Protect System Accounts
The system ships with all the system accounts, including root
with empty passwords. The only one you need access to is root,
so you should give it a password and disable the others.
Login as root -- you won't need a password yet. Give root a password
with the passwd command, eg:
There's a handy account which you'll use later to configure your networking. But it must also be password-protected. Similarly, do:
wirehead# passwd EZsetup
Disable Other Accounts
The SGI ships with a number of system and guest accounts of dubious
worth and posing potential threats. These include: lp, nuucp, auditor,
dbadmin, rfind, demos, OutOfBox, guest, and 4Dgifts. There are two
different ways of disabling login to these accounts, and you should
make sure every account either has a password or is disabled.
Disable with vi
You can edit the /etc/passwd file with that vile editor,
vi. If any password field is empty (the second colon-delimited
field), insert an asterisk (*) to disable it. You want to
turn entries that look like:
into entries like
It might even be prudent to replace the shells /bin/csh
with /bin/false if you're sure you won't break anything you
need. You might want to do this for user uucp but not for
lp, for example.
Accounts with login disabled this way will not show up on the SGI
visual login screen on the console.
Disable with passwd -l
You can also lockout passwords for each user with the passwd -l
command. You have to do this for each user, so I used a little
foreach luser (lp nuucp demos OutOfBox guest 4Dgifts)
passwd -l $luser
This changes the empty password fields into *LK*
Interestingly, accounts disabled this way will show up on the SGI
console visual login.
Create shadow password file
After securing the /etc/passwd file, use the
/sbin/pwconf to convert the /etc/shadow shadow password
This removes encrypted passwords from the world-readable passwd
file so they can't be cracked by brute-force and puts them in the
protected shadow file.
[Is there any negative impact here on the Visual account creation
tool, NIS account creation, etc??]
Logout now. Next thing to do is use EZsetup
to start configuring the network. After that, you'll need to do some
further work to finish network