Locking the door and throwing away the key!

Many years ago I picked up a book that literally blew my mind.  It was the Cuckoo’s Egg by Clifford Stoll and it’s a genuine classic, a true tale of hackers and how one was tracked down in the very early days of the internet.

Now the story is about events in 1986, so it captures the state of technology at the time (which rather dates the book), but wow, what a great story.

So why mention the book? Well, apart from the fact that it is well worth a read, the key issue that Clifford saw again and again was default passwords. The hacker would identify a target and then try to log on using default IDs and default passwords, usually with great success.

Now I have blogged in the past about the determined (but often ignored) way that Brocade switches berate you into changing default passwords.  But pretty well all products need to do this, as they all have the same issue (and a truly problematic counter-point).   You absolutely need to do two things with every product in your data center:

  1. Change the default passwords on every device you deploy.
  2. Record what those passwords got set to (preferably using a logical or physical password safe).

Now don’t laugh, but forgotten/lost passwords on data center kit (like switches) are a VERY common problem. When I worked in the IBM Storage Support team I took calls EVERY WEEK from clients who had devices they could not log on to, for all manner of reasons. For some, supplying them with the default passwords saved them (and condemned their employer?), but for others they needed much more detailed assistance.

My preferred solution to this challenge is to use external authentication (like LDAP) but being able to reset passwords with an external tool is also a nice option to have available.

The reason I started thinking about this is a nice tool IBM offer for the Storwize V7000 called the Initialization Tool that you can download from here.  Using this tool you can reset the password of the Superuser ID on a Storwize V7000 back to the default (passw0rd).   The tool runs on a USB key.  After requesting the tool to help you to reset the superuser password, you insert the USB key into the Storwize V7000, wait for the orange indicator light on the relevant node canister to stop blinking and the task is complete.  Then put the USB key back into your laptop and run the init tool again to get a completion report that should look like this:

This is great to rescue customers who have lost their passwords, but the question then gets raised:  Can I block this?

My first response is: if you are concerned about unauthorized people with malicious intent placing USB keys into your Storwize V7000, then don’t let them into your computer room (presuming you can spot them by the colour of the hat they are wearing).  If that is not an option, lock the rack that the Storwize V7000 resides in (change control does have its benefits).   If that is not an option, there is one more alternative, but it is a tad extreme.

What we can do is prevent password reset via USB key (or in the case of the SVC, via the front panel).  We do this by issuing the following CLI command:   setpwdreset -disable

In the following example, I confirm that password reset is possible (value 1), I then disable it and confirm that password reset is no longer possible (value 0).   If curious I could then get some help on that command:

anthonyv@'s password:
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -show
Password status: [1]
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -disable
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -show
Password status: [0]
IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -h

I then try to reset the password with the USB key, but I get a very different message when I run the init-tool after moving the USB key back to my laptop:

If I then change my mind, I can enable password reset via this command:

IBM_2076:StorwizeV7000_324:anthonyv>setpwdreset -enable
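If you run more than one Storwize V7000 or SVC cluster, the "is USB password reset still enabled?" question is one you want answered for the whole fleet, not one box at a time. The script below is an added example (not from this post and not an IBM tool): it runs the same setpwdreset -show shown above over SSH on a list of clusters and parses the "Password status: [N]" line into a one-line report per cluster. It assumes SSH key access as a Security Administrator user and the output format shown in the session above; host names and the hosts file are placeholders.

```shell
#!/bin/sh
# Fleet audit of the USB/front-panel password-reset flag on Storwize V7000 / SVC.
# Added example, not code from the original post or from IBM. Assumes:
#   - SSH key access to each cluster as a user with the Security Administrator role
#   - "setpwdreset -show" prints "Password status: [N]" as in the post (1 = enabled)

# Extract N from a "Password status: [N]" line (trailing prompt text is tolerated,
# as in the fused line in the post). Prints "unknown" if no such line is present.
parse_pwdreset_status() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Password status: \[\([01]\)\].*/\1/p' \
      | head -n 1 | grep . || echo unknown
}

# Translate the numeric flag into the meaning the post describes.
describe_pwdreset_status() {
    case "$1" in
        1) echo "ENABLED  (USB key / front panel can reset superuser)";;
        0) echo "DISABLED (only another SecurityAdmin account can recover a lost password)";;
        *) echo "UNKNOWN  (could not parse setpwdreset -show output)";;
    esac
}

# Query one cluster over SSH (non-interactive, so a missing key fails fast) and
# print a one-line report. The second argument is the CLI user (placeholder default).
audit_host() {
    host="$1"; user="${2:-superuser}"
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$user@$host" setpwdreset -show 2>/dev/null)
    status=$(parse_pwdreset_status "$out")
    printf '%-30s %s\n' "$host" "$(describe_pwdreset_status "$status")"
}

# Usage: audit_fleet clusters.txt   (one cluster name/IP per line; file is a placeholder)
audit_fleet() {
    while read -r h; do
        [ -n "$h" ] && audit_host "$h"
    done < "$1"
}
```

Any cluster reported as UNKNOWN deserves a manual look, since it usually means the SSH login itself failed rather than that the flag is set.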

So do I recommend you do this on your machine?

Only if your paranoia is matched by your attention to detail.

My reason for hesitating to recommend it is simple: if you prevent password reset and then forget your password (and have no other local Security Administrator accounts), you have locked the door and thrown away the key. Far better to physically lock the rack.

In the end though, your company needs to set a policy that is actively enforced (with no exceptions).   So get to it…


About Anthony Vandewerdt

I am an IT Professional who lives and works in Melbourne Australia. This blog is totally my own work. It does not represent the views of any corporation. Constructive and useful comments are very very welcome.
This entry was posted in IBM Storage, Storwize V7000, SVC.

5 Responses to Locking the door and throwing away the key!

  1. Pingback: Locking the door and throwing away the key! « Storage CH Blog

  2. Sameed Shafi says:

    Preventing the password being changed from the USB does seem a tad extreme. A much bigger concern would be someone unauthorized having physical access to your machine! Oh, and I agree that one of the most common support calls are ‘forgetting passwords’!

  3. MrOdysseus says:

    Loved reading that book in College. Definitely an awesome read on tracking the cracker.. :)
    Thanks for the share!
