Stumped on this one. I'm trying to set up limited sudo authority on a desktop with some sensitive user data, and as an extra precaution I wanted to configure sudo to use a password other than the user's or the root's. I'm not sure how to do this. From the manual, we have a few options, such as "runaspw" or "targetpw", but none seem quite what I'm looking for.For instance, "runaspw" could be used if I created a user for nothing other than sudo(ing) purposes, but it requires you set "runas_default", which means that said user would have to have authority to execute said commands in the first place. This is workable, but seems like a lot of extra configuration for each specific command that I want to run, as well as creating some issues with simply commands such as "shutdown" or "reboot". Also, "targetpw" can be used in conjunction with a sudo(ing)-only user if I set an alias, but, again, this isn't quite what I am looking for.
Ultimately, what I am really concerned about in this situation are keystroke loggers, so I would prefer to avoid repeated entering the user or root password when performing administrative tasks. Also, I would prefer not having to create a sudo(ing)-only user as mentioned above to prevent a comprimised password resulting in an attacker being able to log into my system.
I'm trying to figure out why my industrial appliance (x86, running kernel 220.127.116.11 and OpenSSH_4.3p2 / OpenSSL 0.9.7m) accepts ssh connections without asking for a password (even for root)!When I log on to the local console as root I have to enter a password but strangely this prompt won't appear using a ssh connection (although I'm not using any client certificates).Of course that not acceptable but I just can't find the related configuration entry to disable this "password-less" authentification.Is this related to the sshd or has it something to do with the PAM module?
- Update -> While looking at /var/log/secure, I've found the following lines: Jul 18 16:55:07 localhost sshd: Accepted none for root from XXX port 6393 ssh2
When I go to single user mode for resetting root password, It ask root pawssword for login.The message displayed on prompt is "Give root password for login.On the boot prompt, I select kernel and press 'e' and after one space type 1 for single User mode and then press 'b' for booting.It shows message entering in single user mode but ask root password. Even I tried into rescue mode, but I couldn't ser root password.In rescue mode on prompt, It shows rescue login: I typed root, But when typed 'passwd' foe resetting root pawssword,It shows message unknown user and not authetication.
I want to enable sshd from Internet, but I want to secure it as much as possible.Therefore, despite the fact that the service will run on a tcp port above 2000 to prevent most scans, I would like to :- First, force the use of a client certificate, to avoid brute force attack on my users/passwords- second force the use of a username/password to avoid someone having access to my system just by stealing my key..When I look at the configuration, it's possible to enable both, but one of them is sufficient to login, but I can't find how to make them both mandatory...
I'm using Gnome and I'd like to still have the ability to reboot/shutdown from one particular account as well as root. How would I modify the chmod command to add this ability?Also, I have a few users who just will hold the power button in to shutdown the machine. How can I keep them from doing this?// Pruned from the vintage 2007 Prevent a non-root user from shutting down, rebooting or suspend the system thread. Please create new threads instead of resurrecting ancient ones.
I've been using ssh for a LONG time to connect my laptop to my desktop with no problems. I use a non-standard port (nnnnn) and keys. After a power outage that caused a shutdown and reboot, I can no longer ssh into the desktop. The only changes I've made are updates (laptop and desktop both running ubuntu 10.04).
$ ssh -p nnnnn Desktop ssh: connect to host Desktop port nnnnn: Connection refused No messages are generated in any of the logs on Desktop! $ /usr/sbin/sshd -T port nnnnn protocol 2 addressfamily any listenaddress 0.0.0.0:12023 listenaddress [::]:12023 .....
I no longer have access to my root desktop. On a session I attempted to change the root username but i apparently assigned it a wrong directory that does not exist. When I rebooted with my new root username, i was instead recognised as a simple user (no root privileges). I tried the console to change to "old" root but root password is not accepted and there is no way to access to sudoer files. it seems that inserting a new username requires root privileges and i am back to square one. Simply logging with old root username and password after restart gives me a blank screen with nothing on it and cannot even reboot.
At the RHEL prompt, I entered the standard user's username/password combo. Linux displays a message box stating:"Your account has expired; please contact your system administrator."Next, I entered "root" in the username field and entered the root password (which expired also--keep in mind that passwords are set to expire after x days). Linux displays a message box stating:"You are required to change your password immediately (password aged)."When prompted to "Enter current UNIX password", I entered the new password (was that the right thing to do?); Linux displays a message box stating:"The change of the authentication token failed. Please try again later or contact the system administrator."I rebooted the system and got into command line mode; somehow I logged in as "root" (don't know exactly how, but needed to change the password there). At the "#" prompt, I type "passwd root"; Linux displays the message "Changing password for user root", followed by the message "passwd: Authentication information cannot be recovered.
A friend of mine has told me to set a root password and use root (f.e. switching to su in terminal and work with root rights instead).Is there any way to unset the root password? I know how to use sudo now.
