
Re: [Patch] Assign password (encrypted) from boot parameters



I don't know enough about security to comment on the implementation,
but I would really like to see this functionality become a feature.
Cheers, Michael

On Fri, Oct 3, 2008 at 2:48 AM, Steven Shiau <steven@nchc.org.tw> wrote:
> Bob,
> Definitely.
> However, this is just an option. Especially when you want to do some remote
> rescue action. Give a Debian live ISO and ask the guy to download it, burn
> it, boot it, and it's ready there.
> My 2 cents.
>
> Regards,
> Steven.
>
> bob wrote:
>>
>> On Thu, Oct 02, 2008 at 11:47:51PM +0800, Steven Shiau wrote:
>>>
>>> Hi,
>>> I modified live-initramfs so that we can assign password (encrypted) for
>>> the default account "user" in boot parameters.
>>> I am not sure this is a good idea or not, but I found it's really useful
>>> when you want to put a remote machine with ssh service on.
>>> To use it:
>>> 1.  echo "YOUR_PASSWORD" | mkpasswd -s
>>>     say, it shows "1zShsShaiZumc"
>>> 2.  put "usercrypted=1zShsShaiZumc" in boot parameters.
>>>
>> The boot parameters are visible to all users. Would the system be
>> vulnerable to another user seeing this parameter and running something like
>> John the Ripper?
>>>
>>> Then after the machine is booted, the password of default user becomes
>>> "YOUR_PASSWORD"
>>>
>>>
>>> Hope this helps.
>>> My 2 cents.
>>>
>>> Regards,
>>> Steven.
>>>
>>> --
>>> Steven Shiau <steven _at_ nchc org tw> <steven _at_ stevenshiau org>
>>> National Center for High-performance Computing, Taiwan.
>>> http://www.nchc.org.tw
>>> Public Key Server PGP Key ID: 1024D/9762755A
>>> Fingerprint: A2A1 08B7 C22C 3D06 34DB  F4BC 08B3 E3D7 9762 755A
>>>
>>>
>>
>>> diff --unified --recursive --new-file live-initramfs-1.139.1/scripts/live
>>> live-initramfs-1.139.1-new/scripts/live
>>> --- live-initramfs-1.139.1/scripts/live 2008-10-02 23:09:31.000000000
>>> +0800
>>> +++ live-initramfs-1.139.1-new/scripts/live     2008-10-02
>>> 23:05:07.000000000 +0800
>>> @@ -98,6 +98,12 @@
>>>                                export USERNAME LIVECONF
>>>                                ;;
>>>  +                       usercrypted=*)
>>> +                               USERCRYPTED="${ARGUMENT#usercrypted=}"
>>> +                               LIVECONF="changed"
>>> +                               export USERCRYPTED LIVECONF
>>> +                               ;;
>>> +
>>>                        userfullname=*)
>>>                                USERFULLNAME="${ARGUMENT#userfullname=}"
>>>                                LIVECONF="changed"
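Review bot: the `usercrypted=*)` case exports `${ARGUMENT#usercrypted=}` as-is, with no check on the value and no documentation of the new parameter anywhere in the patch. A value that is empty or is not a crypt string is passed straight through to 10adduser; consider validating it here (non-empty, crypt alphabet only) and logging when it is rejected. The parameter's documentation should also state what bob points out in this thread: the hash sits in the boot parameters, which are visible to all users.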
>>> diff --unified --recursive --new-file
>>> live-initramfs-1.139.1/scripts/live-bottom/10adduser
>>> live-initramfs-1.139.1-new/scripts/live-bottom/10adduser
>>> --- live-initramfs-1.139.1/scripts/live-bottom/10adduser
>>>  2008-10-02 23:09:31.000000000 +0800
>>> +++ live-initramfs-1.139.1-new/scripts/live-bottom/10adduser
>>>  2008-10-02 23:05:50.000000000 +0800
>>> @@ -31,7 +31,12 @@
>>>   # live-initramfs script
>>>  -user_crypted="8Ab05sVQ4LLps" # as in $(echo "live" | mkpasswd -s)
>>> +if [ -z "${USERCRYPTED}" ]
>>> +then
>>> +  user_crypted="8Ab05sVQ4LLps" # as in $(echo "live" | mkpasswd -s)
>>> +else
>>> +  user_crypted="${USERCRYPTED}"
>>> +fi
>>>   # U6aMy0wojraho is just a blank password
>>>  chroot /root debconf-communicate -fnoninteractive live-initramfs >
>>> /dev/null << EOF
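Review bot: in the `if [ -z "${USERCRYPTED}" ]` block, an empty `usercrypted=` silently falls back to the published hash for the password "live", so a typo in the boot parameter leaves the well-known default in place without any message. Emit a log line in that branch, or at least note the fallback in a comment. As a style point, the five added lines reduce to `user_crypted="${USERCRYPTED:-8Ab05sVQ4LLps}"`, with the existing `mkpasswd` comment kept on the same line.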
>>
>>
>
> --
> Steven Shiau <steven _at_ nchc org tw> <steven _at_ stevenshiau org>
> National Center for High-performance Computing, Taiwan.
> http://www.nchc.org.tw
> Public Key Server PGP Key ID: 1024D/9762755A
> Fingerprint: A2A1 08B7 C22C 3D06 34DB  F4BC 08B3 E3D7 9762 755A
>
>
>
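
The exposure bob raises in the quoted thread, as an added check that is not part of the original messages or of live-initramfs: a POSIX sh audit that pulls a `usercrypted=` value out of a kernel command line and classifies its crypt(3) scheme. The function names, the sample command line and the weak/exposed labels are assumptions made for this example; the hash is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel command line for a
# password hash passed via usercrypted=.

# Constructed sample command line; the hash value is the one quoted in the thread.
SAMPLE_CMDLINE='boot=live username=user usercrypted=1zShsShaiZumc quiet'

# Print the crypt(3) scheme of a hash string, judged by its prefix and length.
classify_crypt() {
    case "$1" in
        '$1$'*)        echo md5crypt ;;
        '$5$'*)        echo sha256crypt ;;
        '$6$'*)        echo sha512crypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        '$y$'*)        echo yescrypt ;;
        ''|*[!./0-9A-Za-z]*) echo unknown ;;
        *)  # traditional DES crypt: exactly 13 characters from [./0-9A-Za-z]
            if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# Print the value of the last usercrypted= argument in the given command line.
# Runs in a subshell so that 'set -f' (no globbing) and 'arg' do not leak out.
extract_usercrypted() (
    set -f
    for arg in $1; do
        case "$arg" in
            usercrypted=*) printf '%s\n' "${arg#usercrypted=}" ;;
        esac
    done | tail -n 1
)

# Report on one command line. Returns 0 = no hash, 1 = exposed, 2 = exposed and weak.
audit_cmdline() {
    value=$(extract_usercrypted "$1")
    if [ -z "$value" ]; then
        echo "ok: no usercrypted= value present"
        return 0
    fi
    scheme=$(classify_crypt "$value")
    case "$scheme" in
        descrypt|md5crypt) echo "weak: $scheme hash visible in boot parameters"; return 2 ;;
        *)                 echo "exposed: $scheme hash visible in boot parameters"; return 1 ;;
    esac
}

# On a booted system: audit_cmdline "$(cat /proc/cmdline)"
audit_cmdline "$SAMPLE_CMDLINE" || :
```
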

