Ubuntu Security :: 9.04 Jaunty Encrypted Account And Password Changing?
Mar 10, 2010
When I first installed 9.04 (from scratch), I chose the option to have my entire account encrypted... I used the same password as my login password, and wrote down the key hash that it displayed for me just like instructed... everything was working terrific...Well, yesterday, I wanted to change my account password. I changed my account password, and it took effect immediately (I tested it by using "sudo -s" to see if I could elevate to root from the terminal... worked just fine). Being satisfied with my new password, I shut my computer down...
The next time I started it up and tried to log in to my account, it I put in my username and password and pressed enter, and it accepted it just fine, and started to boot to my desktop... it then immediately prompted me with something about "your session lasted less than 10 seconds, try starting in failsafe mode" or something along those lines, and immediately booted me out and back to the gdm login screen... I thought it was just a glitch so I tried again... same thing... gave me the "less than 10 seconds" prompt and booted me back to the gdm...
I thought maybe my filesystem became corrupted, but I didn't give up... I attempted to login to my fiancee's account, and it worked just fine! Using her account, I was able to quickly and safely boot into her desktop environment with no errors...I opened a terminal and used the "su" command to access my account... When I did this, it gave me some kind of error and told me to run ecryptfs (can't remember exactly which command... now). I ran ecryptfs and put in my NEW password... it told me that the passphrase was incorrect. So just out of curiosity, I ran it again, and this time put in my OLD passphrase, and it worked immediately! At this point, I realized that my gdm login password got changed, but my ecryptfs passphrase did not, and the two were not matching up (I assume that on login, gdm passes this password on to ecryptfs, and that when the two did not match up, it was booting me out with the whole "session lasted less than 10 seconds" prompt...)...
So what I did at this point was, while logged into my girlfriend's account, I "su"'d into my account, and used the passwd command to change my password back to my OLD password... once the password was changed back successfully, I restarted my computer and tried to log into my account from the gdm... worked perfectly this time with the old (original) password...When you change your session password, shouldn't it automatically change the encyrption password to match? Or at the very least, warn you that if your account is encrypted, you must take further steps to make these two passphrases match? Also, what command would I use to change my "ecryptfs" password to manually match my session password?
View 4 Replies
ADVERTISEMENT
Aug 3, 2010
I already posted a topic similar to this concerning the Desktop OS version, but this deals with the Netbook because unlike the Desktop, the Netbook is less cooperative. Allow me to elaborate: Today (or rather yesterday since it's not after midnight where I am), I changed my password because I was hopelessly confounded about how to get my Wireless Network card up and running after it had been installed and I was allowing my dad to use it. This issue has since been resolved, however...
When I chose my password during the original installation, there was no mention of it being "too simple." This is where the Desktop OS and the Netbook OS differ. The desktop will let me change it in the terminal without any errors. The Netbook will not. When I've attempted to revert it back to the original, it will not let me do so in the User Profile or in the Terminal. The Passwords and Encryption Keys application also does not appear to help.
So now even after I've changed it to a different "complicated" password I am still prompted to insert two different passwords since I changed my user password but I am unable to change the password I input during the installation. A bit screwy methinks. This is extremely important. I'd like to know how to change the original installation password.
If I can't change the main password on my laptop then this is a serious potential security breach just waiting to happen (especially since it's on a laptop and I will be hauling it around with me) and I will most likely install a different OS if this isn't resolved --- It would be very unfortunate since I spent the whole day fixing it and I really enjoy the interface. Luckily I can live with this on my Desktop since I'm not going to be hauling it around with me everywhere when the school year starts.
View 9 Replies
View Related
Jan 31, 2010
There was a recent thread in this forum regarding capturing of SSH passwords via the use of wireshark. The thread subject was closed, which is a decision that I both agree with as well as agree with the reasoning behind. The thread, however, raised a point of curiosity and concern that I would like to ask about. Quoting from a the book, SSH, The definitive guide,
The client authenticates you to the remote computer's SSH server using an encrypted connection, meaning that your username and password are encrypted before they leave the local machine. The SSH server then logs you in, and your entire login session is encrypted as it travels between client and server. Because the encryption is transparent, you won't notice any differences between telnet and the telnet-like SSH client.
I was under the impression that SSH was impervious to this type of eavesdropping, and quite frankly I take great comfort in that idea. I personally, only allow RSA keys for SSH access and (hopefully) avoid this problem (?) as a result. Does SSH really have a vulnerability in that the authentication is sent via plain text? How to ensure the security of SSH and not on anything that could be considered a how to 'crack' it.