I found this on Bee's website. For more info on this exploit there are links there:[URl]..All you have to do in Fedora 13 is enter the following lines in a shell as normal user:
I don't think this can be considered solely an "upstream" problem, because I first tried it in Arch using the same version of glibc, and the final command causes both gnome-terminal and xterm windows to disappear.
I have recently set up two machines with F14 and on both, I am completely unable to make remote login via SSH work. openssh-server is installed and seems to work well:
I have already worked for hours on the problem now, using Google and trying numerous things, and still could not find any solution. On my other machine, which still uses F13, remote login works just fine. Is there any change in the default behaviour of the sshd I am not aware of? I would really appreciate your assistance!
Protect against root password change[Log in to get rid of this advertisement]I have recently had to force a change of the root password on a linux box I was running. It was a test system which I had not used in a while, so I forgot the root password (not so smart).Anyway, I found that it was amazingly easy to reset the root password. Here is a straight forward article on how to do it.URL...
My question is: how can you protect against this? I see this as a security hole.I understand that the user must have physical access to the computer, but if I want to lock the system down so you cannot easily enter single user mode or the root password cannot be changed.
We have a couple of clusters that are running Oracle. If you're familiar with Oracle you know that it basically has to be installed as root. Something I detest. anyway, when we are building out the box, we change the root pw and give it to the DBA team to do their installs and configs. When they are done, we change the root pw (and do not give it to them), and configure sudo to allow them the rights needed to manage Oracle and their databases.
Now however, we have a different situation. The DBAs need access to uninstall and reinstall components and make modifications on an ongoing basis. Since we only support OS and hardware, not app, they are requesting permanent root access. I promptly told them no, and the politics ensued. Their manager went to their director, who went to my director, and suddenly an exception is given for his good golfing buddy. So here I am, forced to turn lose DBAs on my clusters with full root access/pw. I need a way to allow specific users (or perhaps a specific user group) the ability to become root WITHOUT sharing the root pw with them.
I'm on Squeeze with KDE 4.4.5. Basically, I can use my password for things like logging in, or authenticating on a shell with sudo successfully. But in other cases, I am asked to "become root", and when I enter my usual password, I'm told to check if I entered my password correctly. This happens with Aptitude (terminal GUI), for example: from Actions, I try to update the package list, and when I enter my password, I can read su: Authentication failure. However, if I start Aptitude by typing kdesudo aptitude on Konsole I can enter my password in the authentication box successfully, and use Aptitude with administrative privileges.
The example is valid also for other applications, such as System Monitor: just for the sake of the example, if I try to stop a process owned by root, say Aptitude, I'm asked for a password to become root, but my password doesn't do the trick. I'll have to open it from terminal with kdesudo ksysguard, then I'll be allowed to kill that process. Does it have anything to do with my choice at installation? I think I must have chosen to leave the root password field blank, and only entered my password as a user, for it explained I could become root anytime if there was need to with sudo.
I am running Fedora 12 as Guest OS in VMware Player. I installed Fedora 12 by using a Prepackage VM . The root user name and p/w was supplied by the person who made this appliance. Is there way for me to change root user name and pw
I want to use root password instead of adding my user to the list of sudoers,In Arch wiki ander Root password:Users can configure sudo to ask for the root password instead of the user password by adding "rootpw" to the Defaults line in /etc/sudoers: but that did not work for me. it asks for root password.Why do I want to do that: 1. I want to do that, I like sudo more than su -c 'some_command'. 2. sudo enables bash completion, su -c does not. 3. I don't want to add my user to sudoers list.
I found many users Suggesting alternatives and lowering the important of my need for this, when I asked this question in anther please.
I want to run zypper without being asked for the root password. So I added the commands to the sudoers file:
Code: # User alias specification User_Alias ADMIN = XXXX #note: this is not real username. # User privilege specification root ALL = (ALL) ALL ADMIN ALL = NOPASSWD:/usr/sbin/vpnc ,/usr/sbin/vpnc-disconnect ,/usr/bin/zypper ref ,/usr/bin/zypper up
But I'm still being asked for password. I should note the the vpnc commmand is working as expected.
Is this a Fault on my part or a bug?? (not sure if this is the right place for this let me no if not i'll move it I want to add a user to Group "freevo" but if i open User settings via the GUI menus and click on the keys button to enter the root password it keeps coming back to me saying that the password is wrong even though it is'nt (and cap's is off).
So i try the terminal "user-admin" and had the same problem wrong password So i try'd "sudo user-admin" and entered the password at the command line and up pops the User settings GUI with root privileges
Found a major security hole in one of my more crucial linux servers today. (Only locally) I can use the user name "root" and any string for the password. So I can literally type "poop" as the password and the server lets me in. I know how to set root password settings for SSH and sudo, but where are settings located for local access that would allow something like this?