
Author Topic: root password vulnerability  (Read 3100 times)

rusty123 (Newbie, Posts: 1)
root password vulnerability
« on: March 11, 2010, 04:22:00 PM »
It is not mentioned, but TinyCore comes with the root user's password set to root.
Since one can simply sudo su as the default user tc, it's really used or mentioned.
What happens, however, is that changing the root password can be overlooked at install time (since there is nothing guiding the install process). This fact, combined with the sshd_config default setting #PermitRootLogin yes,
can lead to disaster.

I suggest including changing the root password in the install docs (I am not sure if it can be disabled with a "*" in /etc/shadow?).

gutmensch (Retired Admins, Hero Member, Posts: 605)
Re: root password vulnerability
« Reply #1 on: March 11, 2010, 05:13:47 PM »
Confirmed, the default setting in sshd_config should be:

PermitRootLogin no
If I seem unduly clear to you, you must have misunderstood what I said. (Alan Greenspan)

Kingdomcome (Sr. Member, Posts: 286)
Re: root password vulnerability
« Reply #2 on: March 11, 2010, 07:55:25 PM »
The packaged sshd_config is unchanged from upstream source.  But if there is enough popular demand, I can easily change that one setting.

Kingdomcome (Sr. Member, Posts: 286)
Re: root password vulnerability
« Reply #3 on: March 14, 2010, 02:57:43 PM »
[edit: removed incorrect assumption]

Nevertheless, I will look at adjusting the extension.

Contrary to my memory and assumption, the default config does in fact allow root login. I will submit an adjusted extension shortly.
« Last Edit: March 14, 2010, 03:18:04 PM by Kingdomcome »

vitex (Full Member, Posts: 113)
Re: root password vulnerability
« Reply #4 on: March 14, 2010, 03:35:17 PM »
Quote from: Kingdomcome on March 14, 2010, 02:57:43 PM
> [edit: removed incorrect assumption]
>
> Nevertheless, I will look at adjusting the extension.
>
> Contrary to my memory and assumption, the default config does in fact allow root login. I will submit an adjusted extension shortly.

Please consider changing PermitRootLogin to without-password to prohibit logins via passwords but not public keys.
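An audit of the two settings raised in this thread (the effective PermitRootLogin value and whether root's shadow entry still holds a usable password), as an added example that is not code from the thread or from the TinyCore project. It assumes sshd's first-match rule for keywords and the OpenSSH default of PermitRootLogin yes for releases of that time, and runs on constructed sample files.

```shell
#!/bin/sh
# Added example, not code from the thread or from the TinyCore project: an audit
# of the two settings discussed above, run on constructed sample files.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed samples: the stock config with only the commented-out default,
# the setting vitex proposes, and shadow entries with root's password set/locked.
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$SAMPLE_DIR/stock_sshd_config"
printf 'PermitRootLogin without-password\n' > "$SAMPLE_DIR/hardened_sshd_config"
printf 'root:$1$constructed$notarealhash:14000:0:99999:7:::\ntc::14000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow_pw"
printf 'root:*:14000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow_locked"

# Effective PermitRootLogin for an sshd_config: sshd takes the first uncommented
# occurrence (keywords inside a Match block are ignored here), and with none
# present the compiled-in default applies, which for OpenSSH releases of this
# era was "yes"; the commented "#PermitRootLogin yes" line only documents that.
effective_permit_root_login() {
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "yes"; fi
}

# State of root's password field in a shadow file: "*" or a leading "!" locks
# the account for password authentication, an empty field means no password,
# anything else is a usable hash.
root_password_state() {
    awk -F: '$1 == "root" {
        if ($2 == "") print "empty";
        else if ($2 == "*" || substr($2, 1, 1) == "!") print "locked";
        else print "set";
        exit }' "$1"
}

# Password login as root over ssh needs both: root has a usable password and
# PermitRootLogin is plain "yes" ("without-password" still allows keys only).
root_password_login_possible() {
    if [ "$(effective_permit_root_login "$1")" = "yes" ] &&
       [ "$(root_password_state "$2")" = "set" ]; then echo yes; else echo no; fi
}

for cfg in stock hardened; do
    f="$SAMPLE_DIR/${cfg}_sshd_config"
    echo "$cfg: PermitRootLogin=$(effective_permit_root_login "$f")" \
         "root password login possible=$(root_password_login_possible "$f" "$SAMPLE_DIR/shadow_pw")"
done
```

Point the two functions at /etc/ssh/sshd_config and /etc/shadow (as root) to check a live install instead of the samples.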

Kingdomcome (Sr. Member, Posts: 286)
Re: root password vulnerability
« Reply #5 on: March 14, 2010, 04:59:01 PM »
I did not edit the default upstream config; I don't believe it is my place to. What I did was change the extension so that the user must copy the example configs to the correct names and edit them to suit their situation. I also added a warning in the info file that the default sshd_config contains possible security concerns.