SUMMARY: Password Recovery

From: H. Mohamedali (
Date: Mon Jun 22 1998 - 19:41:25 CDT

My original posting:

> Hello all
> The root password recovery has been discussed very many times in this
> list, however I have aproblem that is a little bit different and judging
> from the way things are in this list, I am sure the gurus out there will
> come up with something to help out.
> We have a local sys admin (in another geographical reagion) who changed
> the root password and forgot it. The machine is a SCO UNIX dialup
> machine and was built from tape and diskettes. There's no CD-ROM
> installed on it.
> Could anyone give me a general guide line on how to recover from this
> disaster without having to break the machine? Any help/hints/suggestions
> is greatly appreaciated.
> Thanks in Advance.


I was practically bombarded with suggestions on the above topic but
unfortunately the local sys. admin beat me to the bell. Apparently with
the help of a friend he removed the boot disk (it was an external
one??!!??) and placed it on another machine with similar configuration
that also had a CDROM and booted with the CDROM to single user. After
that it was a piece of cake. And some of you guys suggested that

I'd like to thank all you guys out there for the wonderful suggestions
and I have included all the correspondence that I received. Hope it will
help someone out there someday.

PS: I had taken a few days off and was unable to reply to some of the
questions that one or two gurus out there had asked. Sorry.

Huzefa Mohamedali

> SCO is not SOLARIS.
> Techniques that work on THIS platform will probably NOT work on SCO.
> You need to check a SCO oriented list.
> IF the password is in the BIOS, you're SOL EXCEPT for unplugging the
> battery, but if you do that, you lose all your disk configurations too.
> --
> Jim Harmon The Telephone Connection
> Rockville, Maryland

> SCO unix should have some boot diskettes that you can use to boot into
> single user mode and change the password.
> Of course, my personal favorite way is to hack the root account. If your
> server is not current with the security patches, and you have access to a
> compiler on a SCO environment, you should be able to hack root with a
> little bit of help from
> Joel

> How about boot from tape or diskette media ? (Consult SCO manual). If
> that;s not a possibility, then the next thing you might want to try is to
> set up another SCO as a boot server, then boot the sco machine in question
> from the network.
> -- Joel Lee

> Well, I am sure someone will have a simpler fix, but this is one I have
> actually used.
> Caveats, Disclaimers, Warnings, Notices, and Other:
> Use this information at your own risk. I am not liable or responsible for
> anything that may happen from your use of this information in any way for
> any reason. This information is NOT provided for use in penetrating the
> security of a system you are not already authorized to access with root
> permission.
> This procedure should only be performed with permission (cover your a$$) of
> your immediate supervisor and/or network administrator. Use of this
> information to penetrate system security on systems you are not authorized
> to use at root permission can result in severe civil and criminal
> penalties. Accessing a machine you are not authorized to is a violation of
> Federal law in the United States. You have been warned.
> How to Regain Root Access:
> First you need a SCO boot floppy with a minimal kernal, vi or ed, and mount
> on it. If you don't already have one, you can use a custom tailored Unix
> bootdisk for another UNIX (like Linux or FreeBSD) but this may a) not work
> or b) destroy your filesystem.
> Boot the SCO from the boot disk and login to the default shell as root. At
> this point, none of the internal drives should be mounted.
> Make a subdirectory on the floppy filesystem called recover or some such.
> Mount the root partition of the drive to the recover subdirectory on the
> boot floppy in read/write mode.
> You may have to use the FORCE mount option (which can KILL your root
> partition!) to get it to mount
> After the root partition is mounted, it should be trivial to remove the
> password for the root account from the password table, save, unmount,
> reboot and remove the boot floppy.
> Don't try to reset the root password, just clear out the password field.
> Once you can bring the SCO back up (in single user!) then login as root,
> which may give you warnings but shouldn't ask for a password, and use the
> admin shell to set a new root password and rebuild the password file(s)
> correctly.
> I have used a variant of this procedure to regain access to my firewall in
> similar circumstances.
> Using a DOS driver for NTFS, much the same effect can be accomplished (with
> much more work) on an NT system.
> Variants of this work for any system you can build the appropriate boot
> disk for. Also, afterwards, keep a spare "recovery" disk like this handy,
> but guard it well (i.e. a safe).
> --

> Oh dear,
> It is not a problem if you have emergency root and boot floppies for your
> SCO machines - if not, you are stuck. The only way around is to reload
> your os and reload your ''full'' system backups.
> The problem lies in the fact that you need the root password to enter
> maintenance mode.
> There are two ways to bypass the root password. The first is if the root
> entry in tcb is corrupt, and secondly if you have root and boot floppies
> so that you can purposely corrupt roots tcb entry.
> I am going to assume that you do have a root and boot.
> Firstly, as you cannot log in as root, power your system off.
> Load the boot floppy into the drive and power on.
> When prompted, load the root floppy.
> At the prompt, check the bootdisk by:
> fsck -y /dev/hd0root
> hd0root is a special device file purely for disaster recovery. Once fsck
> has finished, mount it
> mount /dev/hd0root /mnt
> change to /mnt/tcb/files/auth/r
> rename root
> mv root root.old
> cd /
> umount /mnt
> halt
> boot the machine.
> When the machine comes up, sysinit is run from inittab and when it finds
> a problem with roots account, it starts up in single user mode without a
> password.
> When you get control,
> cd /tcb/files/auth/r
> mv root.old root
> passwd root
> Don't forget the password!
> cd /
> shutdown -y -go -i6
> But of course, you need your emergency boot and root floppies!
> I hope that this has been of some help to you.
> P.S. SCO 5 is a lot easier as you can do it from the install media.
> --- Millard Simon
> Internet communications are not secure and therefore the Barclays Group does
> not accept legal responsibility for the contents of this message. Any views
> or opinions presented are solely those of the author and do not necessarily
> represent those of the Barclays Group unless otherwise specifically stated.

