Fedora Security :: Encrypted HDD Password Entry Delay?
Apr 12, 2009
I have F10 installed on my laptop with disk encryption enabled. When I boot the machine I get a "Password:" request on screen but can't start typing for 30 seconds or more.Presumably the OS is not ready. This means I have to wait at the keyboard tapping a key until I see asterix. It's a waste of time and frankly a bit clunky for a modern OS. How can I change the behaviour so that the "Password:" request only appears when I can actually type?
View 4 Replies
ADVERTISEMENT
May 5, 2010
Didn't know where to post this as it doesn't really call under desktop or installations haha.Anyway, I have a bit of a problem. I've Installed Ubuntu 10.04 with and encrypted LVM password and it went on ok. When booting up the computer it comes to the screen where you enter your password to unlock the LVM which looks great.However after installing the NVidia graphics driver for the laptop and rebooting, the LVM password entry screen seems to be too big to fit on the screen, not looking very good....
View 5 Replies
View Related
Jan 31, 2010
There was a recent thread in this forum regarding capturing of SSH passwords via the use of wireshark. The thread subject was closed, which is a decision that I both agree with as well as agree with the reasoning behind. The thread, however, raised a point of curiosity and concern that I would like to ask about. Quoting from a the book, SSH, The definitive guide,
The client authenticates you to the remote computer's SSH server using an encrypted connection, meaning that your username and password are encrypted before they leave the local machine. The SSH server then logs you in, and your entire login session is encrypted as it travels between client and server. Because the encryption is transparent, you won't notice any differences between telnet and the telnet-like SSH client.
I was under the impression that SSH was impervious to this type of eavesdropping, and quite frankly I take great comfort in that idea. I personally, only allow RSA keys for SSH access and (hopefully) avoid this problem (?) as a result. Does SSH really have a vulnerability in that the authentication is sent via plain text? How to ensure the security of SSH and not on anything that could be considered a how to 'crack' it.
View 6 Replies
View Related
Apr 25, 2011
I'm running Thunderbird with Enigmail, and I have this very annoying problem. When I open an encrypted email for the first time, it asks me for my key password. It then remembers my password. This is fine for a few minutes, since I don't want to enter the password every time if I look at seven emails in five minutes. However, I WOULD like it to EVENTUALLY forget. At the moment, it doesn't even forget if I shut off Thunderbird. I have to restart my computer, in fact.
The preferences for Enigmail don't help. I've configured it to remember the password for 0 minutes, for example. I don't know how to edit the preferences for gpg-agent or anything else like that.
View 2 Replies
View Related
Mar 10, 2010
When I first installed 9.04 (from scratch), I chose the option to have my entire account encrypted... I used the same password as my login password, and wrote down the key hash that it displayed for me just like instructed... everything was working terrific...Well, yesterday, I wanted to change my account password. I changed my account password, and it took effect immediately (I tested it by using "sudo -s" to see if I could elevate to root from the terminal... worked just fine). Being satisfied with my new password, I shut my computer down...
The next time I started it up and tried to log in to my account, it I put in my username and password and pressed enter, and it accepted it just fine, and started to boot to my desktop... it then immediately prompted me with something about "your session lasted less than 10 seconds, try starting in failsafe mode" or something along those lines, and immediately booted me out and back to the gdm login screen... I thought it was just a glitch so I tried again... same thing... gave me the "less than 10 seconds" prompt and booted me back to the gdm...
I thought maybe my filesystem became corrupted, but I didn't give up... I attempted to login to my fiancee's account, and it worked just fine! Using her account, I was able to quickly and safely boot into her desktop environment with no errors...I opened a terminal and used the "su" command to access my account... When I did this, it gave me some kind of error and told me to run ecryptfs (can't remember exactly which command... now). I ran ecryptfs and put in my NEW password... it told me that the passphrase was incorrect. So just out of curiosity, I ran it again, and this time put in my OLD passphrase, and it worked immediately! At this point, I realized that my gdm login password got changed, but my ecryptfs passphrase did not, and the two were not matching up (I assume that on login, gdm passes this password on to ecryptfs, and that when the two did not match up, it was booting me out with the whole "session lasted less than 10 seconds" prompt...)...
