How to Manage Password Aging in Solaris, AIX, and Linux

It's possible that sometime in your short, meaningless life you may need to create an account whose password is set to never expire. This is sometimes the case with headless accounts and specialty accounts, such as the ones you might have to set up for monitoring or security scanning. You might also find yourself setting up shared headless accounts with locked passwords in order to block direct logins. This second scenario can be especially troublesome when the account is some sort of application or database user with cron jobs, because even an account without a password can expire and lock. If this occurs, all of that user's cron jobs will fail, all because the account expired.

So today we are going to configure a user password not to expire.

Let's start with Solaris. First, let's make sure the account isn't locked, just in case. On Solaris, passwd -d deletes the password for the account, which also clears any lock.

passwd -d username

Now you can turn off password aging for a user with the command below.

passwd -x -1 username

You can then verify your config with the following.

passwd -s username

The output of the command above should look similar to what I have below. In this example our user ID is myuser.

#passwd -s myuser
myuser  PS

Compare what you see above to the output below for our example myuser1, which includes the date the password was last changed, the minimum number of days between password changes, the maximum number of days the password may be used before it must be changed, and the number of days of warning the user gets before the password expires. Standard system password aging and expiration still applies to myuser1.

#passwd -s myuser1
myuser1  PS    09/30/13     7    28     7

Now let's move on to Linux. First let's unlock the account. Then we will configure the password not to expire. Finally we can verify our work with the chage -l command.

passwd -u username
chage -m 0 -M 99999 -I -1 -E -1 username
chage -l username

So now let's take a visit to AIX land. Remember not to stay long. Again, it's always best to make sure that the account is not locked. Then we configure the password not to expire (maxage=0 disables aging). Finally we step back and admire our work.

chuser account_locked=false username
chuser maxage=0 username
lsuser -f username | grep -E 'maxage|expires'
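As an added example (mine, not from the post above): a small shell audit that reads /etc/shadow-style records and reports which accounts have aging turned off and which have already lapsed, so it covers both the never-expires setup described above and the expired-account failure that kills cron jobs. The records it chews on are constructed samples, and the field layout assumed is the standard Linux shadow(5) one; Solaris and AIX store aging elsewhere, so feed it Linux shadow lines only.

```shell
#!/bin/sh
# Added example, not part of the original post: an audit of /etc/shadow-style
# records that reports which accounts have password aging disabled and which
# have already lapsed (the cron-job failure described above). The records
# below are constructed samples; on a real host pipe in `sudo cat /etc/shadow`.

# Constructed shadow records: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW='svcmon:$6$placeholderhash:18000:0:99999:7:::
appuser:!:17000:0:90:7:::
alice:$6$placeholderhash:18990:7:28:7:::
dbjob:*:17500:0::::18500:'

# Day number to evaluate against (days since the epoch; 19000 is 2022-01-08).
TODAY=19000

# classify_shadow <today>: reads shadow records on stdin and prints
# "<user> <status>" per record, where status is one of
#   never-expires  max age empty, -1 or 99999 and no account expiry date set
#   acct-expired   the account expiry date (field 8) is already in the past
#   pw-expired     lastchg + max age is already in the past
#   ok             aging is active and nothing has lapsed yet
classify_shadow() {
    awk -F: -v today="$1" '
        NF >= 8 {
            user = $1; lastchg = $3; max = $5; expire = $8
            expire_set = (expire != "" && expire != "-1")
            aging_off  = (max == "" || max == "-1" || max + 0 >= 99999)
            if (expire_set && expire + 0 < today + 0) {
                print user, "acct-expired"; next
            }
            if (aging_off && !expire_set) {
                print user, "never-expires"; next
            }
            if (!aging_off && lastchg != "" && lastchg + max < today + 0) {
                print user, "pw-expired"; next
            }
            print user, "ok"
        }'
}

# audit_shadow <today>: runs the classifier over the constructed sample.
audit_shadow() {
    printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow "$1"
}

audit_shadow "$TODAY"
```

Accounts that come back as never-expires are the ones worth reviewing periodically, since nothing will ever force a credential rotation on them; the pw-expired and acct-expired ones are the candidates for the silent cron failures the post describes.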


Sudosh Make Me a Sandwich: Install and Configure Sudosh in Solaris 9/10

Welcome to the way-back machine again. This time we are going to take a look at installing and configuring sudosh on Solaris, with the purpose of using sudosh as a replacement for sudo (at least for sudo to root). Using sudosh in this manner still allows users to become root, but also lets us record each and every command they run once they are root.

Note that there are a couple of ways to install sudosh: from source or from a package. I chose installing from a native Solaris package for a couple of reasons.

  1. I found a package
  2. I would need a C compiler otherwise to compile it
  3. I had many systems on which to install sudosh

So the first thing I did was install the package. Below I have dropped the package in /tmp and gunzipped it.

# pkgadd -d ./sudosh2-1.0.2-sol10-sparc-local

Now, let's not be stupid; let's back up the sudoers file first.

# cd /usr/local/etc/

# cp sudoers sudoers.20140114

Now we can run visudo and modify the current sudoers file. First, add the command alias below; it keeps things neat and simple.

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

Now let's reference the alias we created above in the User Privilege section. Rinse and repeat for any user or group that is allowed to become root.

systems ALL=(ALL)       SUDOSH

Now we are going to modify /usr/local/etc/sudosh.conf. Note that this step is not required; I am changing the default syslog facility so that sudosh logs using the same facility as regular auth events.

syslog.priority         = LOG_INFO
syslog.facility         = LOG_AUTH

Now I am modifying my syslog.conf to ensure that all log messages of DEBUG level or higher are forwarded to my remote syslog hosts. This includes my sudosh events, which have a priority of INFO. Note that whitespace is very important in the Solaris syslog.conf: the selector and the action must be separated by a tab, not spaces.

#loghost
*.debug @loghost1
*.debug @loghost2

Since this is Solaris 10, we can restart syslog via svcadm.

# svcadm restart svc:/system/system-log:default

FYI – Relevant xkcd here


Solaris Package Management Cheat Sheet

Basic Solaris Package Management Commands

Show description about a package

pkginfo -l <pkg>

Install a package

pkgadd -d <pkg-file>

Remove a package

pkgrm <pkg>

Find package which owns a file

pkgchk -l -p <file>

List files installed by a package

pkgchk -l <pkg>|awk '/^Pathname/ {print $2}'

List files in package file

pkgchk -l -d <pkg-file>|awk '/^Pathname/ {print $2}'

List all installed packages

pkginfo

Verify integrity of installed files from a package

pkgchk <pkg>

Verify integrity of install files from all packages

pkginfo|awk '{print $2}'|xargs pkgchk

Solaris: How to Resize a Swap Partition... on a disk without any free slices

First, let's detach the swap partition (submirror) on the secondary disk, where d1 is the metadevice (mirror) and d21 is the submirror.

#metadetach d1 d21
d1: submirror d21 is detached

metaclear d21
d21: Concat/Stripe is cleared

Now let's format the secondary disk (c1t1d1 in this example).

Below is the partition table of the disk I am working with. Slice 1 will be resized using unallocated disk space. Add 1 to the last cylinder of slice 7 to determine your starting cylinder; in this case my new starting cylinder is 2691.

Total disk cylinders available: 14087 + 2 (reserved cylinders)
Part Tag Flag Cylinders Size Blocks
0 root wm 0 - 824 4.00GB (825/0/0) 8395200
1 swap wu 825 - 1031 1.00GB (207/0/0) 2106432
2 backup wm 0 - 14086 68.35GB (14087/0/0) 143349312
3 unassigned wm 1032 - 1038 34.78MB (7/0/0) 71232
4 var wm 1039 - 1657 3.00GB (619/0/0) 6298944
5 home wm 1658 - 2070 2.00GB (413/0/0) 4202688
6 stand wm 2071 - 2277 1.00GB (207/0/0) 2106432
7 stand wm 2278 - 2690 2.00GB (413/0/0) 4202688

Now resize the partition.
In this case I am going to use the rest of the disk, which, according to the information for partition 2, ends at cylinder 14087. Subtract 2691 from 14087 to determine how many cylinders your slice is going to be; here that gives 11396.

Enter partition id tag[swap]:
Enter partition permission flags[wu]:
Enter new starting cyl[825]: 2691
Enter partition size[2106432b, 207c, 1028.53mb, 1.00gb]: 11396c
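Added example, not part of the original post: the cylinder arithmetic above done by a script, so you can check the starting cylinder, the cylinder count and the resulting block count before typing them into format. It parses the partition table exactly as printed above; the blocks-per-cylinder figure is derived from the table (slice 0's blocks divided by its cylinder count) rather than assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: works out the numbers the
# post computes by hand. free_cylinders parses a `format` partition table
# (the "partition> print" output) and reports where the free space starts,
# how many cylinders it holds, and how many 512-byte blocks that is. The
# table below is the one shown in the post.

PARTITION_TABLE='Total disk cylinders available: 14087 + 2 (reserved cylinders)
Part Tag Flag Cylinders Size Blocks
0 root wm 0 - 824 4.00GB (825/0/0) 8395200
1 swap wu 825 - 1031 1.00GB (207/0/0) 2106432
2 backup wm 0 - 14086 68.35GB (14087/0/0) 143349312
3 unassigned wm 1032 - 1038 34.78MB (7/0/0) 71232
4 var wm 1039 - 1657 3.00GB (619/0/0) 6298944
5 home wm 1658 - 2070 2.00GB (413/0/0) 4202688
6 stand wm 2071 - 2277 1.00GB (207/0/0) 2106432
7 stand wm 2278 - 2690 2.00GB (413/0/0) 4202688'

# free_cylinders: reads a partition table on stdin and prints
# "<start cylinder> <cylinder count> <block count>" for the unallocated
# space after the highest-ending slice. Slice 2 (the whole-disk "backup"
# slice) is ignored, and so are slices with no "start - end" range, which
# `format` prints for empty slices.
free_cylinders() {
    awk '
        /Total disk cylinders available:/ { total = $5 + 0 }
        $1 ~ /^[0-9]+$/ && $1 != 2 && $5 == "-" {
            end = $6 + 0
            if (end > last) last = end
            # derive blocks per cylinder from the "(cylinders/0/0)" column
            if (!bpc) { split($8, c, "[(/]"); if (c[2] + 0 > 0) bpc = $9 / c[2] }
        }
        END {
            start = last + 1
            count = total - start
            print start, count, count * bpc
        }'
}

printf '%s\n' "$PARTITION_TABLE" | free_cylinders
```

For the table above this prints 2691 11396 115965696, and that last figure is exactly the Blocks column format reports for the enlarged slice 1 further down, which is a handy way to confirm the new layout before labelling the disk.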

Now save this new partition scheme

Enter table name (remember quotes): my_table

Then label your disk. As you can see below, my swap partition is now huge.

Part Tag Flag Cylinders Size Blocks
0 root wm 0 - 824 4.00GB (825/0/0) 8395200
1 swap wu 2691 - 14086 55.30GB (11396/0/0) 115965696
2 backup wm 0 - 14086 68.35GB (14087/0/0) 143349312
3 unassigned wm 1032 - 1038 34.78MB (7/0/0) 71232
4 var wm 1039 - 1657 3.00GB (619/0/0) 6298944
5 home wm 1658 - 2070 2.00GB (413/0/0) 4202688
6 stand wm 2071 - 2277 1.00GB (207/0/0) 2106432
7 stand wm 2278 - 2690 2.00GB (413/0/0) 4202688

Now let's swap the swap.

First, reinitialize the swap submirror.
metainit d21
d21: Concat/Stripe is setup

Add swap to new submirror

swap -a /dev/md/dsk/d21

View swap

swap -l
swapfile dev swaplo blocks free
/dev/md/dsk/d1 85,1 16 2106416 2106416
/dev/md/dsk/d21 85,21 16 115965680 115965680

Remove the metadevice from swap

swap -d /dev/md/dsk/d1

Verify that previous step worked

swap -l
swapfile dev swaplo blocks free
/dev/md/dsk/d21 85,21 16 115965680 115965680

Clear Metadevice/Mirror

metaclear d1
Mirror is cleared
Clear Metadevice/submirror
metaclear d11
d11: Concat/Stripe is cleared

Format the primary disk (c1t1d0 in this example)

Select a predefined table

partition> select
0. original
1. my_table
Specify table (enter its number)[0]: 1
View the partition table and make sure it looks right.
Total disk cylinders available: 14087 + 2 (reserved cylinders)

Part Tag Flag Cylinders Size Blocks
0 root wm 0 - 824 4.00GB (825/0/0) 8395200
1 swap wu 2691 - 14086 55.30GB (11396/0/0) 115965696
2 backup wm 0 - 14086 68.35GB (14087/0/0) 143349312
3 unassigned wm 1032 - 1038 34.78MB (7/0/0) 71232
4 var wm 1039 - 1657 3.00GB (619/0/0) 6298944
5 home wm 1658 - 2070 2.00GB (413/0/0) 4202688
6 stand wm 2071 - 2277 1.00GB (207/0/0) 2106432
7 stand wm 2278 - 2690 2.00GB (413/0/0) 4202688

Label disk
partition> label
Ready to label disk, continue? y

Put things back the way they were.

Reinitialize the swap submirror on the primary disk

metainit d11
d11: Concat/Stripe is setup

Reinitialize Metadevice Mirror

metainit d1
d1: Mirror is setup

Add the metadevice to swap
swap -a /dev/md/dsk/d1

… and verify that it took

swap -l
swapfile dev swaplo blocks free
/dev/md/dsk/d21 85,21 16 115965680 115965680
/dev/md/dsk/d1 85,1 16 115965680 115965680

Remove the submirror that you added to swap in the step above

swap -d /dev/md/dsk/d21

Reattach Submirror d21 to Mirror d1

metattach d1 d21
d1: submirror d21 is attached

Redefine dump device

dumpadm -d swap
Dump content: kernel pages
Dump device: /dev/md/dsk/d1 (swap)
Savecore directory: /var/crash/blahblah
Savecore enabled: yes


Solaris Soft and Hard Limits


Hard limits are a kernel-configurable item, and users can't exceed them. Soft limits are the user defaults, and users can change them using the ulimit program or the limit/unlimit builtins.

Basically, soft limits can be changed to anything up to the hard limit. Think of a soft limit as the warning barrier: when users reach the soft limit they get a warning message but are still allowed to use more space, up to the hard limit.

Also, you can configure the system to set expiration times for users who have exceeded their soft limit. You can set both soft and hard limits. The system will not allow a user to exceed his or her hard limit. However, a system administrator may set a soft limit (sometimes referred to as a quota), which the user can temporarily exceed. The soft limit must be less than the hard limit.

Use ulimit -a to check soft limits and ulimit -Ha to check hard limits. The file descriptor limit is displayed as "open files".

You can set these values by placing the following entries in /etc/system.

This will require a reboot.

set rlim_fd_max=8192
set rlim_fd_cur=256

Note that rlim_fd_max is the hard limit and rlim_fd_cur is the current (soft) limit.
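Added example, not from the original post: a portable shell probe of the soft/hard rules above, using the open-files limit that rlim_fd_cur and rlim_fd_max govern. Each probe runs in a subshell so the calling shell's limits are untouched, and nothing here edits /etc/system; it only exercises the rules the text states (soft may rise to the hard ceiling, never past it, and a lowered hard limit is a new ceiling).

```shell
#!/bin/sh
# Added example, not part of the original post: demonstrates the soft/hard
# limit relationship on the open-files limit (ulimit -n). Every probe runs
# in a subshell, so the limit changes die with it.

# fd_limits: prints "<soft> <hard>" for the open-files limit.
fd_limits() {
    echo "$(ulimit -Sn) $(ulimit -Hn)"
}

# raise_soft_to_hard: succeeds if the shell can lift its soft limit all the
# way to the hard ceiling (no privilege needed; that is what hard is for).
raise_soft_to_hard() (
    hard=$(ulimit -Hn)
    ulimit -Sn "$hard" && [ "$(ulimit -Sn)" = "$hard" ]
)

# soft_above_hard_refused: succeeds if asking for a soft limit one above the
# hard limit is rejected, which is the "soft must not exceed hard" rule.
soft_above_hard_refused() (
    hard=$(ulimit -Hn)
    [ "$hard" = unlimited ] && exit 0      # nothing to exceed
    ! ulimit -Sn $((hard + 1)) 2>/dev/null
)

# lowered_hard_sticks: succeeds if, after lowering the hard limit, the soft
# limit can no longer be raised above the new ceiling. Lowering is allowed
# for any user; raising it back again needs root (not attempted here).
lowered_hard_sticks() (
    hard=$(ulimit -Hn)
    [ "$hard" = unlimited ] && hard=65536
    target=$((hard / 2))
    ulimit -Sn "$target" && ulimit -Hn "$target" && ! ulimit -Sn "$hard" 2>/dev/null
)

echo "open files: $(fd_limits)"
raise_soft_to_hard      && echo "soft raised to hard: ok"
soft_above_hard_refused && echo "soft above hard: refused"
lowered_hard_sticks     && echo "lowered hard limit is enforced: ok"
```

The subshell trick is also how you would test a proposed limit for a daemon's start script without disturbing your login shell: lower or raise inside parentheses, run the check, and let the subshell exit.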

Sun 5220 Console and ILOM How To


As far as I know this documentation is specific to Sun T5150s and Sun T5250s. However some of the information below may also pertain to other Sun systems running ILOM.

ILOM Commands

To power on the host, type:

start /SYS

To power off the host, type:

stop /SYS

To reset the host, type:

reset /SYS

How to set the system not to auto boot the OS

Example:

-> set /HOST/bootmode script="setenv auto-boot? false"

Press Enter and then type:

-> reset /SYS

Accessing the Console from ILOM

start /SP/console

Configuring a Static IP Address Using CLI and Ethernet

Log in to the ILOM using Secure Shell (SSH) over the network, or
by connecting a terminal to the serial port. To establish a Secure Shell (SSH)
connection to the CLI, type the appropriate connection command in the
SSH application. For example, to connect to the ILOM with an IP address
of 129.144.82.20, type the following command:

# ssh -l root 129.144.82.20

Type the following command to set the working directory.

cd /SP/network

Type the following commands to specify a static Ethernet
configuration.

Note – The following values are samples only. You must specify the IP
address, netmask, and gateway appropriate for your ILOM and network
configuration.

set pendingipaddress=129.144.82.26
set pendingipnetmask=255.255.255.0
set pendingipgateway=129.144.82.254
set pendingipdiscovery=static
set commitpending=true

Solaris HBA Notes

Below is a cheat sheet that I put together of commands that are helpful for managing HBAs on Solaris.

Helpful Commands

  • luxadm probe
  • luxadm -e port
  • devfsadm

More Helpful Commands

  • To show Sun/Qlogic HBAs:

luxadm qlgc

  • To show all vendor HBAs (see sample output below):

luxadm fcode_download -p

Found Path to 0 FC100/S Cards
Complete
Found Path to 5 FC100/P, ISP2200, ISP23xx Devices
Opening Device: /devices/pci@9,600000/SUNW,qlc@2/fp@0,0:devctl
Detected FCode Version:       ISP2200 FC-AL Host Adapter Driver: 1.14 01/11/20
Opening Device: /devices/pci@8,700000/SUNW,qlc@5,1/fp@0,0:devctl
Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04
Opening Device: /devices/pci@8,700000/SUNW,qlc@3,1/fp@0,0:devctl
Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04
Opening Device: /devices/pci@8,700000/SUNW,qlc@3/fp@0,0:devctl
Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04
Opening Device: /devices/pci@8,700000/SUNW,qlc@5/fp@0,0:devctl
Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04
Complete

  • Another Method of doing the same thing as above:

prtpicl -v > filename

  • To show link status of card:

luxadm -e port

  • See WWNS:

To see the WWNs (using the address given to you by the previous commands): it is the last entry that identifies itself as an HBA, so the port WWN here is 210000e08b100d16.

# luxadm -e dump_map /devices/pci@1f,0/pci@1/SUNW,qlc@1/fp@0,0:devctl
Pos Port_ID Hard_Addr Port WWN Node WWN Type
0 10600 0 224100015d210900 220000015d210900 0x1f (Unknown Type)
1 10700 0 210000e08b103417 200000e08b103417 0x1f (Unknown Type)
2 10800 0 210000e08b100d16 200000e08b100d16 0x1f (Unknown Type,Host Bus Adapter

Configuring storage online

  • List unconfigured disks

cfgadm -al

Ap_Id Type Receptacle Occupant Condition
c0 scsi-bus connected configured unknown
c0::dsk/c0t0d0 disk connected configured unknown
c0::dsk/c0t2d0 CD-ROM connected configured unknown
c1 fc-fabric connected unconfigured unknown
c1::210000e08b103417 unknown connected unconfigured unknown
c1::224100015d210900 unknown connected unconfigured unknown
c2 fc-fabric connected unconfigured unknown
c2::210100e08b303417 unknown connected unconfigured unknown
c2::223100015d210900 unknown connected unconfigured unknown

So we can see that c1 and c2 are both unconfigured fabric attachment points, so we now run the command below to configure them.

# cfgadm -f -c configure c1 c2

You can now run devfsadm.

Example cfgadm -al output:

c1                             fc-private
c1::21000020379cb9bb           disk         connected    configured   unknown
c4                             fc-fabric    connected    unconfigured unknown
c5                             fc           connected    unconfigured unknown

c1 is a 280R internal controller
c4 is an HBA attached to a switch with no targets
c5 is an HBA that has nothing connected
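Added example, not part of the original post: awk filters over cfgadm -al output that pick out what the eye picks out above (the unconfigured fc-fabric controllers and the fabric devices behind them) and build the configure command, printed rather than run. The listings embedded are constructed copies of the two shown above, with the columns of the second filled in to the usual five.

```shell
#!/bin/sh
# Added example, not part of the original post: filters for `cfgadm -al`
# output that pick out the attachment points the post configures by hand.
# The two listings below are constructed copies of the ones shown above,
# so this runs without a Solaris box.

CFGADM_A='Ap_Id Type Receptacle Occupant Condition
c0 scsi-bus connected configured unknown
c0::dsk/c0t0d0 disk connected configured unknown
c0::dsk/c0t2d0 CD-ROM connected configured unknown
c1 fc-fabric connected unconfigured unknown
c1::210000e08b103417 unknown connected unconfigured unknown
c1::224100015d210900 unknown connected unconfigured unknown
c2 fc-fabric connected unconfigured unknown
c2::210100e08b303417 unknown connected unconfigured unknown
c2::223100015d210900 unknown connected unconfigured unknown'

CFGADM_B='c1 fc-private connected configured unknown
c1::21000020379cb9bb disk connected configured unknown
c4 fc-fabric connected unconfigured unknown
c5 fc connected unconfigured unknown'

# unconfigured_fabric: reads `cfgadm -al` output on stdin and prints the
# fc-fabric controllers whose occupant is still "unconfigured", one per
# line. Type "fc" with nothing attached and fc-private internal controllers
# are left out, matching the post's reading of its own listings.
unconfigured_fabric() {
    awk '$2 == "fc-fabric" && $3 == "connected" && $4 == "unconfigured" { print $1 }'
}

# fabric_targets: prints "<controller> <port WWN>" for every fabric device
# listed behind an unconfigured fc-fabric controller, i.e. what
# `cfgadm -c configure` would bring online.
fabric_targets() {
    awk '
        $2 == "fc-fabric" && $4 == "unconfigured" { fabric[$1] = 1 }
        index($1, "::") > 0 && $4 == "unconfigured" {
            ctl = substr($1, 1, index($1, "::") - 1)
            wwn = substr($1, index($1, "::") + 2)
            if (ctl in fabric) print ctl, wwn
        }'
}

# configure_cmd: turns the unconfigured list into the command the post
# runs (printed here, not executed).
configure_cmd() {
    ctls=$(unconfigured_fabric | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 } END { print "" }')
    [ -n "$ctls" ] && echo "cfgadm -c configure $ctls"
}

printf '%s\n' "$CFGADM_A" | unconfigured_fabric
printf '%s\n' "$CFGADM_A" | fabric_targets
printf '%s\n' "$CFGADM_A" | configure_cmd
printf '%s\n' "$CFGADM_B" | unconfigured_fabric
```

On a live system replace the printf with `cfgadm -al |`; printing the command first rather than running it keeps the "look, then configure" order the post follows, and the WWN list is what you would compare against the storage team's zoning before trusting the new paths.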

More Good Stuff

1) Run cfgadm -al

2) Look for the fc-fabric entries

c2                             fc-fabric    connected
c3                             fc-fabric    connected

3) Then run cfgadm -c configure c2 c3

4) Now you see the LUN

A Magical File – Check it Out

/kernel/drv/sd.conf

Checking IO on Fibre Cards

iostat -xcn 5

San Foundation Kit

You get this from Sun; install it after you install the drivers.
There is no SAN Foundation Kit for Solaris 10, and installing it there will do bad things. It's only for Solaris 8 and Solaris 9.

Get the WWN

Method 1:

$ luxadm probe
$ luxadm -e port
$ luxadm -e dump_map <xyz>, where xyz is your connected port.

Method 2:

bash-2.03# cat /var/adm/messages | grep -i WWN

Sep 20 18:23:28 alautpnc003 qlc: [ID 657001 kern.info] Qlogic qlc(0) WWPN=210000e08b934ead : WWNN=200000e08b934ead

Sep 20 18:23:39 alautpnc003 qlc: [ID 657001 kern.info] Qlogic qlc(1) WWPN=210100e08bb34ead : WWNN=200100e08bb34ead

Method 3:

# modinfo | grep SunFC
46 10274e94 20010 172 1 fcp (SunFC FCP v20050926-1.86)
47 10269923 8204 - 1 fctl (SunFC Transport v20050926-1.36)
51 1028b850 15e28 171 1 fp (SunFC Port v20050926-1.53)
53 10300f09 c5024 175 1 qlc (SunFC Qlogic FCA v20051013-2.08)

Method 4:

cfgadm -o show_FCP_dev -al

Method 5:

prtconf -pv | grep -i wwn | grep -i port