View 6 Replies
View Related
Apr 25, 2011
I'm running Thunderbird with Enigmail, and I have this very annoying problem. When I open an encrypted email for the first time, it asks me for my key password. It then remembers my password. This is fine for a few minutes, since I don't want to enter the password every time if I look at seven emails in five minutes. However, I WOULD like it to EVENTUALLY forget. At the moment, it doesn't even forget if I shut off Thunderbird. I have to restart my computer, in fact.
The preferences for Enigmail don't help. I've configured it to remember the password for 0 minutes, for example. I don't know how to edit the preferences for gpg-agent or anything else like that.
View 2 Replies
View Related
Dec 27, 2010
i use ubuntu 10.04, is there a way to set two passwords for 1 user account
View 2 Replies
View Related
Nov 27, 2010
I've created encryption systems on servers, but nearly always I have stored the password somewhere on the machine itself. The file is always 0600 to the relevant user, but a systematic analysis of my system could easily find the scripts that invoke decryption and discover the password. (The most blatant example of this is mounting SMB shares with the "-o credential_file" option where both the username and password are plain-text. In the cases where I've used this, the security of the share hasn't particularly mattered.)
Soon I might be faced with storing "patient health information" (PHI in the healthcare world) whose privacy is heavily regulated by the provisions of the US law called HIPAA. I've been thinking about creating an encrypted partition to hold the PHI, but I need a highly fault-tolerant method for obtaining the key from a different machine than tha server itself. At first, I thought about running a script using scp and shared keys to copy the key from the remote, use it to decrypt the partition, then erase it. I'd like to be able to do this with a pipe; otherwise I'll write the key in a non-persistent location like /dev/shm.
I need more than one machine to make this work to ensure I can obtain the key when needed (like at boot). One solution is to place copies of the key on multiple servers and try each of them until I find it. A more elegant solution would place the key in a DNS TXT record. I suspect I could use LDAP for this as well, but OpenLDAP and I have never really been on speaking terms. So does this make sense? I presume I can write a bash script to do all this at boot. Most of what will be stored in this partition is the PostgreSQL database in /var/lib/pgsql and perhaps some other files.
My understanding of encrypted file systems is that they are only encrypted when unmounted. When mounted they must be as visible to the operating system as an unencrypted partition. I suppose you could apply encryption to every single disk transaction, but that would require knowing the key all the time, and would seem to add a lot of overhead.
View 1 Replies
View Related
Apr 12, 2009
I have F10 installed on my laptop with disk encryption enabled. When I boot the machine I get a "Password:" request on screen but can't start typing for 30 seconds or more.Presumably the OS is not ready. This means I have to wait at the keyboard tapping a key until I see asterix. It's a waste of time and frankly a bit clunky for a modern OS. How can I change the behaviour so that the "Password:" request only appears when I can actually type?
View 4 Replies
View Related
Oct 6, 2010
I'm trying to configure a process triggered by an SVN post-commit hook which will log into a different host and carry out an SVN update on a file path on that host before exiting. An earlier attempt mounted the remote filepath on the SVN host using sshfs and performed the update locally. This worked but it was incredibly slow (minutes to complete an SVN update).
So, Plan B was to set-up a passwordless login for the user the script runs as and then use pam-script to script a checkout from a repository using the same credentials. The problem is, passwordless SSH login using private/public keys appears to bypass the PAM authentication system or at least interact with it in a way that no environment variables (including the SSH user's name and pass) are resolved by the authentication script being used by pam-script.
I've tested the pam-script behaviour for normal log-ins and it exposes these variables fine. This leaves me in a Catch-22 with trying to script access on one host to perform actions on another while avoiding user/pass prompts or the need to store plaintext passwords on the remote host.
Anyone know if there's a way to resolve a user account password via PAM when using passwordless SSH or, another approach I could take to perform scripted tasks on the remote system requiring authentication? Ideally without storing the passwords on the remote system (at least in unencrypted form).
View 1 Replies
View Related
Nov 12, 2010
I remember my password very well and have no need of password recovery. Everywhere I look it's how to recover and I don't want that. The kind where you boot into root recovery console to change the password.
View 4 Replies
View Related
Feb 15, 2011
I suppose that my main Linux user account password serves as my SSH password as well. Is there a way I can modify this? As it turns out, I'd like to have a REALLY secure SSH password for obvious reasons, but a less secure local password, as it makes typing in passwords a heck of a lot easier on a machine. Is there a way I can change my account password in SSH without changing my Linux user password?
View 2 Replies
View Related
May 17, 2010
Is it possible to change the log in password? Someone set this up for me and the password is too simple.
