
I have been using suse for a bit now, having used RH previously. One feature that I seem not to see or maybe it's just not there. In RH, there was a way to recover the root password. As I am an independent consultant, I can just imagine getting to a client's site and they don't remember/know the root password. Is there a way/method to recover/reset the root password in suse? Thanks, Lyle

/ 2004-07-24 10:56:07 -0500 \ Lyle Giese:
> I have been using suse for a bit now, having used RH previously. One feature that I seem not to see or maybe it's just not there.
> In RH, there was a way to recover the root password. As I am an independent consultant, I can just imagine getting to a client's site and they don't remember/know the root password.
> Is there a way/method to recover/reset the root password in suse?
you have a rescue disk at hand, and boot from that one... obvious solution, no? lge

That ASSUMES you have one for that version. Again, I am talking about a client's server (maybe used just as a SAMBA server for a workgroup) and I may not have done the initial install/setup.
Doesn't a rescue disk need the drivers for that machine and therefore be made on that machine? This is not always possible because of a lack of total control. In RH, you could boot into single user mode and be auto connected as root without knowing the password.
Lyle
----- Original Message -----
From: "Lars Ellenberg" <l.g.e@web.de>
To: <suse-security@suse.com>
Sent: Saturday, July 24, 2004 11:04 AM
Subject: Re: [suse-security] password recovery
> / 2004-07-24 10:56:07 -0500 \ Lyle Giese:
> > I have been using suse for a bit now, having used RH previously. One feature that I seem not to see or maybe it's just not there.
> > In RH, there was a way to recover the root password. As I am an independent consultant, I can just imagine getting to a client's site and they don't remember/know the root password.
> > Is there a way/method to recover/reset the root password in suse?
> you have a rescue disk at hand, and boot from that one... obvious solution, no?
> lge
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Quoting Lyle Giese <lyle@lcrcomputer.net>:
> That ASSUMES you have one for that version. Again, I am talking about a client's server (maybe used just as a SAMBA server for a workgroup) and I may not have done the initial install/setup.
> Doesn't a rescue disk need the drivers for that machine and therefore be made on that machine? This is not always possible because of a lack of total control. In RH, you could boot into single user mode and be auto connected as root without knowing the password.
My favorite is Knoppix. Keep a copy on ya and you can get into any machine with a CD-ROM...

Get some version (knoppix is ok) to boot to from anything other than the hard drive. Then mount the hard drive if it is not mounted. Go to /etc and edit the shadow file. There should be an entry like:
root:XXX:...
'XXX' (this is some misc characters) is the encrypted password. Edit this file and remove the 'XXX'. Reboot the machine normally and you should be able to log in as root without a password.
As an alternative method, go to the SuSE Linux unofficial FAQ and read the following article: http://susefaq.sourceforge.net/faq/user.html
Jim
On Saturday 24 July 2004 11:14 am, Lyle Giese wrote:
> That ASSUMES you have one for that version. Again, I am talking about a client's server (maybe used just as a SAMBA server for a workgroup) and I may not have done the initial install/setup.
> Doesn't a rescue disk need the drivers for that machine and therefore be made on that machine? This is not always possible because of a lack of total control. In RH, you could boot into single user mode and be auto connected as root without knowing the password.
> Lyle

On Saturday 24 July 2004 08:14 am, Lyle Giese wrote:
> In RH, you could boot into single user mode and be auto connected as root without knowing the password.
And you have conclusively proven that the same method will not work in SuSE?
--
John Andersen

On Saturday 24 July 2004 16:14, John Andersen wrote:
> On Saturday 24 July 2004 08:14 am, Lyle Giese wrote:
> > In RH, you could boot into single user mode and be auto connected as root without knowing the password.
> And you have conclusively proven that the same method will not work in SuSE?
It's been a while, but I proved it in 8.1. I had a root password get corrupted, I have no idea how, but it did. When I tried to log in single user, it wanted the root password. I used a Knoppix CD, mounted my root partition, cleared the root password in shadow, and was able to get it back.

As was pointed out in one of the private messages to me, you have to edit inittab to allow that. And one of my points in the question, was you did not have that opportunity prior to having to do password recovery.
It can be done in suse, but just not 'out of the box'.
Lyle

On Saturday 24 July 2004 17:19, Lyle Giese wrote:
> As was pointed out in one of the private messages to me, you have to edit inittab to allow that. And one of my points in the question, was you did not have that opportunity prior to having to do password recovery.
> It can be done in suse, but just not 'out of the box'.
To allow what? I can boot almost any machine off of Knoppix. Once booted, I can mount the partition and edit shadow. I'm not sure I understand what requires editing inittab.

On Saturday 24 July 2004 23.29, Michael Satterwhite wrote:
> It's been a while, but I proved it in 8.1. I had a root password get corrupted, I have no idea how, but it did. When I tried to log in single user, it wanted the root password. I used a Knoppix CD, mounted my root partition, cleared the root password in shadow, and was able to get it back.
Or you could
1. boot via the CD/floppies
2. mount the / (rw) (i.e. mount /dev/whatever /mnt)
3. chroot to the mounted / (chroot /mnt /bin/bash)
4. issue passwd to change it (passwd)
It's a "roundabout way" derived from installing Gentoo systems...
--
/Rikard
------------------------------------------------------------------------------------
Rikard Johnels
email : rikjoh@norweb.se
Web : http://www.rikjoh.com
Mob : +46 735 05 51 01
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >

And what if the filesystem is encrypted?
Best regards,
Antun Balaz
Institute of Physics, Belgrade
Serbia and Montenegro
On Sun, 25 Jul 2004, Rikard Johnels wrote:
> Or you could
> 1. boot via the CD/floppies
> 2. mount the / (rw) (i.e. mount /dev/whatever /mnt)
> 3. chroot to the mounted / (chroot /mnt /bin/bash)
> 4. issue passwd to change it (passwd)
> It's a "roundabout way" derived from installing Gentoo systems...

On Sunday 25 July 2004 18.44, Antun Balaz wrote:
> And what if the filesystem is encrypted?
Mount it the usual way for encrypted systems. I don't use it so I can't tell you how. The actual filesystem isn't relevant. As long as you can access it ok. Just mount it rw and chroot into it.
--
/Rikard

Hi *
Rikard Johnels wrote:
> On Sunday 25 July 2004 18.44, Antun Balaz wrote:
> > And what if the filesystem is encrypted?
> -----------8<------------
> Mount it the usual way for encrypted systems. I don't use it so I can't tell you how. The actual filesystem isn't relevant. As long as you can access it ok. Just mount it rw and chroot into it.
But if the FS is encrypted with the root-PW you've got _real_ trouble.
S(really)CNR
Dirk
--
TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de

On Sunday 25 July 2004 22.35, Dirk Schreiner wrote:
> But if the FS is encrypted with the root-PW you've got _real_ trouble.
Correct me if I'm wrong but I'd say "In that case you are cooked!!"
Not that I know much of encrypted FS's, but I'd say you are pretty lost by then. Unless you can brutecrack the encryption with some forensics software...
--
/Rikard

> Correct me if I'm wrong but I'd say "In that case you are cooked!!"
> Not that I know much of encrypted FS's, but I'd say you are pretty lost by then. Unless you can brutecrack the encryption with some forensics software...
Start looking for post-it notes near the console....
Tom.

On Monday 26 July 2004 11.01, Tom Knight wrote:
> Start looking for post-it notes near the console....
> Tom.
LOL! Well unfortunately that IS a relevant observation... (Been there, done that, trashed the user badly for compromising the security)
But all jokes aside. If you DON'T know the password for the encryption, I think you are lost...
--
/Rikard

On Jul 26, 2004, at 12:58 PM, Rikard Johnels wrote:
> LOL! Well unfortunately that IS a relevant observation... (Been there, done that, trashed the user badly for compromising the security)
> But all jokes aside. If you DON'T know the password for the encryption, I think you are lost...
Well, that's the idea of encryption, isn't it? There might however be a chance to find the encryption key on the swap partition. I haven't looked at the code if it is really impossible that the relevant pages get swapped out.
But, just to reiterate what has been said earlier: if the root partition is not encrypted, you can always boot with init=/bin/sh and do whatever you want. inittab doesn't matter because /bin/sh is not known to read that file, and it doesn't ask for any password either. ;-)
Regards,
Roland
--
TU Muenchen, Physik-Department E18, James-Franck-Str. 85747 Garching
Phone 089/289-12592; Fax 089/289-12570
--
A mouse is a device used to point at the xterm you want to type in.
Kim Alm on a.s.r.

And what if I use LVM? How do I mount root manually?
--
Abidis Solano Nova
http://www.minuevaweb.com

> And what if I use LVM? how do I mount root manually?
it has been mentioned several times: at the (grub,lilo,whatever) boot prompt, you can say init=/bin/bash (or sash, or whatever). you then only need to
mount -o remount,rw /; passwd ; mount -o remount,ro / ; reboot -f
so what?

-----Original Message-----
From: Lars Ellenberg [mailto:l.g.e@web.de]
Sent: 26 July 2004 18:59
To: suse-security@suse.com
Subject: Re: [suse-security] password recovery
> > And what if I use LVM? how do I mount root manually?
> it has been mentioned several times: at the (grub,lilo,whatever) boot prompt, you can say init=/bin/bash (or sash, or whatever). you then only need to
> mount -o remount,rw /; passwd ; mount -o remount,ro / ; reboot -f
> so what?
If the root partition is in LVM then you'll also need to run the LVM commands (pvscan etc, can't remember, I'll look at my notes in the morning) to see this partition. This is the main reason I use:
/dev/sda1 /boot ext2
/dev/sda2 swap
/dev/sda3 / reiserfs
/dev/sda4 extended partition
/dev/sda5 LVM partition
Makes /boot and / trivial to access, assuming I have a boot disk with the megaraid2 driver available.
Tom.

/ 2004-07-26 22:48:04 +0100 \ Tom Knight:
> If the root partition is in LVM then you'll also need to run the LVM commands (pvscan etc, can't remember, I'll look at my notes in the morning)
(it would be /sbin/vgscan ; /sbin/vgchange -a y ... but see below )
> to see this partition. This is the main reason I use:
> /dev/sda1 /boot ext2
> /dev/sda2 swap
> /dev/sda3 / reiserfs
> /dev/sda4 extended partition
> /dev/sda5 LVM partition
> Makes /boot and / trivial to access, assuming I have a boot disk with the megaraid2 driver available.
which I do, too. But: if / is on LVM (or something other special), this has to be done by the initrd, anyways. which is done before init starts. so root is accessible, before $program is started, regardless what you gave as init=$program parameter.
lge

Hi,
Roland Kuhn wrote:
> Well, that's the idea of encryption, isn't it? There might however be a chance to find the encryption key on the swap partition. I haven't looked at the code if it is really impossible that the relevant pages get swapped out.
> But, just to reiterate what has been said earlier: if the root partition is not encrypted, you can always boot with init=/bin/sh and do whatever you want. inittab doesn't matter because /bin/sh is not known to read that file, and it doesn't ask for any password either. ;-)
> Regards, Roland
And just to mention, cause (I guess) it was never said in this thread.
You can secure this by giving the boot-loader a Password, giving the Bios a Password, and configure Bios to only boot from Harddisk. If you want.
Dirk

Hi Dirk,
On Fri, 2004-07-30 at 14:44, Dirk Schreiner wrote:
> And just to mention, cause (I guess) it was never said in this thread.
> You can secure this by giving the boot-loader a Password, giving the Bios a Password, and configure Bios to only boot from Harddisk.
But you have also to mention this: Bios can be easily reset and boot-loader-password does not protect you from booting off a rescue-cd. In any case - as long as the data on the disk are not encrypted and a person, who wants to get to your data, has physical access to the machine - then you're screwed. Greetings, Ralf
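As an added example (not from any poster in this thread), this script audits the three controls discussed above: an empty root field in shadow, a GRUB boot menu without a password, and single-user mode that does not ask for the root password. The GRUB legacy menu.lst and SysV inittab layouts, the function names, and all sample file contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. All file contents are constructed samples.

# Accounts whose shadow password field is empty: they log in with no password.
# This is the state "remove the 'XXX'" leaves behind until passwd is run.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# GRUB legacy menu.lst (assumed format): a global "password" line before the
# first "title" blocks interactive editing of the kernel line (init=...).
grub_has_global_password() {
    awk '
        $1 == "title"    { exit }
        $1 == "password" { found = 1; exit }
        END              { exit (found ? 0 : 1) }
    ' "$1"
}

# SysV inittab (assumed format id:runlevels:action:process): does runlevel S
# start sulogin, which asks for the root password in single-user mode?
single_user_asks_password() {
    awk -F: '
        !/^[ \t]*#/ && $2 ~ /S/ && $4 ~ /sulogin/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Report one line per weakness for the three files given as arguments.
audit_boot_path() {   # usage: audit_boot_path SHADOW MENU_LST INITTAB
    for acct in $(empty_password_accounts "$1"); do
        echo "FAIL shadow: account '$acct' has an empty password field"
    done
    grub_has_global_password "$2" ||
        echo "FAIL grub: no global password, kernel line can be edited at boot"
    single_user_asks_password "$3" ||
        echo "FAIL inittab: runlevel S does not run sulogin"
    echo "NOTE: a rescue CD bypasses all three; that needs disk encryption"
}

# Write constructed weak and hardened sample files into DIR/weak and DIR/hard.
make_samples() {   # usage: make_samples DIR
    mkdir -p "$1/weak" "$1/hard"
    cat > "$1/weak/shadow" <<'EOF'
root::12623:0:99999:7:::
user1:$1$constructed$placeholderhash:12623:0:99999:7:::
EOF
    cat > "$1/hard/shadow" <<'EOF'
root:$1$constructed$placeholderhash:12623:0:99999:7:::
user1:$1$constructed$placeholderhash:12623:0:99999:7:::
EOF
    cat > "$1/weak/menu.lst" <<'EOF'
default 0
title Linux
    kernel (hd0,0)/vmlinuz root=/dev/sda3
EOF
    cat > "$1/hard/menu.lst" <<'EOF'
default 0
password --md5 $1$constructed$placeholderhash
title Linux
    kernel (hd0,0)/vmlinuz root=/dev/sda3
EOF
    printf '%s\n' 'id:3:initdefault:' '~~:S:respawn:/bin/bash' > "$1/weak/inittab"
    printf '%s\n' 'id:3:initdefault:' '~~:S:respawn:/sbin/sulogin' > "$1/hard/inittab"
}

# Demo: audit both constructed profiles.
demo=$(mktemp -d)
make_samples "$demo"
for p in weak hard; do
    echo "== $p =="
    audit_boot_path "$demo/$p/shadow" "$demo/$p/menu.lst" "$demo/$p/inittab"
done
rm -rf "$demo"
```

On a real host the three arguments would be the mounted system's own files; the closing NOTE line restates the point made in the reply above about rescue CDs and physical access.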

Hi Ralf,
I totally agree, if you have the Notebook of the Road-Warrior in mind. In this case you should not forget to configure unmounting of the encrypted FS when going into screen-lock or sleeping Mode. And use a well configured faillog. Do not use chipcard-encryption _without_ a good chosen passphrase, cause they mostly will be stolen with the Notebook.
I had public access Terminals like those in an Internet-Cafe in mind. And in this Case Bios-Reset will be hard due to big welded locks. ;-))
Have a nice weekend
Dirk
Ralf Ronneburger wrote:
> But you have also to mention this: Bios can be easily reset and boot-loader-password does not protect you from booting off a rescue-cd. In any case - as long as the data on the disk are not encrypted and a person, who wants to get to your data, has physical access to the machine - then you're screwed.

On Sunday 01 August 2004 19:31, Dirk Schreiner wrote:
Hi Ralf,
I totally agree, if you have the Notebook of the Road-Warrior in mind. In this case you should not forget to configure unmounting of the encrypted FS when going into screen-lock or sleeping Mode.
Hm. That sounds like overly paranoid. And in any case, how do you suppose one would go about umounting my encrypted /home partition when going into screen-lock mode ? You can't, unless you log out completely, which really defeats the whole purpose of locking the screen in the first place...
Maarten
-- Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

Quoting maarten van den Berg <maarten@vbvb.nl>:
On Sunday 01 August 2004 19:31, Dirk Schreiner wrote:
Hi Ralf,
I totally agree, if you have the Notebook of the Road-Warrior in mind. In this case you should not forget to configure unmounting of the encrypted FS when going into screen-lock or sleeping Mode.
Hm. That sounds like overly paranoid. And in any case, how do you suppose one would go about umounting my encrypted /home partition when going into screen-lock mode ? You can't, unless you log out completely, which really defeats the whole purpose of locking the screen in the first place...
I don't believe such a step is necessary. You can break the screenlock with Ctrl-Alt-Backspace, but then you're at the X login, still needing a password. If the attacker shuts off or reboots the machine, then the encrypted area is unmounted :-)

On Monday 02 August 2004 00:10, suse@rio.vg wrote:
Quoting maarten van den Berg <maarten@vbvb.nl>:
On Sunday 01 August 2004 19:31, Dirk Schreiner wrote:
Hi Ralf,
I totally agree, if you have the Notebook of the Road-Warrior in mind. In this case you should not forget to configure unmounting of the encrypted FS when going into screen-lock or sleeping Mode.
Hm. That sounds like overly paranoid. And in any case, how do you suppose one would go about umounting my encrypted /home partition when going into screen-lock mode ? You can't, unless you log out completely, which really defeats the whole purpose of locking the screen in the first place...
I don't believe such a step is necessary. You can break the screenlock with Ctrl-Alt-Backspace, but then you're at the X login, still needing a password. If the attacker shuts off or reboots the machine, then the encrypted area is unmounted :-)
Exactly my point. :-) Until someone finds a bug in the locking mechanism, I believe we're quite safe just locking, without umounting the encrypted FS.
Maarten
-- Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

On Mon, 2 Aug 2004 00:54:17 +0200 maarten van den Berg <maarten@vbvb.nl> wrote:
On Monday 02 August 2004 00:10, suse@rio.vg wrote:
Quoting maarten van den Berg <maarten@vbvb.nl>:
On Sunday 01 August 2004 19:31, Dirk Schreiner wrote:
Hi Ralf,
I totally agree, if you have the Notebook of the Road-Warrior in mind. In this case you should not forget to configure unmounting of the encrypted FS when going into screen-lock or sleeping Mode.
Hm. That sounds like overly paranoid. And in any case, how do you suppose one would go about umounting my encrypted /home partition when going into screen-lock mode ? You can't, unless you log out completely, which really defeats the whole purpose of locking the screen in the first place...
I don't believe such a step is necessary. You can break the screenlock with Ctrl-Alt-Backspace, but then you're at the X login, still needing a password. If the attacker shuts off or reboots the machine, then the encrypted area is unmounted :-)
Exactly my point. :-) Until someone finds a bug in the locking mechanism, I believe we're quite safe just locking, without umounting the encrypted FS.
Maarten
-- Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Until a Social Engineer walks in and reboots the machine with a bootable CD and grabs all the information they could ever want?

Quoting Allen/Gore/SlackWareWolf <goreBOFH@comcast.net>:
On Mon, 2 Aug 2004 00:54:17 +0200 maarten van den Berg <maarten@vbvb.nl> wrote:
On Monday 02 August 2004 00:10, suse@rio.vg wrote:
Quoting maarten van den Berg <maarten@vbvb.nl>:
On Sunday 01 August 2004 19:31, Dirk Schreiner wrote:
Hi Ralf,
I totally agree, if you have the Notebook of the Road-Warrior in mind. In this case you should not forget to configure unmounting of the encrypted FS when going into screen-lock or sleeping Mode.
Hm. That sounds like overly paranoid. And in any case, how do you suppose one would go about umounting my encrypted /home partition when going into screen-lock mode ? You can't, unless you log out completely, which really defeats the whole purpose of locking the screen in the first place...
I don't believe such a step is necessary. You can break the screenlock with Ctrl-Alt-Backspace, but then you're at the X login, still needing a password. If the attacker shuts off or reboots the machine, then the encrypted area is unmounted :-)
Exactly my point. :-) Until someone finds a bug in the locking mechanism, I believe we're quite safe just locking, without umounting the encrypted FS.
Until a Social Engineer walks in and reboots the machine with a bootable CD and grabs all the information they could ever want?
You apparently didn't read the beginning of this thread. We're talking about a system with an ENCRYPTED FILESYSTEM. You'd have to be a REALLY good social engineer to have the CD-Booted system to yourself for the next few years while it runs its brute-force cracker... :-)

On Saturday 24 July 2004 17:56, Lyle Giese wrote:
I have been using suse for a bit now, having used RH previously. One feature that I seem not to see or maybe it's just not there.
In RH, there was a way to recover the root password. As I am an independent consultant, I can just imagine getting to a client's site and they don't remember/know the root password.
Is there a way/method to recover/reset the root password in suse?
Thanks, Lyle
this method is available for a linux distros:
at boot menu (if grub/lilo press esc) type:
    linux init=/bin/bash
after starting the system.
    # mount -o remount,rw /
    # passwd root
    # mount -o remount,ro /
reboot.
Josephine

Simply use boot media that has drivers for the disk and the console (i.e. anything will do). Remount the / partition (which likely contains /etc) as read-write, then either remove the password with an editor from /etc/shadow or change it using "passwd", reboot and you're done.
On many systems you don't even need to do that: at the lilo or grub prompt boot into single user mode and often you are dumped to a root prompt. However, more recent versions of SuSE are often set up securely to prevent this, so use a bootable disk and method #1.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "Lyle Giese" <lyle@lcrcomputer.net>
To: <suse-security@suse.com>
Sent: Saturday, July 24, 2004 8:56 AM
Subject: [suse-security] password recovery
I have been using suse for a bit now, having used RH previously. One feature that I seem not to see or maybe it's just not there.
In RH, there was a way to recover the root password. As I am an independent consultant, I can just imagine getting to a client's site and they don't remember/know the root password.
Is there a way/method to recover/reset the root password in suse?
Thanks, Lyle
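
Two of the hardening points raised in this thread (a boot-loader password, and single-user mode that asks for the root password) can be checked with a short audit. This is an added example, not code from any poster: it assumes GRUB legacy's menu.lst and a SysV /etc/inittab, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed sample files; helper names are hypothetical.

# True if GRUB legacy menu.lst has a global "password" line before the first "title".
grub_has_password() {
    awk '/^[ \t]*title/ { exit }
         /^[ \t]*password[ \t=]/ { found = 1; exit }
         END { exit (found ? 0 : 1) }' "$1"
}

# True if /etc/inittab runs sulogin for runlevel S (single-user mode).
single_user_asks_password() {
    grep -Eq '^[^#:]*:[^:]*S[^:]*:[^:]*:.*sulogin' "$1"
}

# Prints one line per finding; returns 0 only when both checks pass.
audit_boot() {
    rc=0
    grub_has_password "$1" ||
        { echo "FINDING: no global GRUB password, boot entries can be edited"; rc=1; }
    single_user_asks_password "$2" ||
        { echo "FINDING: single-user mode does not run sulogin"; rc=1; }
    return "$rc"
}

write_samples() {   # constructed configs, not taken from a real host
    cat > "$1/menu.weak" <<'EOF'
timeout 8
title Linux
    kernel (hd0,1)/boot/vmlinuz root=/dev/hda2
EOF
    cat > "$1/menu.hard" <<'EOF'
timeout 8
password --md5 PLACEHOLDER_MD5_CRYPT_HASH
title Linux
    kernel (hd0,1)/boot/vmlinuz root=/dev/hda2
EOF
    printf '%s\n' 'id:5:initdefault:' '~~:S:respawn:/bin/sh' > "$1/inittab.weak"
    printf '%s\n' 'id:5:initdefault:' '~~:S:respawn:/sbin/sulogin' > "$1/inittab.hard"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_boot "$tmp/menu.weak" "$tmp/inittab.weak" || echo "weak sample: findings above"
audit_boot "$tmp/menu.hard" "$tmp/inittab.hard" && echo "hardened sample: clean"
rm -rf "$tmp"
```

A clean result covers only these two settings; as Ralf points out above, neither protects unencrypted data from someone who can boot the machine from other media.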
participants (17): Abidis Solano, Allen/Gore/SlackWareWolf, Antun Balaz, Dirk Schreiner, James Bliss, John Andersen, Josephine, Kurt Seifried, Lars Ellenberg, Lyle Giese, maarten van den Berg, Michael Satterwhite, Ralf Ronneburger, Rikard Johnels, Roland Kuhn, suse@rio.vg, Tom Knight