SUMMARY: Sparc 20 - Solaris 8 - password recovery

From: Hays, Jonathan <Jonathan.Hays_at_NCEMCS.com>
Date: Wed Jul 07 2004 - 10:20:08 EDT
A big public thanks to David B. Harrington for the fix: mount slice 0, not
slice 2.

I had mounted the wrong disk slice. Mounting /dev/dsk/c0t3d0s0 instead of
/dev/dsk/c0t3d0s2 brought up a different /etc/passwd and /etc/shadow file.
After I deleted the password for the root entry in /etc/shadow and rebooted
into multiuser mode I was able to login as root without a password.

I would have thought that mounting s2 would have allowed me access to the
whole disk, but something funny was going on. I don't understand it, because
I know I have broken into a bunch of Ultra 5 and Ultra 10 machines by
mounting s2. But evidently s0 is a safer bet for older machines?

Any ideas on this?

Anyway, thanks to everyone's suggestions.

Jonathan


-----Original Message-----
From: Harrington, David B. (Contractor) (DSCR)
[mailto:David.Harrington@dla.mil] 
Sent: Wednesday, July 07, 2004 8:17 AM
To: 'Hays, Jonathan'
Subject: RE: Sparc 20 - Solaris 8 - password recovery

Jonathan;

I would run the command "mount /dev/dsk/c0t0d0s0 /mnt" rather than
.../c0t0d0s2. (This assumes that c0t0d0s0 is your boot partition)

The password itself is in the /mnt/etc/shadow file, not the /etc/passwd
file. Restore the password file to read:

root:x:0:0:Super-User:/:/sbin/sh

Edit the /mnt/etc/shadow file to read:
Root::12600:::::: (or whatever). The blank 2nd field is what you really
need.

Save it, and reboot.

dbh

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org
[mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Hays, Jonathan
Sent: Tuesday, July 06, 2004 16:34
To: 'sunmanagers@sunmanagers.org'
Subject: Sparc 20 - Solaris 8 - password recovery


I've inherited a Sparc 20 with Solaris 8 and I'm having trouble with
password recovery. I have some experience with simple password recovery but
what I've done is not working. Here's what I did:

1. boot to single user mode with a CD-ROM from the ok prompt. 2. mount the
hard drive to /mnt 3. delete the password field in /etc/shadow on the hard
drive 4. check /etc/default/login and /etc/default passwd. 5. remove the
cdrom and reboot.

After the reboot, I expected to login as root with no password (as I've done
on many other occasions). However I still can't get in and it is demanding a
password. I suspect someone has configured some kind of new-fangled security
setting on this box.

;-)

I guess I could just wipe it out and reinstall but I'm intrigued to know
what is configured on it that is defeating my password recovery efforts.

Any more ideas? Please help!

Thanks, Jonathan

See below for details.
--
######
lost root password
######

supportsun20 console login: root
Password:
Login incorrect
supportsun20 console login: Type  'go' to resume
Type  help  for more information

######
boot from cdrom
######

<#2> ok boot cdrom -s
)esetting ...
SPARCstation 20 MP (2 X 390Z55), No Keyboard
ROM Rev. 2.15, 192 MB memory installed, Serial #3443064. Ethernet address
8:0:20:20:1b:79, Host ID: 72348978.



Initializing Memory -
Type  help  for more information
<#0> ok boot cdrom -s
Boot device: /iommu/sbus/espdma@f,400000/esp@f,800000/sd@6,0:d  File and
args: -s
SunOS Release 5.8 Version Generic_108528-13 32-bit
Copyright 1983-2001 Sun Microsystems, Inc.  All rights reserved. Configuring
/dev and /devices Using RPC Bootparams for network configuration
information.
le0: No carrier - cable disconnected or hub link test disabled? Skipping
interface le0 \
INIT: SINGLE USER MODE
# ls
etc     kernel  var
# ls /dev/dsk
c0t3d0s0  c0t3d0s2  c0t3d0s4  c0t3d0s6  c0t6d0s0  c0t6d0s2  c0t6d0s4
c0t6d0s6 c0t3d0s1  c0t3d0s3  c0t3d0s5  c0t3d0s7  c0t6d0s1  c0t6d0s3
c0t6d0s5 c0t6d0s7 # mount /dev/dsk/c0t3d0s2 /mnt # cd /mnt/etc


