How to Manage Password Aging in Solaris, AIX, and Linux

It's possible that sometime in your short, meaningless life, you may need to create an account with a password that is set to never expire. This is sometimes the case with headless accounts and specialty accounts such as the ones you might have to set up for monitoring or security scanning. You might also find yourself setting up shared headless accounts with locked passwords in order to block direct logins. This second scenario can be especially troublesome when the account belongs to some sort of application or database user with cron jobs, because even an account without a password can expire and lock. If that occurs, all of the user's cron jobs will fail, all because the account expired.

So today we are going to configure a user's password not to expire.

Let's start with Solaris. First, let's unlock the account just in case.

passwd -d username

Now you can turn off password aging for a user with the command below.

passwd -x -1 username

You can then verify your config with the following.

passwd -s username

The output of the command above should look similar to what I have below. In this example our user ID is myuser.

#passwd -s myuser
myuser  PS

Compare what you see above to the output below for our example user myuser1, which includes the date the password was last changed, the minimum number of days between password changes, the maximum number of days the password remains valid before a change is required, and the number of days of warning a user is given before the password expires. For myuser1, standard system password aging and expiration still apply.

#passwd -s myuser1
myuser1  PS    09/30/13     7    28     7

Now let's move on to Linux. First let's unlock the account. Then we will configure the password not to expire, and finally verify our work with the chage -l command.

passwd -u username
chage -m 0 -M 99999 -I -1 -E -1 username
chage -l username

So now let's take a visit to AIX land. Remember not to stay long. Again, it's always best to make sure the account is not locked first. Then we configure the password not to expire. Finally we step back and admire our work.

chuser account_locked=false username
chuser maxage=0 username
lsuser -f username | fgrep expires
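As an added example (not part of the original post), here is a small POSIX shell audit that reads the same fields chage manipulates, straight from shadow-format records, and reports which accounts never expire, which carry an absolute account expiry date (the case that quietly kills cron jobs), and which have a locked password. The records below are constructed and the hashes are fake; the Linux /etc/shadow layout is assumed, so on Solaris use passwd -s and on AIX lsuser -f instead.

```shell
#!/bin/sh
# Constructed /etc/shadow-style records (Linux layout:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved). Not from any real host.
SAMPLE_SHADOW='myuser:$6$saltsalt$fakehash:15978:0:99999:7:::
myuser1:$6$saltsalt$fakehash:15978:7:28:7:::
appsvc:!:15978:0:99999:7::16000:
dbbatch:*:15978:0:90:7:::'

# classify_shadow: prints one line per account, "name status[ locked]".
#   never-expires : max empty or >= 99999 (what "chage -M 99999" leaves behind)
#   account-expiry: field 8 holds an absolute expiry day; cron jobs stop on that day
#   aging         : ordinary aging, the password expires after max days
#   locked        : hash starts with "!" or is "*", so no password login is possible
classify_shadow() {
    printf '%s\n' "$1" | awk -F: '
    NF >= 8 {
        max = $5; expire = $8
        if (expire != "")                        status = "account-expiry"
        else if (max == "" || max + 0 >= 99999)  status = "never-expires"
        else                                     status = "aging"
        lock = (substr($2, 1, 1) == "!" || $2 == "*") ? " locked" : ""
        print $1 " " status lock
    }'
}

# audit_shadow: the same classifier over a real file (default /etc/shadow, needs root).
audit_shadow() {
    classify_shadow "$(cat "${1:-/etc/shadow}")"
}

# Run against the constructed sample.
classify_shadow "$SAMPLE_SHADOW"
```

On the sample this prints myuser as never-expires, myuser1 as aging, appsvc as account-expiry locked and dbbatch as aging locked; appsvc is exactly the configuration the opening paragraph warns about, a locked password that still has a hard account expiry set.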


Solaris Soft and Hard Limits


Hard limits are a kernel-configurable item, and users can’t exceed them. Soft limits are the user defaults, and users can change that using the ulimit program or the limit/unlimit builtins.

Basically, soft limits can be raised to anything up to the hard limit. Think of the soft limit as the warning barrier: when a user reaches it they get a warning message but are still allowed to use more, up to the hard limit.

Also, you can configure the system to set expiration times for users who have exceeded their soft limit. You can set both soft and hard limits. The system will not allow a user to exceed his or her hard limit. However, a system administrator may set a soft limit (sometimes referred to as a quota), which the user can temporarily exceed. The soft limit cannot be higher than the hard limit.

Use ulimit -a to check soft limits and ulimit -Ha to check hard limits. The file descriptor limit shows up in the open files line of that output.

You can set these values system-wide by placing the following entries in /etc/system. This requires a reboot.

set rlim_fd_max=8192
set rlim_fd_cur=256

Note that rlim_fd_max is the hard limit and rlim_fd_cur is the current (soft) limit.
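To make the soft/hard relationship concrete, here is an added shell example (mine, not from the original post) that drives the shell's own ulimit builtin. Every change is made inside a subshell so the calling shell keeps its limits; the only assumption is that the starting hard open-file limit is at least 128, which holds on any normal system.

```shell
#!/bin/sh
# fd_limits: print the current soft and hard open-file limits, i.e. the
# "open files" line of "ulimit -a" and "ulimit -Ha".
fd_limits() {
    printf 'soft=%s hard=%s\n' "$(ulimit -Sn)" "$(ulimit -Hn)"
}

# soft_after_hard SOFT HARD: lower both limits to HARD (a process may always
# lower its hard limit; an unprivileged one can never raise it again), then try
# to set the soft limit to SOFT. Prints "ok" if the kernel accepted the new soft
# value and "refused" otherwise. All of it happens in a subshell.
soft_after_hard() {
    (
        ulimit -n "$2" 2>/dev/null || { echo refused; exit 0; }
        if ulimit -Sn "$1" 2>/dev/null; then echo ok; else echo refused; fi
    )
}

fd_limits
soft_after_hard 256 128   # refused: soft may not exceed the hard limit
soft_after_hard 64 128    # ok: anything up to the hard limit is allowed
```

The refusal in the first call is the kernel's doing, not the shell's: setrlimit rejects any soft value above the hard value, for root as much as for anyone else, which is why a hard limit that has been lowered in a login shell cannot be worked around by the user.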

Solaris Network Connection Performance Part I

Monitoring Solaris Ethernet Performance

netstat -i

This option is used to diagnose network problems when connectivity is there but the response is slow.

Values to look at:

    * Collisions (Collis)
    * Output packets (Opkts)
    * Input errors (Ierrs)
    * Input packets (Ipkts)

Network collision rate = Output collision counts / Output packets

A network-wide collision rate greater than 10 percent indicates one of the following:

    * Overloaded network,
    * Poorly configured network,
    * Hardware problems.

Input Packet Error Rate = Ierrs / Ipkts.

If the input error rate is high (over 0.25 percent), the host is dropping packets. Hubs, switches, cables, etc. need to be checked for potential problems.

Name  Mtu  Net/Dest   Address    Ipkts     Ierrs Opkts     Oerrs Collis Queue
lo0   8232 loopback   localhost  43523390  0     43523390  0     0      0
hme0  1500 <hostname> <hostname> 561847305 886   483621617 0     0      0
qfe0  1500 <hostname> <hostname> 13480886  1     1521743   0     0      0
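As an added example (not from the original post), the two ratios above can be applied to netstat -i output with a few lines of awk. The sample below is the page's own three interfaces plus a constructed bge0 line, made up to trip both thresholds so the flagging logic is exercised.

```shell
#!/bin/sh
# Constructed netstat -i sample: the page's lo0/hme0/qfe0 lines plus a made-up
# bge0 with 15% collisions and 0.5% input errors.
NETSTAT_SAMPLE='Name  Mtu  Net/Dest   Address    Ipkts     Ierrs Opkts     Oerrs Collis Queue
lo0   8232 loopback   localhost  43523390  0     43523390  0     0      0
hme0  1500 <hostname> <hostname> 561847305 886   483621617 0     0      0
qfe0  1500 <hostname> <hostname> 13480886  1     1521743   0     0      0
bge0  1500 <hostname> <hostname> 1000000   5000  200000    0     30000  0'

# netstat_rates: apply the page's two ratios and thresholds to every interface line.
#   collision rate   = Collis / Opkts  (flag above 10%)
#   input error rate = Ierrs / Ipkts   (flag above 0.25%)
# Output: "name collision=X% input-error=Y% VERDICT"
netstat_rates() {
    printf '%s\n' "$1" | awk '
    NR == 1 { next }                       # skip the column header
    NF >= 9 {
        name = $1; ipkts = $5; ierrs = $6; opkts = $7; collis = $9
        crate = (opkts > 0) ? 100 * collis / opkts : 0   # guard idle interfaces
        erate = (ipkts > 0) ? 100 * ierrs / ipkts : 0
        verdict = ""
        if (crate > 10)    verdict = verdict "HIGH-COLLISIONS,"
        if (erate > 0.25)  verdict = verdict "HIGH-INPUT-ERRORS,"
        if (verdict == "") verdict = "OK,"
        sub(/,$/, "", verdict)
        printf "%s collision=%.3f%% input-error=%.4f%% %s\n", name, crate, erate, verdict
    }'
}

# Run on the sample; on a live Solaris box: netstat_rates "$(netstat -i)"
netstat_rates "$NETSTAT_SAMPLE"
```

hme0's 886 input errors look alarming in isolation but come out at well under a thousandth of a percent of 561 million input packets, which is the point of working with rates rather than raw counters.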

You can also use the following to determine the link status and speed of your ethernet interface. In the example below I am running these on hme0.

ndd -set /dev/hme instance 0
ndd -get /dev/hme link_status
ndd -get /dev/hme link_mode
ndd -get /dev/hme link_speed

If you have only one ethernet interface, you can leave out the instance command. Otherwise, specify the hme instance number there. The results of the next three commands are either 1 or 0. In each case, the value means:

link_status:  0=down 1=up

link_mode:   0=half duplex  1=full duplex

link_speed:  0=10Mbps  1=100Mbps

You can also use the following netstat command. Replace ce0 with your ethernet adapter.

# netstat -k ce0 | egrep 'link_speed|link_status|link_duplex'
lp_cap_asmpause 1 lp_cap_pause 0 link_T4 0 link_speed 1000
link_duplex 2 link_asmpause 0 link_pause 0 link_up 1 mac_mtu 1522

How to read this junk:

link_up – 0 down, 1 up
link_speed – speed in Mbit/s
link_duplex – 1 half duplex, 2 full duplex, 0 down

Sun RSC Configuration for the v480 & v490

Introduction

This page describes how to set up and manage a Sun RSC (Remote Serial Console) on the v480 and v490. The e250 and e450 also have an RSC, but I omitted them as those systems are ancient.

Before You Begin

Assign an IP address, netmask and gateway to the server. You must download the RSC utilities version 2.2.3 or later to the server and run the utilities before you can configure the server's RSC.

Steps

  • Log in as root to the V490 or V890 manageable server.
  • Download the RSC version 2.2.3 utilities zip file. Go to http://www.sun.com/servers/rsc.html and download the zip file appropriate for the Solaris release installed on the server:

Solaris 9 or later: rsc2.2.3_packages_s9.zip
Solaris 8: rsc2.2.3_packages_s8.zip

When the download has completed, unzip the file to a temporary directory, then change directory to that temporary directory.

  • Install the RSC version 2.2.3 packages on the manageable server.

Install the following packages on the server using the pkgadd command:
SUNWrsc – the RSC base package for installation on the host machine
SUNWrscd – the RSC documentation package
SUNWrscj – the RSC GUI package, which displays the RSC GUI

If you are asked whether to install conflicting files, type Y to override the existing version.

Redirecting the Console to the RSC

After the RSC software is installed and configured, the system console is still available as on any normal Sun machine. To enable the RSC as the system console device instead, you must access the server console, shut down the system, and type the following commands at the ok prompt:

ok diag-console rsc

ok setenv input-device rsc-console

ok setenv output-device rsc-console

RSC Commands

The RSC commands are located in the following path:
/usr/platform/SUNW,Sun-Fire-V490/rsc

rsc-config
/usr/platform/SUNW,Sun-Fire-V490/rsc/rsc-config

The command above can be used to configure the RSC.

The rscadm command has many options; see below.

rscadm - COMMAND DETAILS
  rscadm help => this message
  rscadm date [-s] | [[mmdd]HHMM | mmddHHMM[cc]yy][.SS] => print or set date
  rscadm set <variable> <value> => set variable to value
  rscadm show [variable] => show variable(s)
  rscadm resetrsc [-s] => reset RSC (-s soft reset)
  rscadm download [boot] <file> => program firmware or [boot] monitor
  rscadm send_event [-c] "message" => send message as event (-c CRITICAL)
  rscadm useradd <username> => add RSC user account
  rscadm userdel <username> => delete RSC user account
  rscadm usershow [username] => show user details
  rscadm userpassword <username> => set user password
  rscadm userperm <username> [cuar] => set user permissions
  rscadm shownetwork => show network configuration
  rscadm loghistory => show RSC event log
  rscadm version => show RSC version

Below is sample output of the show option (rscadm show):

mail_enabled="false"
ip_mode="config"
ppp_enabled="false"
tpe_link_test="true"
serial_baud="9600"
serial_parity="none"
serial_stop="1"
serial_data="8"
customerinfo=""
ip_addr="xxx.xx.xxx.xxx"
ip_netmask="255.255.xxx.x"
ip_gateway="0.0.0.0"
mailhost=""
mailuser=""
ppp_local_ip_addr="0.0.0.0"
ppp_remote_ip_addr="0.0.0.0"
hostname="xxxxxx"
escape_char="~"


Handy Crontab Header

# minute (0-59),
# |      hour (0-23),
# |      |       day of the month (1-31),
# |      |       |       month of the year (1-12),
# |      |       |       |       day of the week (0-6 with 0=Sunday).
# |      |       |       |       |       commands
3       2       *       *       0,6     /some/command/to/run
3       2       *       *       1-5     /another/command/to/run

Solaris Printing and You!

I hardly ever have a request to add a printer to a Solaris box, but every once in a while a developer needs me to add one. Not that I have any idea what they are printing…

Below are my notes…

Adding a Printer:

In the example below we are adding a printer using the -p option for the printer name, -s for the print server, and -D for the description. The -d option then makes it the default destination, and lpstat -p shows its status.

# lpadmin -p luna -s saturn
# lpadmin -p luna -D "Room 1954 ps"
# lpadmin -d luna
# lpstat -p luna

Verify you can print with the following command:

$ lp -d printer-name filename


Solaris Volume Manager

Solaris Volume Manager (formerly known as Online: DiskSuite, and later Solstice DiskSuite) is a software package for creating, modifying and controlling RAID devices in Solaris. The process below outlines the steps you need to take to set up basic root disk mirroring.

Adding a new Disk? Create your Partition Table for your Mirror:

Using the format command, select your initial disk. Then select par (partition), then name, to save off your partition table under a name.

Then switch to the other disk and label it with the saved partition table.

Md.tab — add mirror information:

The file /etc/md.tab is basically a map file where you define your metadevices and the physical devices that they represent. In the example below the metadevice d0 has two submirrors, d10 and d20.

For Example:
d0      -m              d10
d10             1 1     /dev/dsk/c0t0d0s0
d20             1 1     /dev/dsk/c0t1d0s0
#swap mirror
d1      -m              d11
d11             1 1     /dev/dsk/c0t0d0s1
d21             1 1     /dev/dsk/c0t1d0s1
#var mirror
d4      -m              d14
d14             1 1     /dev/dsk/c0t0d0s4
d24             1 1     /dev/dsk/c0t1d0s4

Add Meta Databases:

bash-3.00# metadb -c 3 -f -a /dev/dsk/c5t0d0s3
bash-3.00# metadb -c 3 -f -a /dev/dsk/c5t4d0s3

Make sure that you create them on the correct slice. The normal standard that I follow has me creating them on slice 3.
In the example above you are creating 3 metadbs on each of the two mirror disks. Not sure if you need the -f option on the second db, but it does not seem to cause any issues.

Initialize your Mirrors:

In the example below you are initializing your one-way mirror. These are the entries from md.tab; here I am initializing each side of the mirror. Note that you do not need to specify "d10 1 1 c5t0d0s0" if you have added this information to md.tab. Use the -f switch when the filesystem on that slice is currently mounted.

EXAMPLE for Slice 0:

bash-3.00# metainit -f d10 1 1 c5t0d0s0
d10: Concat/Stripe is setup
bash-3.00# metainit d20 1 1 c5t4d0s0
d20: Concat/Stripe is setup


Attach your First Submirror:

The example below shows how to attach your one-way mirror to your metadevice. Once this step is complete, you will want to reboot and attach the other side of the mirror. You can then edit the /etc/fstab with the new metadevices.

EXAMPLE:

metainit d0 -m d10

Metaroot to Create root mirror in fstab:

The metaroot command is used to modify the /etc/fstab for the root mirror.

metaroot d0

Then modify any other entries.

Attach Secondary Mirror:

metattach d0 d20

Other Helpful Commands:

How to Delete Metadbs:

If you need to start over, you can use the command below to remove metadatabases.

metadb -d -f /dev/dsk/diskname

Inspect your Metadbs:

# metadb -i
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s7
     a        u         16              8192            /dev/dsk/c0t1d0s7
     a        u         16              8192            /dev/dsk/c0t2d0s7
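One thing worth checking once the replicas exist is how many you can afford to lose. SVM uses a majority-consensus rule: the running system stays up as long as at least half of the state database replicas are available, but it only boots unattended when a majority is available, and it panics when fewer than half remain. The added shell example below (mine, not from the original post) parses metadb -i output and reports, for each disk, what losing that disk would leave. The first sample is the page's three-disk output; the second is a constructed two-disk layout like the "metadb -c 3" commands above produce.

```shell
#!/bin/sh
# Sample 1: the page's metadb -i output, three disks with one replica each.
METADB_THREE='        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s7
     a        u         16              8192            /dev/dsk/c0t1d0s7
     a        u         16              8192            /dev/dsk/c0t2d0s7'

# Sample 2 (constructed): two disks, three replicas each, as "metadb -c 3" creates.
METADB_TWO='        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c5t0d0s3
     a        u         16              8192            /dev/dsk/c5t0d0s3
     a        u         16              8192            /dev/dsk/c5t0d0s3
     a        u         16              8192            /dev/dsk/c5t4d0s3
     a        u         16              8192            /dev/dsk/c5t4d0s3
     a        u         16              8192            /dev/dsk/c5t4d0s3'

# replica_quorum: for every disk holding replicas, report how many replicas
# remain if that disk dies and what SVM does with that number:
#   majority-ok : more than half remain, the system boots on its own
#   half-only   : exactly half remain, it keeps running but will not boot unattended
#   below-half  : fewer than half remain, the system panics
replica_quorum() {
    printf '%s\n' "$1" | awk '
    $NF ~ /^\/dev\/dsk\// {
        disk = $NF
        sub(/s[0-9]+$/, "", disk)            # drop the slice, keep the disk
        sub(/^\/dev\/dsk\//, "", disk)
        per[disk]++; total++
    }
    END {
        for (d in per) {
            left = total - per[d]
            if (left * 2 > total)       v = "majority-ok"
            else if (left * 2 == total) v = "half-only"
            else                        v = "below-half"
            printf "lose %s: %d of %d replicas remain: %s\n", d, left, total, v
        }
    }' | sort
}

replica_quorum "$METADB_THREE"
replica_quorum "$METADB_TWO"
# Live check on a Solaris host: replica_quorum "$(metadb -i)"
```

The two-disk layout is the interesting case: losing either disk leaves exactly half the replicas, so the box keeps running on the surviving mirror but needs the dead replicas deleted with metadb -d before it will come back up unattended.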

How to Detach Mirrors:

metadetach mirror submirror

metadetach d0 d20

After completing the step above you should clear the concat/stripe:

metaclear d20

Metastat:

Metastat gives you the status of your mirrors.

# metastat
d7: RAID
    State: Initializing
    Initialization in progress: 12.2% done <== not done yet
    Interlace: 32 blocks
    Size: 208618176 blocks (99 GB)
Original device:
    Size: 208627648 blocks (99 GB)
        Device     Start Block  Dbase        State Reloc  Hot Spare
        c0t0d0s7      10506       Yes Initializing   Yes
        c0t1d0s7      10506       Yes Initializing   Yes
        c0t2d0s7      10506       Yes Initializing   Yes