So what I did at this point was, while logged into my girlfriend's account, I "su"'d into my account, and used the passwd command to change my password back to my OLD password... once the password was changed back successfully, I restarted my computer and tried to log into my account from the gdm... worked perfectly this time with the old (original) password...When you change your session password, shouldn't it automatically change the encyrption password to match? Or at the very least, warn you that if your account is encrypted, you must take further steps to make these two passphrases match? Also, what command would I use to change my "ecryptfs" password to manually match my session password?
View 4 Replies
View Related
Nov 27, 2010
I've created encryption systems on servers, but nearly always I have stored the password somewhere on the machine itself. The file is always 0600 to the relevant user, but a systematic analysis of my system could easily find the scripts that invoke decryption and discover the password. (The most blatant example of this is mounting SMB shares with the "-o credential_file" option where both the username and password are plain-text. In the cases where I've used this, the security of the share hasn't particularly mattered.)
Soon I might be faced with storing "patient health information" (PHI in the healthcare world) whose privacy is heavily regulated by the provisions of the US law called HIPAA. I've been thinking about creating an encrypted partition to hold the PHI, but I need a highly fault-tolerant method for obtaining the key from a different machine than tha server itself. At first, I thought about running a script using scp and shared keys to copy the key from the remote, use it to decrypt the partition, then erase it. I'd like to be able to do this with a pipe; otherwise I'll write the key in a non-persistent location like /dev/shm.
I need more than one machine to make this work to ensure I can obtain the key when needed (like at boot). One solution is to place copies of the key on multiple servers and try each of them until I find it. A more elegant solution would place the key in a DNS TXT record. I suspect I could use LDAP for this as well, but OpenLDAP and I have never really been on speaking terms. So does this make sense? I presume I can write a bash script to do all this at boot. Most of what will be stored in this partition is the PostgreSQL database in /var/lib/pgsql and perhaps some other files.
My understanding of encrypted file systems is that they are only encrypted when unmounted. When mounted they must be as visible to the operating system as an unencrypted partition. I suppose you could apply encryption to every single disk transaction, but that would require knowing the key all the time, and would seem to add a lot of overhead.
View 1 Replies
View Related
Oct 26, 2010
I have been connecting to ssh but now it takes longer time to prompt for username and also password.Can any one tell what is the reason why it takes time
View 3 Replies
View Related
Mar 7, 2011
I installed Ubuntu 10.10 64 on my laptop with the entire 500gb setup as encrypted LVM. This has worked well for several months with no problems. During this time i have been backing up the data to an external usb drive (1tb) on a regular basis. The usb drive was not encrypted. So, I thought it would be a good idea to encrypt the backup drive too. I wiped out the backup drive and set it up as one large encrypted lvm and mbr. This seemed to work fine but immediately afterwards I decided to erase that and set it up as encrypted lvm guid instead of mbr. I couldn't delete it while logged into my desktop so i decided to do it from a bootable gparted usb stick. In gparted i erased the 1TB backup drive once again and planned on setting it up the way I wanted once I was logged back into my ubuntu desktop. Now I cant boot into my desktop with the following errors:
cryptsetup: evms_activate is not available b0d) does not begin with /dev/mapper/
Then after waiting for a few minutes I get an error followed by (initramfs)
When booting from a live version of ubuntu the 250MB boot patition is recognized and 500 partion is there but it is labeled as empty/unused.
Also, I did choose to use the exact same passphrase as what is used on the main bootable drive when I set up the encrypted partition on the external 1TB drive.
View 9 Replies
View Related
Jan 5, 2010
I've just started using ubuntu one. However, some of the files I store on there are sensitive so I encrypt them using seahorse. Right click, encrypt etc etc. My question is, is there a way to automatically get the encrypt process to delete the un-encrypted file when it makes the new encrypted copy?
View 6 Replies
View Related
Jul 27, 2011
I just upgraded from F14 to F15 and have a problem with entering the password for the encrypted FS: when booting with the latest entry in the bootloader:
Quote:
kernel /vmlinuz-2.6.38.6-26.rc1.fc15.i686.PAE ro root=/dev/mapper/vg_anonymous-lv_root rd_LUKS_UUID=luks-3ef72221-1165-46a6-ab69-3932e22e9d4f rd_LVM_LV=vg_anonymous/lv_root rd_LVM_LV=vg_anonymous/lv_swap rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=de
initrd /initramfs-2.6.38.6-26.rc1.fc15.i686.PAE.img
[Code]....