View 5 Replies
View Related
Jul 8, 2010
I installed IPlist earlier today on my main/admin account (which I only use for installing programs. I don't use this account daily.) and everything was fine. When I logged into my every day account and tried to load the program, it prompted me for my password. When I entered it, I got this message:Quote:Failed to run /usr/sbin/ipblock start_gui as user root.The underlying authorization mechanism (sudo)t allow you to run this program. Contact the system administrator.Does this mean I am not able to use this program on this account, or is there a way around it? I'm new to Ubuntu so forgive me if I'm asking the obvious. I looked around and couldn't find an answer. I really don't want to use my admin account for daily activities, but I also really want to be able to use IPlist
View 2 Replies
View Related
Oct 19, 2009
When I installed Fedora selected the option to encrypt the hard drive. I want to change the passphrase, is there a way to change the passphrase, or do I have to re-install Fedora?
View 3 Replies
View Related
Jul 17, 2010
I use the following method for preventing the users from changing their passwords , is there any other method other than this ?ls -l /usr/bin/passwd-rwsr-xr-x 1 root root 37140 2010-01-26 12:09 /usr/bin/passwdso we need to remove the suid for that command as follows :- chmod u-s /usr/bin/passwdnow normal users won't be able to change their own passwords - and only the root user will be able to do it for them.
View 9 Replies
View Related
May 11, 2010
I want the users to access servers via ssh public key only. By default they don't know their initial password and do need to change that when performing administrative tasks.For changing their passwords without knowing the old they need to switch to root for this special case.The only case it seems I don't have control is that users can not only change their password but also the password of other peoples. Does someone sees a solution (without apparmor/selinux and special /usr/bin/passwd.sh) to restrict users to only change their password?I miss the feature of using environment variables in sudoers file.
View 9 Replies
View Related
Mar 7, 2011
I installed Ubuntu 10.10 64 on my laptop with the entire 500gb setup as encrypted LVM. This has worked well for several months with no problems. During this time i have been backing up the data to an external usb drive (1tb) on a regular basis. The usb drive was not encrypted. So, I thought it would be a good idea to encrypt the backup drive too. I wiped out the backup drive and set it up as one large encrypted lvm and mbr. This seemed to work fine but immediately afterwards I decided to erase that and set it up as encrypted lvm guid instead of mbr. I couldn't delete it while logged into my desktop so i decided to do it from a bootable gparted usb stick. In gparted i erased the 1TB backup drive once again and planned on setting it up the way I wanted once I was logged back into my ubuntu desktop. Now I cant boot into my desktop with the following errors:
cryptsetup: evms_activate is not available b0d) does not begin with /dev/mapper/
Then after waiting for a few minutes I get an error followed by (initramfs)
When booting from a live version of ubuntu the 250MB boot patition is recognized and 500 partion is there but it is labeled as empty/unused.
Also, I did choose to use the exact same passphrase as what is used on the main bootable drive when I set up the encrypted partition on the external 1TB drive.
View 9 Replies
View Related
Jan 5, 2010
I've just started using ubuntu one. However, some of the files I store on there are sensitive so I encrypt them using seahorse. Right click, encrypt etc etc. My question is, is there a way to automatically get the encrypt process to delete the un-encrypted file when it makes the new encrypted copy?
View 6 Replies
View Related
Dec 18, 2010
i changed my account password but now when i log in a keychain manager pops up and asks for the old password to join wifi.
how can i update the keychain password to match the account password?
View 5 Replies
View Related
Nov 25, 2010
I've done something a bit stupid. I've already encrypted my home folder and just set it to log in without requesting my password. When i do log in now, no startup sound plays, several error messages appear but no desktop. I think it's because I now don't have an opportunity to enter my home folder password, and it doesn't work at all. Is there any way to edit account settings from 'root' or anything because this really has crippled my computer.
View 2 Replies
View Related
Jul 12, 2011
I use kmail for fetching and sending mails from my gmail account. The inbox stuffs are saved in ~/.kde/share/ apps/kmail/mail/inbox . It is not saved in encrypted form. One can open it with any editor. Is there a way to make kmail save those fetched messages in encrypted form and when I open the kmail it will show me those mails in decrypted form?
View 1 Replies
View Related
Jan 9, 2010
Been using since summer 2009 the xserver no backfill from PPA: [URL] and it was working fine with my ATI video card. No heavy CPU usage when restoring from minimized and a general performance boost were the results of that use.But recently made an upgrade and realized that xserver-xorg-core package (check it from synaptic manager) has been upgraded to a jaunty-proposed version and the problems started to appear again!So using Synaptic I selected this package and hit CTRL-E key in order to choose the nobackfill version. This way things got back to normal!
View 2 Replies
View Related
Nov 8, 2010
I have a .rar in my Downloads, I want to unrar this file to my Music folder, but the .rar is encrypted and requires a password.
I've tried a few commands like this:
Code:
But it tells me no files to unrar.
