Remaster TC - password for root

[Alatun]

Sorry for spamming you with questions today :-)

My remastered TC with rdesktop should work in kiosk mode as I wrote earlier. Since it seems not possible to prevent users getting to the linux console, I'd like to prevent them doing bad stuff. In important step would be to assign a password for root.

To get this for a remastered version for TC I need to copy /etc/shadow to the remastered image - right?

Because my remastered TC version already contains about 20 modifications, I wrote a shell script to do all this modifcations. Now I need to modify the root password via shell script.

I already tried:

Code: [Select]

#/bin/sh
echo "myrootpw" | passwd root


Code: [Select]

#/bin/sh
echo "myrootpw\nmyrootpw\n" | passwd root

passwd only tells me, that the password for root has not been changed. No reason given.

If I change password manually and the two passwords don't match, I get "passwords don't match". If it is too short I get: "password too short".

Any ideas how to do this properly?

[curaga]

It'd be preferable to change the password on a live system, and then copy /etc/shadow and /etc/password as files.

[Greg Erskine]

hi Alatun,

Here's a snippet of code I use to change the tc password from a script. It may work for root?

Code: [Select]

echo "tc:"$NEWPASSWORD | sudo chpasswd
The position of the second quote seems strange looking at it now, but this is a "cut and paste" from working code.

regards
Greg

[Alatun]

Hi Greg,

your proposal works. I just tested it. It also works for root.

That's great. Thank you.

Regards,
Alatun

[nbctcp]

This one work with small problem
Every time I ssh using root, it will login as tc (tc home directory and userid)
tc@box:~$ pwd
/home/tc
tc@box:~$ whoami
tc


# cat /opt/bootlocal.sh
#!/bin/sh
# put other system startup commands here
/usr/local/etc/init.d/openssh start
/usr/local/etc/init.d/nginx start
/bin/echo "tc:"tc | sudo chpasswd
/bin/echo "root:"root | sudo chpasswd

How to fix that.
I want root got root home and shell

tq

[CentralWare]

Most people are going to say that allowing Root to log into SSH is a bad idea (and for security purposes, it is) but there are two options:

1. Log in as TC and to switch to "root" mode, simply type in su and enter Root's password when asked (you're now logged in as root until you disconnect or type in exit.  If you typed in exit, you'll be switched back over to TC's account.  This is the easiest and safest means to directly gain Root access through SSH.)
2. The alternative is to open the SSH gates allowing Root to physically log in. HOW to enable ROOT ACCESS will depend on which SSH server/daemon you're running.

For dropbear: simply edit /usr/local/etc/init.d/dropbear and remove the -w and -g from the line starting with OPTIONS=
For most compilations of OpenSSH, you have to edit its config file and there's a line stating #PermitRootLogin...  Replace this line to read:
PermitRootLogin=yes
For any other SSH daemon, simply Google "How to allow root with [DaemonName]

Good luck!

[nbctcp]

I can login as root but get tc shell and id.
This for lab only not for production
I already allow PermitRootLogin

As stated above I get tc home and id when remote login as root using ssh
# cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
tc:x:1001:50:Linux User,,,:/home/tc:/bin/sh

# cat /etc/shadow
root:KfoDYgDSimpPI:17697:0:99999:7:::
lp:*:13510:0:99999:7:::
nobody:*:13509:0:99999:7:::
tc:WK7nkjARDrXqU:17697:0:99999:7:::

tq

[curaga]

The "superuser" bootcode stops root's login redirecting to tc. It also affects normal boots and not just SSH logins.

[aw]

I would recommend replacing the password in the /etc/shadow file with a hashed version of your password, rather than adding the plaintext to your script. You either include your modified /etc/shadow in your remaster, or use 'sed' in your script, to change the value on boot.

You can generate the hash quite easily with:

echo -n "yourpass" | openssl passwd -stdin -1