Re: Automatic root password setting

On Thursday 07 October 2004 12:08, Free Ekanayaka wrote:
>   PM> I was going to submit a bug against passwd for this so it doesn't get
>   PM> lost in the wash.
> Did you?

Not at that point, but I have now.  It's bug 275343.

>   PM> An alternative solution is to have a key passwd/root-hash
> Seems reasonable to me.

We'll see what the Powers That Be have to say.

[having the same user and root p/w]
>   PM> AFAIK, there is no restriction on what you choose for your passwords,
>   PM> although having the same password for user and root accounts is a Bad
>   PM> Idea.
> I'm talking about a personal workstation.. I admit that I always did it
> for my personal machines. Although it doesn't sound too good I don't
> see exactly where it could hurt.

It's generally a bad idea to use the same information in different contexts.  In
this case, it's a risk of privilege escalation.

Let's say a cracker breaks into your a/c (via the Mozilla JPEG vulnerability,
for example) and phones home (via crafted DNS request, say).  It also aliases
xscreensaver, ssh, ... to trojan ones that log passwords.  If any of those
harvested passwords also happen to be the same as the root pw...