View 1 Replies
View Related
Mar 4, 2010
I have installed fedora 11 in my system. While installing it asked me encrypted password which i passed. But I forgot that. Now the problem is whenever i boot my system before going to root itself it is asking for volume encrypted password, which as i told you i have forgot. Now i am not able to access my hard disk since it is completely locked. Is there any way to decrypt the password or unlock it. Or if that is not possible can data be recovered,which is my primary requirement..
View 6 Replies
View Related
Aug 18, 2010
I run fedora 13 on my laptop (dual boot with Windows 7) and I just created a new partion to hold sensible data, encrypted with LUKS. I followed this tutorial for creating it.Now, everything went well and the new partition works well. But I needed something a little different from what the tutorial suggested, because I don't want the partition to be mounted on the system each time it boots, but I would (unlock and) mount it manually when I need it.
To do so I just didn't follow the Tutorial steps from 7 to 13, thinking that without the changes to crypttab and fstab the partition wouldn't be even touched by the start up process. And that's partially true: the partition isn't mapped nor mounted in the system when I boot, but the problem is that it however keeps asking for the passphrase to unlock it even if it doesn't get mounted or mapped.It just asks for it before the system loads all it's parts (udev, filesystems, etc) and I can't understand why, what it uses it for if it doesn't unlock it.So my question is: why does it ask for the passphrase to unlock luks if I haven't set crypttab and fstab to mount the partition on start up?
View 2 Replies
View Related
Dec 2, 2010
I like to do a minimal install, and then run some of my own scripts to install the rest of the packages I need, so to keep a lean system. When installing F14 with a partitioning scheme as follows:
Code:
/boot - 500MB
LVM
- swap - 2048 MB
- / - 15GB
- /home - Rest of file system - Encrypted
Everything works fine and the encryption works with no problem. However, as a friend pointed out to me, if you partition as follows:
Code:
/boot - 100MB/ - Rest of filesystem - Encrypted You are not able to boot the system when doing a minimal install. Meaning: you get up to the point to where you need to enter your password to decrypt the filesystem, and then nothing but..., well, nothing. However, and here it gets interesting, if you use the same partition layout, and you install the "Graphical Desktop", everything works fine. As I can not understand why this happens, I am currently testing a partition setup like so:
Code:
/boot - 100MB
LVM - Encrypted
- / - Rest of filesystem
Just to see if that works.
Anyhow: to make a long story short: It seems that the minimal install "forgets" to add some packages which are needed to decrypt the filesystem. Does anyone know which package this could be or why this occurs, so it can be added as part of the minimal install?
View 4 Replies
View Related
May 20, 2010
Anyone had any experience with unlocking a LUKS encrypted root partition via ssh? It is ok to leave /boot unencrypted.
There are a few pages from google with the debians variants, archived by putting dropbear into initrd.
I like to do that with my fedora/centos remote servers, but struggle to find any resources specific to it. Anyone has any suggestions and thoughts as to what might be a suitable way forward?
View 2 Replies
View Related
May 14, 2010
delay the retry response from SSH (for, say, 10, 20 or 30 seconds) when a bad password is tried by a whacker? I mean, when I'm getting hit by 10 or more break-in attempts, is there some way to make SSH delay the next try from the site that's trying?I seem to remember something about this but haven't been able to find it and, so far, reading the SSH documentation hasn't been
I have DenyHosts running (that puts entries in /etc/hosts.deny after a few tries to break in) and I completely block China, Korea and a few others that are a constant annoyance with IPTABLES but I do get hit pretty much every day and would like to discourage the bastards as much as possible (the hits are a second or so apart which tells me they're automated and I figure delaying the response will discourage 'em).For example, here's the overnight entries from /var/log/messages (the "refused connect" are from /etc/hosts.deny entries generated by DenyHosts):
Code:
May 13 03:49:50 fubar sshd[30255]: refused connect from 200.49.226.12 (200.49.226.12)
May 13 03:51:27 fubar sshd[30256]: refused connect from 200.49.226.12 (200.49.226.12)
[code]....
View 12 Replies
View Related
Feb 22, 2010
Before upgrading to Lenny there was no noticeable delay between entering a username & the prompt for a password when logging in via ssh. Now there is about a 5-second delay which is rather annoying. There is no delay when logging in through the Gnome UI. Anyone know why the delay is there? Is it something about ssh under Lenny? Is there a setting that can be changed?
