11-10-2008, 06:53 PM
James Gray

Trouble Logging In as Root

On 09/11/2008, at 7:31 PM, Glenn Holmer wrote:

> On Sun, 2008-11-09 at 20:39 +1100, James Gray wrote:
>> <pedantic>
>> Actually, there *IS* a password for root:
>>
>> #cat /etc/passwd /etc/shadow | grep root
>> root:x:0:0:root:/root:/bin/bash
>> root:*:13755:0:99999:7:::
>
> As long as we're being pedantic... you get the prize for "useless
> use of cat"
>
> grep root /etc/passwd /etc/shadow

Heheh - indeed :P What about:

awk -F: '/root/ { print "User: " $1 " Hashed Password: " $2}' /etc/shadow

...there, that's *much* more efficient use of key strokes. lol

In my defense, I'd typed "cat /etc/passwd etc/shadow" and thought it
would be easier to explain if I stripped it down to root's account
only, so I typed "!! | grep root"...bash short-cuts rule

Peace,

James

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
11-11-2008, 02:45 AM
CLIFFORD ILKAY

Trouble Logging In as Root

Mark Haney wrote:
> CLIFFORD ILKAY wrote:
>
>>> Am I missing something really obvious here? How can I set up my computer so
>>> that I can log in as root? I have all my files backed up so if another fresh
>>> install is required that is certainly a possibility.
>> Hi,
>>
>> Ignore the advice to set a root password.
>
> Okay, I came rather late to the party but I would like to say a couple
> of things here. First and foremost. NEVER leave root without a
> password. PERIOD. This is not only probably the biggest security hole
> ever, it's just plain wrong. Root is (in the phrasing of Ric Flair)
> 'THE MAN'. It can do everything. Anyone leaving root exposed runs a
> big risk.

On Ubuntu systems, root is not exposed because it isn't enabled. From
man shadow:

"If the password field contains some string that is not valid result of
crypt(3), for instance ! or *, the user will not be able to use a unix
password to log in, subject to pam(7)."

On my systems, in /etc/shadow, I have:

root:!:14136:0:99999:7:::

That is stock K/Ubuntu. Note the exclamation mark in the password field.
It doesn't matter how many passwords an attacker tries, they're not
likely to be able to log in. If I had set a password as some were
suggesting, root would have been enabled and the system would have been
*more* vulnerable, not less. On a K/Ubuntu system, a remote attacker has
to know which accounts are in the admin group and crack that account
first before being able to become root.

All bets are off if the attacker has physical access to the machine
because rebooting and starting in "recovery" mode is usually enough to
get root and failing that, one could always boot from an alternate boot
device, like a live CD, and get at whatever files are on the disk anyway.

The measures above are more relevant for remote access in which case,
you could make it tougher to break in by doing a few simple things.

1. Don't enable root.

2. Don't allow remote root logins via ssh, which is a moot point if you
don't enable root anyway.

3. Disable password logins via ssh and insist on RSA authentication.
Once you put your public key on the server, you only have to unlock your
local private key (which you must guard closely).

4. Change the port sshd listens on from the default of 22 to something
else. I know it's security through obscurity but if nothing else, it's
another hurdle, even if it is minor to a determined attacker but it
certainly cuts down considerably against the idiots who run scripted joe
job attacks.

If you do the above, in order for someone to get root on your machine,
they would have to steal your private key, figure out what the pass
phrase is to unlock it (The operative word is "phrase"!), figure out
what port your machine is listening on, get a shell on your machine and
hope that you're in the admin group. I suppose we could make it even
tougher and not allow anyone in the admin group to connect via ssh. That
way, you'd have to switch user (su) to an account in the admin group and
then use sudo to get root.

As for someone in the admin group being able to lock everyone else out,
a) you should never give someone those privileges if you don't trust
them, and b) let them change the password. I'll have root on that
machine as soon as I boot from an alternate boot device.
--
Regards,

Clifford Ilkay
Dinamis
1419-3266 Yonge St.
Toronto, ON
Canada M4N 3P6

<http://dinamis.com>
+1 416-410-3326
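
An added example, not part of the original posts: a shell audit of the two things this thread discusses, the password field in /etc/shadow and the sshd settings from steps 2 to 4 above. The function names and sample inputs are constructed for illustration (the root line is the one quoted in the post).

```shell
# Constructed sample inputs; on a real host, feed /etc/shadow and
# /etc/ssh/sshd_config to the functions as root instead.
SAMPLE_SHADOW='root:!:14136:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14136:0:99999:7:::
guest::14136:0:99999:7:::'
SAMPLE_SSHD='# constructed sshd_config
Port 2222
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no'

# Classify one account's password field in shadow(5) input on stdin.
# Field 1 is matched exactly, so "root" does not also match "chroot".
shadow_state() {
    awk -F: -v user="$1" '
        $1 == user {
            found = 1
            if ($2 == "")          { print "empty" }   # no password required
            else if ($2 ~ /^[!*]/) { print "locked" }  # not a crypt(3) result
            else                   { print "hash" }    # password login possible
        }
        END { if (!found) print "missing" }'
}

# Global value of an sshd_config keyword on stdin: keywords are
# case-insensitive, the first occurrence wins, Match blocks are ignored.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# One line per deviation from steps 2-4 of the post; no output if none.
# Port may be given several times; only the first is examined here.
sshd_findings() {
    cfg=$(cat)
    [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" = "no" ] ||
        echo "PermitRootLogin is not 'no'"
    [ "$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)" = "no" ] ||
        echo "PasswordAuthentication is not 'no'"
    case "$(printf '%s\n' "$cfg" | sshd_value Port)" in
        unset|22) echo "sshd listens on the default port 22" ;;
    esac
}

echo "root: $(printf '%s\n' "$SAMPLE_SHADOW" | shadow_state root)"
printf '%s\n' "$SAMPLE_SSHD" | sshd_findings
```

The sample sshd_config is flagged because the earlier lowercase `passwordauthentication yes` line takes precedence over the later `no`. On a live system, piping `sshd -T` into `sshd_findings` checks the effective configuration rather than the file.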