josh

PASSREQ=NO

in the login file should help.

Hi All,

I've seen this thread going along for a few days now and I know that I'm coming to this late so what I'm about to say might be irrelevant.

However, if I had this situation my thoughts would be to boot into single user:

 
boot cdrom -s

Mount the harddisk root filesystem under /a

Change the root to /a

Then use passwd command to change the root passwd:

 
passwd root

I don't think it will ask for the old password because you're logged in as God.

Has this been tried? If so, why doesn't it work.

I assume the passwd database busy error is due to the fact that it's still looking at the cdrom filesystem as root.

Comments anyone?

Hi Jlliagre,

Thanks for your reply.

I booted the machine into single user mode and mounted the filesystem on /a, and I changed PASSREQ=YES to PASSREQ=NO

Code:

 
#vi /a/etc/default/login
#PASSREQ determines if login requires a password.
PASSREQ=NO

verification:

Code:

 
#grep PASSREQ /a/etc/default/login
#PASSREQ determines if login requires a password.
PASSREQ=NO
# 

After umount /a and boot back to normal CDE login page, it still asked for password after username (root). It still complains: login incorrect; please try again. Not working.

I then went back to single user mode and tried to edit out the :x: on the root password in the passwd file.

Code:

 
#vi /a/etc/passwd
root::0:0:Super-User:/:/sbin/sh

verification:
Code:

 
#grep root /a/etc/passwd /a/etc/shadow
/a/etc/passwd:root::0:0:Super-User:/:/sbin/sh
/a/etc/shadow:root::6445::::::
# 

But it still asked for password at login page: login incorrect; please try again. Not working either.

Hi Hicksd8,

I tried your suggestions with code error return:

Code:

 
#chroot /a 
usage: chroot rootdir command arg... 

I went ahead to see if I could change the password anyway:

Code:

 
#passwd root 
passwd (SYSTEM): password database busy. Try again later. Permission denied. 

Not working.

Hi rua,

I tried to find mirrored filesystem in vain. Just what I have tried:

After boot into single user mode, I typed code:

 
#mkdir /tmp/d0
#mount /dev/dsk/c0t0d0s0 /tmp/d0
 
#mkdir /tmp/d1
#mount /dev/dsk/c0t1d0s0 /tmp/d1
mount: /dev/dsk/c0t1d0s0 or /tmp/d1, no such file or directory.
 
#ls /dev/dsk
c0t0d0s0 c0t0d0s2 c0t0d0s4 c0t0d0s6  c0t2d0s0 c0t2d0s2 c0t2d0s4 c0t2d0s6
c0t0d0s1 c0t0d0s3 c0t0d0s5 c0t0d0s7  c0t2d0s1 c0t2d0s3 c0t2d0s5 c0t2d0s7
 
#mount /dev/dsk/c0t2d0s0 /tmp/d1
mount: /dev/dsk/c0t2d0s0 is already mounted; /tmp/d1 is busy, or the allowble number of mount points has been exceeded.

I just couldn't find the mirrored filesystem.

Thanks for all the replies. Any other suggestions? Josh

That should have been:

chroot /a passwd root

You might also create a regular (non root) user account and see if you can login with it. Perhaps there is some logic that prevents root login in a graphical environment (which is a poor practice anyway).
Can you switch to non-graphical mode and see if you can login from there?

Hi, Jlliagre,

After booting to single user mode and mounting the filesystem on /a, I tried your command and it still spat out an error as follows:

 
INIT: SINGLE USER MODE
#mount /dev/dsk/c0t0d0s0 /a
#chroot /a passwd root
chroot: No such file or directory
#chroot /a
usage: chroot rootdir command arg...

It's not working.

I also tried to login through command-line mode without success. See below:

 
sunny10 console login: root
Password:
Login incorrect
Login: 

Any more comments?

Thanks,
Josh

So it looks like chroot cannot find the passwd command. No path I guess.

So should it be:

 
chroot /a /bin/passwd root

I'm not sure, comments please. (I have no access to a Solaris system right now.)

What says

ls -l /a/usr/bin/passwd
grep "^login" /a/etc/pam.conf
chroot /a /usr/bin/passwd root

?

Hi, jlliagre,

I just got back to work and get access to this unix box this morning.

I boot it into single user mode and mount filesystem to /a.

It says:

 
#ls -l /a/usr/bin/passwd
-r-sr-sr-x 1 root sys 27228 Aug 16 2007 /a/usr/bin/passwd
 
#grep "^login" /a/etc/pam.conf
login auth requisite   pam_authtok_get.So.1
login auth required    pam_dhkeys.So.1
login auth required    pam_unix_cred.So.1
login auth required    pam_unix_auth.So.1
login auth required    pam_dial_auth.So.1
 
#chroot /a /usr/bin/passwd root
segmentation Fault

Any thoughts?
Thanks,
Josh

truss -f chroot /a /usr/bin/passwd root

Hi, jlliagre,

 
#truss -f chroot /a /usr/bin/passwd root
execve(*/usr/sbin/chroot", 0xFFBFF574, 0xFFBFFF588)  argc=4
resolvepath(*/usr/lib/Ld.so.1", "/Lib/Ld.so.1", 1023) = 12
resolvepath(*/usr/sbin/chroot", "/usr/sbin/chroot", 1023) = 16
 
... many many pages
 
chroot(*1242: write(2, * chroot ( **, 8)  = 8
/a1242: write(2, " / a", 2)                      = 2
"): 1242:  write(2, " " ) :  ", 4)                = 4
No such file or directory1242: write(2, " No such file" .., 25) = 25
1242: write(2, "\n", 1)                           = 1
1242: _exit(1)

Sorry. It's way too long, I cannot type by hand. There is no connection or USB that can send data out either at this time.

I'll post more later

Thanks,
Josh

---------- Post updated at 08:47 PM ---------- Previous update was at 07:03 PM ----------

Hi, Jlliagre,

I went next door and grabbed their x86 machine with Solaris 8 for a comparison study. Here is what I found:

Sun X86 Solaris 8 machine -

 
#uname -sr
SunOS 5.8
# grep root /a/etc/passwd /etc/passwd 
root:x:0:1:Super-User:/:/sbin/sh
root:x:0:1:Super-User:/:/sbin/sh
#head /etc/group
root::0:root
other::1:
bin::2:root,bin,daemon
...

Sun UltraSparc10 Solaris 10 machine -

 
#uname -sr
SunOS 5.10
# grep root /a/etc/passwd /etc/passwd
root:x:0:0:Super-User:/:/sbin/sh
root:x:0:1:Super-User:/:/sbin/sh
#head /etc/group
root::0:
other::1:root
bin::2:root,daemon
...

I read an Oracle document and it says that group "0" is reserved for root. But the Solaris 10 assigns group "1" to root. I just don't know if these differences are significant here. Should I make the Solaris 10 the same as in Solaris 8? Or are these the typical setup differences that exist between Solaris 8 and Solaris 10?

Any comments?

Thanks,
Josh

I expected the truss command to be run in single user mode and root file system mounted on /a. This doesn't seem to be the case in your reply.

The root group discrepancy shouldn't matter.
