
Re: Root login



On Friday 12 September 2008 21:47:31 s. keeling wrote:
> Vincent Deffontaines <vincent@gryzor.com>:
> >  Marek Kubica wrote:
> > > On Thu, 4 Sep 2008 13:25:13 +0100
> > >
> > > Paweł Krzywicki <krzywicki.pawel@googlemail.com> wrote:
> > >>> the solution was as Cerbelle said. Login as a normal user and do
> > >>> sudo (or you can activate root login from the login menu; but I
> > >>> personally consider it really dangerous!)
> > >>
> > >> I am wondering why this is dangerous.
> > >> If your password is seen as "strong", "FaG34#fCFD12drtfdg" or something
> > >> like this for example, why is this dangerous?
> > >
> > > The point is, that 1) not too many people use strong passwords 2)
> > > having root access allowed makes it [easier] to break in, since the
> > > username is known as it is always "root". User-accounts might be named
> > > pawel, pawelk, krzywicki or be completely unknown for the attacker.
> >
> >  Even though this principle is true, it seems to me it is not
> >  applied on every system.
> >
> >  Try to login on any Lenny box console with an invalid account.
> >  You will get "Incorrect login" without being prompted for a
> >  password at all.
>
> What?  And you get a shell prompt?!?
>
> >  I tend to consider this as a quite bad bug, but it seems it has
> >  been so for a while in Lenny, and even in upstream PAM.
>
> reportbug, search bugs.debian.org, ask in debian-mentors@lists.debian.org,
> ...
>
> The "What?!?" was meant seriously.  The closest I've come to running
> Testing is Sidux which is Sid based, so I can't easily verify this.  I
> find it's difficult to believe that Lenny really does this, but what
> do I know?  Can anyone confirm?
>
I was curious, so I tried this on a recent daily netinst iso.  Using an
incorrect username does bypass the prompting of a password, and goes back to
the login prompt.  You get five tries, before issue is reprinted and the loop
starts over again.  The interesting thing is that if you enter the correct
username and password on the fifth try, it will still fail to log in and claim
max tries exceeded, and start the loop again.

I never got a shell for an unsuccessful login, although I also didn't get a
shell for a successful login on the last attempt.

>
> --
> Any technology distinguishable from magic is insufficiently advanced.
> (*)    http://blinkynet.net/comp/uip5.html      Linux Counter #80292
> - -    http://www.faqs.org/rfcs/rfc1855.html    Please, don't Cc: me.



-- 
Thanks:
Joseph Rawson
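The two behaviours described above (an unknown username rejected before any password is asked for, which tells an attacker which accounts exist, and a retry loop that rejects a correct login on the last allowed try), shown side by side with their corrected forms. This is an added Python example, not code from this thread or from Debian's login/PAM; the user table, salts and the password value are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor for the demo (constructed value)


def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


# Constructed credential store: username -> (salt, hash). A real system keeps
# this in /etc/shadow behind PAM; the password is the one quoted in the thread.
_SALT = os.urandom(16)
USERS = {"pawel": (_SALT, _hash(b"FaG34#fCFD12drtfdg", _SALT))}

# Dummy credential so an unknown username costs the same work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(32), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Mirrors the reported console behaviour: an unknown user is refused before
    the password is examined, so the response reveals whether the account exists.
    Returns (success, message, password_was_checked)."""
    if username not in USERS:
        return (False, "Incorrect login", False)
    salt, expected = USERS[username]
    ok = hmac.compare_digest(_hash(password.encode(), salt), expected)
    return (ok, "Login OK" if ok else "Login incorrect", True)


def login_uniform(username: str, password: str):
    """Hardened form: always verify a password (against the dummy hash for an
    unknown user) and return one failure message, so an unknown user and a wrong
    password are indistinguishable to the person at the prompt."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password.encode(), salt), expected)
    ok = ok and username in USERS  # the dummy hash must never grant access
    return (ok, "Login OK" if ok else "Login incorrect", True)


def console_login(attempts, max_tries: int = 5) -> str:
    """Retry loop that counts only failures, so a correct pair on try number
    max_tries still succeeds (the ISO tested above rejected it instead)."""
    failures = 0
    for user, pw in attempts:
        if failures >= max_tries:
            break
        ok, _, _ = login_uniform(user, pw)
        if ok:
            return f"shell for {user}"
        failures += 1
    return "max tries exceeded"
```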