> Some older unix systems gave you root access as soon as you booted to
> single user mode (i.e. you do not need the root password)
> Not sure if SCO falls into this category, but if you have the command to
> boot to single user (OR shut down to single user mode) this may work for
> you.
> You didn't mention if you already have an active root login somewhere on
> the system....
> Doc

> Do you have a /etc/hosts.equiv or a ~root/.rhosts file in the SCO
> machine? If you have you can edit the /etc/passwd file in it remotely
> via rsh.
> If the SCO machine is mounting a remote file system via NFS you could
> copy a shell binary into it and make it set-uid-root (in the remote
> machine). Then you can run it (in the SCO machine) and aquire root
> privileges.
> Hope it helps.
> Gustavo.

> Can he:
> 1) Can the install tapes be used to place the system in a maintenance mode,
> so that the root directory can be mounted, and the password file edited?
> -- or --
> 2) Can the disk be removed, mounted on another SCO system, mounted their and
> edited?

> If you can get to the local console, reboot the machine into single user
> mode (which is logged in as root by default, without a password) then
> issue a passwd command. Not sure how if you can't get to the console.
> Bruce Bowler, Research Associate

> I'm not sure if Sun machines can read the SCO ufs filesystem, but I
> would try and mount the disk in another machine. If you only have one
> machine at the remote site you are going to have to take it down and
> install a minimal SCO on a new disk, themn mount the other disk and
> alter the password file, then swap the disks and reboot.
> Shriman Gurung

> I'm not sure if this would do any good, mostly since I havn't tried it, but
> for some reason I'm thinking it might work. Get yourself a Linux boot disk or
> something, assuming the machine is Intel architecture (if it's RISC I'm lost),
> and boot to a ramdisk. Then mount your / SCO partition to the ramdisk, edit
> the /etc/passwd file, sync the disks, and reboot.
> If you try this, please let me know if it works or not... I'd love to
> have something proven available to handle situations like that; I've been in
> close ones before myself.
> Thanks,
> John Berninger

> The recovery process is still basically the same. You boot from the
> installation media, to single-user mode, and get to a shell prompt. From
> there, you should be able to mount the root filesystem and edit
> /etc/passwd.
> Ronald Loftin

> I don't pretend to be an expert, but here goes ;-)
> All you have to do (of course ;-) is modify the root line in
> /etc/passwd. How this happens doesn't matter. Normally the easiest
> thing to do is to simply boot the machine off of different media
> (tape, cd-rom, network, etc) or a different partition, or a different
> disk (where you know or don't need the root password of course). Then
> you can mount the disk partition that contains /etc/passwd, edit the
> file, put everything back, and Bob's your uncle. Of course this could
> involve a lot of work. A common approach using this technique is to
> add a temporary disk, build an OS on it, then work from there. (In
> most cases, the second disk is a mirror disk).
> Theoretically (I don't know if anyone has done this), you could move
> the offending disk to another machine, then search the disk block by
> block until you find the passwd file (it whould be relatively simple
> to write a program to do this). Then change the root passwd in the
> "raw" block to something known, and put the disk back on the original
> machine. This sounds like something a hacker might have lying
> around...
> Since I don't know SCO, I'm afraid I can't offer more specific help.
> Best of luck,
> Rgds,
> -H-
> Harvey M Wamboldt

> You can share your cdrom locally and have the remote machine mount it. Fix
> your
> problem, umount and unshare the cdrom.
> Hope this helps,
> Janet

> Huzefa,
> Do you have a userid that you can log in with?
> Does SCO use /etc/passwd for passwords,
> or does it use /etc/shadow?
> If it uses /etc/passwd, the machine is vulnerable
> to crack. You can copy the file to a fast
> computer and run crack on it. Others in this
> group may tell you they have crack running, and
> you can send the file to them. This is likely
> to work only if the password is crackable.
> If the sysadmin was careful to choose a good
> password, it won't work or it may take forever.
> For future reference....
> it is a good idea to have multiple userids
> that have root privs. The likelihood of
> locking oneself out of multiple ids in one move
> is small.
> Can you get the machine into single user mode?
> I once set up a machine with a userid "shutdown"
> with no password, whose shell was /bin/shutdown.
> You could ONLY log in on the console
> (probably an /etc/system sestting??), and
> if you log in as shutdown, it went to single
> user mode without prompting for a password.
> Along these lines, you could set up some sudo
> commands so that some non-priviledged sysadm
> can run shutdown or passwd as root....
> make it someone different than the sysadm who
> changes root password...
> If there is a SCO group,
> maybe someone can send you a diskette
> to boot with. The principle is the same
> as booting off CD.
> Good luck.
> Please let me know how it goes if you don't
> summarize to the list.
> PS This discussion is the best argument for
> retaining the .rhosts setup that we have,
> security risk though it may be....
> My 3 machines are all trusted to each other.

> Attach another boot drive to the machine and persuade it to boot on
> it. Mount the original root drive and edit the password or shadow
> file as required.
> --

> Give me more information regarding the version, release, whether you
> have boot&root disks, or you N1 & N2 stiffies/floppies available,
> please.
> Regards,
> **************************************************************
> Wim Olivier

> The SCO install from floppy will come with a boot floppy. boot from the
> floppy and do about the same as you would with the CD on solaris, if you
> need step by step instructions please ask a SCO newsgrp or mailing list.
> -Wade

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:42 CDT