View 3 Replies
View Related
Aug 9, 2011
I'm trying to work on the SmashTheStack wargame on Ubuntu, and I'm stuck at level 1 with using John the Ripper (JTR). I got the encrypted password and was able to run JTR on it using
Code:
but the output is
Code:
I'm pretty sure that the 'trying:' part is supposed to be the attempted passwords, but this one doesn't work, and this is the only one that gets output. When I run
Code:
I get
Code:
Which I'm guessing means that nothing happened.. what am I doing wrong, and how can I get it to work?
View 1 Replies
View Related
May 5, 2010
Didn't know where to post this as it doesn't really call under desktop or installations haha.Anyway, I have a bit of a problem. I've Installed Ubuntu 10.04 with and encrypted LVM password and it went on ok. When booting up the computer it comes to the screen where you enter your password to unlock the LVM which looks great.However after installing the NVidia graphics driver for the laptop and rebooting, the LVM password entry screen seems to be too big to fit on the screen, not looking very good....
View 5 Replies
View Related
May 8, 2010
I've set up a Lucid system with software RAID and encryption, with three encrypted partions - swap (/dev/md1), the root filesystem (/dev/md2), and /home (/dev/md3). The unencrypted /boot partition is /dev/md0.
This works well but the passphrase had to be entered three times at bootup. Obviously it would be preferable to enter the passphrase once to unlock the root partition, then have the others unlocked via key files. So I added key files to the swap and home partitions and modified /etc/crypttab to use them:
Code:
md1_crypt UUID=8066adbc-584c-4766-b188-bc2a7b61a2f0 /root/keys/swap-key luks,swap
md2_crypt UUID=bac82294-f3b9-45e4-89ad-407cf8b19b7b none luks
md3_crypt UUID=7d82a0b7-c811-4cc3-9fe7-1961c74b5ff2 /root/keys/home-key luks
The key files are owned by root and have 0400 protection. (The /root/keys
[Code].....
Since the swap partition is no longer referenced in fstab or crypttab, why is there still a bootup password prompt for it? What else needs to be done to stop it?
View 1 Replies
View Related
May 14, 2010
I want to have /boot as an ext2 (I don't need journaling and I might want to undelete something) and all other partitions in an LVM.When the server starts it will prompt me for the LVM password. I would like to be able to contact the server using SSH (or using another secure method) and tell the password. Since /usr/sbin and all the other partitions are inside the LVM I guess I have a problem?
Is it possible to setup something like this? The SSH session for the LVM authentication does not have to be a daemon. It can be something which just sits and waits until I connect and input the password. And then the "real" SSH deamon kicks in.
View 3 Replies
View Related
Feb 6, 2011
I installed 10.10nbr on my wife's eee 901. Now she cannot remember her password. I've tried booting to recovery to use the passwd command, but that does not work. I believe I encrypted the home folder when I installed. Normally if I don't encrypt home, then I enable auto-login.
View 4 Replies
View Related
Apr 20, 2010
I remember that some time ago I found a guide on the Ubuntu website about adding samba shares to mount at boot via /etc/fstab. The guide also mentioned using a credentials file to store the username and password.
However, the password was encrypted (in md5 I think) and it could not be read directly, but it still worked with fstab mount. If I remember correctly, the file contents were similar to this:
Code:
useraname = user
password = --md5
where was replaced by the encoded password. All was done in terminal. Recently I changed computers, and re-installed Ubuntu, but I forgot to save that file so I am not sure about the contents. I would like to know how to do this again, but I can't find the guide anymore. Does anyone know how to do this? Storing the password in plain text in file readable only by root is not acceptable because it can be read by someone mounting the drive from other operating system, and the share cannot be mounted/unmounted by regular users (which is possible with the md5 encrypted password).
View 1 Replies
View Related
May 21, 2010
So in an environment where I have 40+ sets of completely unique sets of logon credentials. The only way I've been able to manage this is by keeping them in a hidden and heavily encrypted text file in my home dir.Would like to hear alternatives to this approach if there are any, BTW. Right now I have a script that automates the process of un-encrypting the file, launching an editor and then clean-up with shred -u after editing and re-encrypting.
What bugs me is the interim where I have the file in an un-encrypted state on my drive. It doesn't seem necessary. I have a view script that allows me to see what's in the file without saving it to the drive.
View 2 Replies
View Related
Feb 28, 2010
I just installed CentOS 5.4 (x86_64) and I encrypted my /home /var /tmp and /mnt/Storage partitions, along with my swap partition. My only complaint is that when I boot, I have to enter my password 4 times, and I did not pick a short password. The password is the same for all 4 partitions. Is there anyway I can set things up so I can just type my password once? Once I get everything set up, I won't be booting that often, but right now it is a PIA.
View 2 Replies
View Related
