Protect System Accounts

The system ships with all the system accounts, including root, with empty passwords. The only one you need access to is root, so you should give it a password and disable the others.

Root password

Log in as root -- you won't need a password yet. Give root a password with the passwd command, e.g.:
wirehead# passwd
New password:
Verify password:

EZsetup password

There's a handy account, EZsetup, which you'll use later to configure your networking, but it must also be password-protected. Similarly, do:
wirehead# passwd EZsetup
New password:
Verify password:

Disable Other Accounts

The SGI ships with a number of system and guest accounts of dubious worth that pose potential threats. These include: lp, nuucp, auditor, dbadmin, rfind, demos, OutOfBox, guest, and 4Dgifts. There are two different ways of disabling login to these accounts, and you should make sure every account either has a password or is disabled.

Disable with vi

You can edit the /etc/passwd file with that vile editor, vi. If any password field is empty (the second colon-delimited field), insert an asterisk (*) to disable it. You want to turn entries that look like:
guest::998:998:Guest Account,,,,,,,:/usr/people/guest:/bin/csh
into entries like:
guest:*:998:998:Guest Account,,,,,,,:/usr/people/guest:/bin/csh

It might even be prudent to replace the shell /bin/csh with /bin/false if you're sure you won't break anything you need. You might want to do this for user uucp but not for lp, for example.

Accounts with login disabled this way will not show up on the SGI visual login screen on the console.

Disable with passwd -l

You can also lock out passwords for each user with the passwd -l command. You have to do this for each user, so I used a little csh script:
foreach luser (lp nuucp demos OutOfBox guest 4Dgifts)
	passwd -l $luser
end
This changes the empty password fields into *LK*.

Interestingly, accounts disabled this way will show up on the SGI console visual login.
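
To confirm that every account either has a password or is disabled before moving on, the check below reads a passwd-format file and classifies the second colon-delimited field of each entry. It is an added example, not part of the original page, written for POSIX sh rather than csh; the function name, status labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that are still open.
# Status labels (chosen for this example):
#   EMPTY  - password field is empty, so no password is needed to log in
#   LOCKED - field is "*" (manual edit) or "*LK*" (passwd -l)
#   SET    - field holds anything else (a password hash)

audit_passwd() {
    # $1: passwd-format file. Prints "user status shell" per entry.
    # Returns 1 if any entry is EMPTY or malformed, otherwise 0.
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }    # skip blank and comment lines
        /^[+-]/            { next }    # skip NIS compat entries
        NF < 7 { printf "%s MALFORMED -\n", $1; bad = 1; next }
        {
            if ($2 == "")                       status = "EMPTY"
            else if ($2 == "*" || $2 == "*LK*") status = "LOCKED"
            else                                status = "SET"
            if (status == "EMPTY") bad = 1
            printf "%s %s %s\n", $1, status, ($7 == "" ? "-" : $7)
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample entries (not from a real system); the root hash is a
# placeholder string.
sample=${TMPDIR:-/tmp}/passwd.sample.$$
cat > "$sample" <<'EOF'
root:XXconstructedXX:0:0:Super-User:/:/bin/csh
guest::998:998:Guest Account,,,,,,,:/usr/people/guest:/bin/csh
demos:*:993:997:Demonstration User:/usr/demos:/bin/csh
lp:*LK*:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
EOF
audit_passwd "$sample" || echo "accounts with empty passwords remain"
rm -f "$sample"
```

Point the function at /etc/passwd before the shadow conversion, since afterwards the password information lives in /etc/shadow.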

Create shadow password file

After securing the /etc/passwd file, use /sbin/pwconv to create the /etc/shadow shadow password file.

This removes encrypted passwords from the world-readable passwd file, so they can't be cracked by brute force, and puts them in the protected shadow file.

[Is there any negative impact here on the Visual account creation tool, NIS account creation, etc??]


Log out now. The next thing to do is use EZsetup to start configuring the network. After that, you'll need to do some further work to finish network configuration.
Chris Shenton