######
edit files in vi
######

# cat /mnt/etc/passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/: nobody4:x:65534:65534:SunOS 4.x
Nobody:/: # # # cat /mnt/etc/shadow
root::6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess::6445::::::
nobody4:NP:6445::::::
#
#
#
# cat /mnt/etc/default/passwd
#ident  "@(#)passwd.dfl 1.3     92/07/14 SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=
#
#
#
# cat /etc/mnt/default/login
cat: cannot open /etc/mnt/default/login
# cat /mnt/etc/default/login
#ident  "@(#)login.dfl  1.10    99/08/04 SMI"   /* SVr4.0 1.1.1.1       */

# Set the TZ environment variable of the shell.
#
#TIMEZONE=EST5EDT

# ULIMIT sets the file size limit for the login.  Units are disk blocks. #
The default of zero means no limit. # #ULIMIT=0

# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

# PASSREQ determines if login requires a password.
#
PASSREQ=NO

# ALTSHELL determines if the SHELL environment variable should be set #
ALTSHELL=YES

# PATH sets the initial shell PATH variable
#
#PATH=/usr/bin:

# SUPATH sets the initial shell PATH variable for root
#
#SUPATH=/usr/sbin:/usr/bin

# TIMEOUT sets the number of seconds (between 0 and 900) to wait before #
abandoning a login session. # #TIMEOUT=300

# UMASK sets the initial shell file creation mode mask.  See umask(1). #
#UMASK=022

# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used #
to log all root logins at level LOG_NOTICE and multiple failed login #
attempts at LOG_CRIT. # SYSLOG=YES

# SLEEPTIME controls the number of seconds that the command should # wait
before printing the "login incorrect" message when a # bad password is
provided.  The range is limited from # 0 to 5 seconds. # #SLEEPTIME=4

# RETRIES determines the number of failed logins that will be
# allowed before login exits.
#
#RETRIES=5
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed #
login attempts will be allowed by the system before a failed login # message
is logged, using the syslog(3) LOG_NOTICE facility.  For example, # if the
variable is set to 0, login will log -all- failed login attempts. #
#SYSLOG_FAILED_LOGINS=5 # # # #

#
# reboot
syncing file systems... done
rebooting...
)esetting ...
SPARCstation 20 MP (2 X 390Z55), No Keyboard
ROM Rev. 2.15, 192 MB memory installed, Serial #3443064. Ethernet address
8:0:20:20:1b:79, Host ID: 72348978.



Rebooting with command:
Boot device: /iommu/sbus/espdma/esp/sd@3,0:a  File and args: SunOS Release
5.8 Version Generic_108528-03 32-bit Copyright 1983-2000 Sun Microsystems,
Inc.  All rights reserved. configuring IPv4 interfaces:ifconfig:
supportsun20: bad address  le0.
Hostname: supportsun20
The / file system (/dev/rdsk/c0t3d0s0) is being checked.
/dev/rdsk/c0t3d0s0: UNREF FILE I=241739  OWNER=root MODE=100644
/dev/rdsk/c0t3d0s0: SIZE=4 MTIME=Jul  3 13:01 2004  (CLEARED)
/dev/rdsk/c0t3d0s0: FREE BLK COUNT(S) WRONG IN SUPERBLK (SALVAGED)
/dev/rdsk/c0t3d0s0: 21825 files, 552552 used, 722391 free
/dev/rdsk/c0t3d0s0: (1855 frags, 90067 blocks,  0.1% fragmentation) The
system is coming up.  Please wait. checking ufs filesystems
/dev/rdsk/c0t3d0s7: is stable.
starting rpc services: rpcbind done.
Setting default IPv4 interface for multicast: add net 224.0/4: gateway
supportsun20
supportsun20: bad value
syslog service starting.
syslogd: line 24: WARNING: loghost could not be resolved
Print services started.
volume management starting.
Jul  6 15:08:00 supportsun20 snmpdx: unable to get my IP address:
gethostbyname(supportsun20) failed [h_errno: ???(-1)]
The system is ready.

supportsun20 console login:

****************************************************************************
*
*
* Starting Desktop Login on display :0...
*
* Wait for the Desktop Login screen before logging in.
*
****************************************************************************
*


****************************************************************************
*
*
* The X-server can not be started on display :0...
*
****************************************************************************
*

supportsun20 console login:
supportsun20 console login: root
Password:
Login incorrect
supportsun20 console login: _______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Jul 7 10:20:39 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:33 EST