View 1 Replies
View Related
Jan 21, 2009
I need a FREE solution that can image an entire Luks system encrypted volume and the rest of the used HDD, the MBR and /boot partition. Note: MBR and /boot are not encrypted. Note 2: I want to be able to restore entire drive from image with only a couple of steps. Note 3: Destination HDD space is a factor. Image file must be compressed and the image file must be around 40 to 50 GB or less. The smaller the image the better.
I have used clonezilla live cd before but not for encrypted volumes. I know you can install it in Linux. But, I don't know how to configure it after installation. I would be very happy if someone could tell me how to configure clonezilla in Fedora. How to guides are also welcome. I have one more question. If I image the encrypted volumes and all the stuff I mentioned above while logged in to Fedora, and I restore the drive from the image, will the recovered drive still be encrypted?
View 8 Replies
View Related
Apr 27, 2010
Does anyone know a method for setting the timeout period for failed logins on Linux RHEL5.x systems? Linux docs say to set the failed login delay paramter in /etc/login.defs to the desired seconds. I did this, but the settings have no effect, ie weather set to 2,4,10, etc, the actuall failed login timeout period(which I verified with a stopwatch), never changes.
View 1 Replies
View Related
Jan 15, 2011
Question: Installation had me entering my password many times, seemed like for most everything I did during install & setting up the desktops. It was a little frustrating compared to what I was used to with Ubuntu. I know this frequency will reduce once settled in although Linux and "fiddling" go together so some will continue. When using Ubuntu I was able to set that up to bypass some password need, not all. I was hoping there are options for that with Debian but my efforts all day yesterday failed to find any. I am not looking to eliminate password use entirely and I don't expect it to be just like Ubuntu either, however...
My main areas of frequent password use that are new to me with Debian Squeeze are:
1)All partition mounting. Using Ubuntu I edited fstab using a tool called "Storage Device Manager" so that only myself, not "users", had full read-write access to all partitions at boot time. However, none of those fstab codes or any new ones that I tried seemed to work in Squeeze. Besides Squeeze, I have two ntfs and one ext3 partition to access. Example: my music files are on an ntfs partition and I have to enter a password to listen to music.
2)Opening a root nautilus folder. In Ubuntu I made a custom application launcher with "gksu nautilus" and that gives you a no-password one-click access. In Squeeze, I enter a password every time.
3)Reboot & Shutdown. This one surprised me. Every reboot or shutdown requires my password unless I logout first but that adds a step. It may have something to do with a second desktop I installed (kde), I'm not sure. I tried making a script linked to an application launcher that runs "init 0" but that asked for my password too.
I'd like to be able to do 1,2 & 3 above without password entry other than maybe at the main log-in.
About me: This is my first post here, and am trying to be courteous. I checked the DebWiki, Google & this forum for answers. I found a little about ntfs partitions and saved it to a file. My situation is a Debian beginner but using Ubuntu for 7 or 8 months. My technical skills are mid-range. I use Debian on a newer dell laptop with Intel chipset and Intel CPU, triple booting Windows 7, Ubuntu 10.10 and Debian-Sqeeze-di-rc1-amd64. I installed using DVD #1, and made a local repository with DVD 1&2 and added a second kde desktop. Gnome Debian is my favorite now, it runs very well and will probably replace Ubuntu as my primary OS. Everything works that I can tell, except the Software Sources GUI does not load but I go into the source.list file and edit it manually.
View 6 Replies
View Related
Dec 3, 2010
When ever I log on to Ubuntu 10.10 I have to enter my password twice (three times if there's a time lag and the screensaver kicks in). This is very annoying, I didn't need to do that with previous versions
View 3 Replies
View Related
Apr 20, 2010
I wish to allow a user to use sudo to run a single command (service app status) to determine if my application app is running, in my sudoers file i have: user ALL= /sbin/service app status I understand that there is a parameter called timestamp_timeout that will set the timeout for the 'user', but requires at least 1 entry of the root password.
I wish to allow the user to do "sudo service app status" and not have to enter the root password ever(maybe once is ok), but still make the user enter the root password for all other root activities. Is there a way to prevent the password entry for this command only and no others?
