Anthony's Blog: Using System Storage - An Aussie Storage Blog

Locking the door and throwing away the key!

anthonyv | Tags: usb svc v7000 password superuser storwize key | 16,515 Views

Many years ago I picked up a book that literally blew my mind. It was The Cuckoo's Egg by Clifford Stoll, and it is a genuine classic: a true tale of hackers and how one was tracked down in the very early days of the internet.

Now the story is about events in 1986, so it captures the state of technology at the time (which rather dates the book), but wow, what a great story.

So why mention the book? Well, apart from the fact that it is well worth a read, the key issue that Clifford saw again and again was default passwords. The hacker would identify a target and then try to log on using default IDs and default passwords, usually with great success.

Now I have blogged in the past about the determined (but often ignored) way that Brocade switches berate you into changing default passwords. But pretty well all products need to do this, as they all have the same issue (and a truly problematic counter-point). You absolutely need to do two things with every product in your data center:

  1. Change the default passwords on every device you deploy.
  2. Record what those passwords got set to (preferably using a logical or physical password safe).

Now don't laugh, but forgotten or lost passwords on data center kit (like switches) are a VERY common problem. When I worked in the IBM Storage Support team I took calls EVERY WEEK from clients who had devices they could not log on to, for all manner of reasons. For some, supplying them with the default passwords saved them (and condemned their employer?), but others needed much more detailed assistance.

My preferred solution to this challenge is to use external authentication (like LDAP), but being able to reset passwords with an external tool is also a nice option to have available.

The reason I started thinking about this is a nice tool IBM offers for the Storwize V7000 called the Initialization Tool, which you can download from here. Using this tool you can reset the password of the superuser ID on a Storwize V7000 back to the default (passw0rd). The tool runs on a USB key. After asking the tool to help you reset the superuser password, you insert the USB key into the Storwize V7000 and wait for the orange indicator light on the relevant node canister to stop blinking; the task is then complete. Then put the USB key back into your laptop and run the init tool again to get a completion report that should look like this:

This is great for rescuing customers who have lost their passwords, but the question then gets raised: can I block this?

My first response is: if you are concerned about unauthorized people with malicious intent placing USB keys into your Storwize V7000, then don't let them into your computer room (presuming you can spot them by the colour of the hat they are wearing). If that is not an option, lock the rack that the Storwize V7000 resides in (change control does have its benefits). If that is not an option, there is one more alternative, but it is a tad extreme.

What we can do is prevent password reset via USB key (or, in the case of the SVC, via the front panel). We do this by issuing the following CLI command: setpwdreset -disable

In the following example I confirm that password reset is possible (value 1), then disable it and confirm that password reset is no longer possible (value 0). If curious, I could then get some help on that command:

anthonyv@10.1.60.71's password:
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -show
Password status: [1]
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -disable
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -show
Password status: [0]
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -h

I then try to reset the password with the USB key, but I get a very different message when I run the init tool after moving the USB key back to my laptop:

If I then change my mind, I can enable password reset via this command:

IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -enable

So do I recommend you do this on your machine?

Only if your paranoia is matched by your attention to detail.

My reason to hesitate in recommending it is simple: if you prevent password reset and then forget your password (and have no other local Security Administrator accounts), you have locked the door and thrown away the key. It is far better to physically lock the rack.
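A quick way to check a system against that caveat, as an added example that is not code from the original post: it parses the output of setpwdreset -show (the session above) and of lsuser -delim : (a standard CLI user listing; its column layout is assumed here) and flags systems where reset is disabled but no second local Security Administrator account exists. The sample outputs are constructed, and the host and user in the ssh comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies an SVC/Storwize
# system from two CLI outputs: "setpwdreset -show" (from the post) and
# "lsuser -delim :" (column layout assumed: id:name:password:ssh_key:
# remote:usergrp_id:usergrp_name). Sample outputs below are constructed.

SHOW_ENABLED='Password status: [1]'
SHOW_DISABLED='Password status: [0]'
USERS_ONLY_SUPERUSER='id:name:password:ssh_key:remote:usergrp_id:usergrp_name
0:superuser:yes:no:no:0:SecurityAdmin
1:monitor1:yes:no:no:4:Monitor'
USERS_WITH_BACKUP='id:name:password:ssh_key:remote:usergrp_id:usergrp_name
0:superuser:yes:no:no:0:SecurityAdmin
1:anthonyv:yes:no:no:0:SecurityAdmin
2:monitor1:yes:no:no:4:Monitor'

# pwdreset_status SHOW_OUTPUT -> enabled | disabled | unknown
pwdreset_status() {
    case "$1" in
        *'Password status: [1]'*) echo enabled ;;
        *'Password status: [0]'*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# count_backup_secadmins LSUSER_OUTPUT -> number of local (non-remote)
# SecurityAdmin accounts other than superuser that have a password set
count_backup_secadmins() {
    printf '%s\n' "$1" | awk -F: 'NR > 1 && $7 == "SecurityAdmin" && $3 == "yes" &&
        $5 == "no" && $2 != "superuser" { n++ } END { print n + 0 }'
}

# assess SHOW_OUTPUT LSUSER_OUTPUT -> physical-controls | lockout-risk | ok | unknown
#   physical-controls: reset still enabled, so a locked room/rack is the control
#   lockout-risk: reset disabled and only superuser can administer security
assess() {
    status=$(pwdreset_status "$1")
    backups=$(count_backup_secadmins "$2")
    if [ "$status" = enabled ]; then echo physical-controls
    elif [ "$status" != disabled ]; then echo unknown
    elif [ "$backups" -eq 0 ]; then echo lockout-risk
    else echo ok
    fi
}

# Real data would come from e.g. show=$(ssh "$user@$host" setpwdreset -show)
# (hypothetical host and user); the constructed samples are used here.
printf 'StorwizeV7000_324 (before): %s\n' "$(assess "$SHOW_ENABLED" "$USERS_ONLY_SUPERUSER")"
printf 'StorwizeV7000_324 (after):  %s\n' "$(assess "$SHOW_DISABLED" "$USERS_ONLY_SUPERUSER")"
```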

In the end though, your company needs to set a policy that is actively enforced (with no exceptions). So get to it.