View 3 Replies
View Related
Oct 20, 2010
I'm getting error messages or a password querry withouht entry box, if i want to apply admin changes on my system in gui tools
e.g.Software Center
Language Settings
free - gdm settins
users & groups
gksu and sudo are working with my user - it was the 1st user on the system, today i got the following message:
Quote:
org.freedesktop.PolicyKit.Error.NotAuthorized: ('system-bus-name', {'name': ':1.122'}): org.debian.apt.install-or-remove-packages
and sometimes the box apears multiple times and shakes like it does if entering a wrong password - and ends up with failed I'd be pleasant to get some help as it looks like most of the people in the german IRC don't know what to do as they thought like me these software parts would use gksu
View 2 Replies
View Related
Jul 23, 2010
Now I managed to get iptables to work with my OpenVZ configurations and everything seems to work as it should. However when I run iptables -L I can only see source for the second SSH rule, why isn't the first ones source/IP shown? Also if you have any comments about the setup feel free. I'm running SSH, Apache and local MySQL
The xxx.xxx is simply to hide my IP's
Code:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -p tcp --dport 22 -s 77.213.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 62.198.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -j REJECT
iptables -A INPUT -j DROP
View 6 Replies
View Related
May 11, 2011
After GRUB 2 comes up (I'm running Ubuntu 10.10) and I choose the OS to boot, there is about a 5 second delay where nothing appears to happen after I make the selection -- no disk activity. It happens consistently every time I boot. Again, this is after I choose the OS to boot, so it shouldn't have anything to do with the standard delay to allow me to choose the appropriate OS.Is there a good way to troubleshoot this and determine what is causing the delay?
View 4 Replies
View Related
Nov 8, 2010
I have a .rar in my Downloads, I want to unrar this file to my Music folder, but the .rar is encrypted and requires a password.
I've tried a few commands like this:
Code:
But it tells me no files to unrar.
View 3 Replies
View Related
Aug 9, 2011
I'm trying to work on the SmashTheStack wargame on Ubuntu, and I'm stuck at level 1 with using John the Ripper (JTR). I got the encrypted password and was able to run JTR on it using
Code:
but the output is
Code:
I'm pretty sure that the 'trying:' part is supposed to be the attempted passwords, but this one doesn't work, and this is the only one that gets output. When I run
Code:
I get
Code:
Which I'm guessing means that nothing happened.. what am I doing wrong, and how can I get it to work?
View 1 Replies
View Related
Jun 11, 2010
When I boot Ubuntu 10.04 then at first the login screen appears with the main user
"Peter"
and
"other..."
In 99% of the cases I use "Peter" and have explicitely to click on Peter. Only then the password entry field appears and I can enter it.
This is somehow user unfriendly. Can I define somehow a default user (here: Peter) and show immediately the password entry field (and place the cursor inside)?
View 2 Replies
View Related
Feb 9, 2010
Simply, the number of possible combinations of passwords increases as an exponent of the number of characters used and as a factor of the number of characters available for use.
26 potential characters for a 2 character password results in 26^2 possible password combinations. This means that each new character added would result in an "order of magnitude" increase in the difficulty of brute force attack.
Using a phrase, complete with punctuation and capitalization is the very best mnemonic device to remember a password. Consider this, how hard is it to remember; The quick brown fox jumped over the lazy dog.
Than it is to remember, l33tsp34kp@ssw0rd
If we pretend that both of these passphrases are generated from a character set consisting of 26 characters, the first would be one of a possible 15274273784216769021564085930704478424313742483024 510976. The second would be one of a possible 1133827315385150725554176.
In short, use a passphrase not a password, they are much MUCH more secure.
View 14 Replies
View Related
Jan 22, 2011
I tried the following instructions to set up "ssh without passwords". But this didn't work.Could someone please tell how to debug this.
View 11 Replies
View Related
May 21, 2010
So in an environment where I have 40+ sets of completely unique sets of logon credentials. The only way I've been able to manage this is by keeping them in a hidden and heavily encrypted text file in my home dir.Would like to hear alternatives to this approach if there are any, BTW. Right now I have a script that automates the process of un-encrypting the file, launching an editor and then clean-up with shred -u after editing and re-encrypting.
What bugs me is the interim where I have the file in an un-encrypted state on my drive. It doesn't seem necessary. I have a view script that allows me to see what's in the file without saving it to the drive.
View 2 Replies
View Related
