LinuxQuestions.org


jev-bird 11-19-2004 01:33 PM

Help! root has two passwords!
 
Is it possible for root or any other user to log in with two different passwords?

Let's say your passwd is "boyz&girlz" and you can also log in with "girlz&boyz"?

iago 11-19-2004 01:57 PM

It's theoretically possible for an account to have many different passwords due to "collisions" in hashing.

For example, this is from /etc/shadow on my laptop:
test:$1$WuG1uFab$UqIHwmx/gSMkk05dNUohn/:12741:0:99999:7:::

It's possible that the encrypted password, "$1$WuG1uFab$UqIHwmx/gSMkk05dNUohn/", is also the encrypted version of another string.

I don't think it's possible to do it intentionally, though, but I could be wrong about that.

bignerd 11-19-2004 02:10 PM

To put iago's response into perspective... he is absolutely correct in that it is theoretically possible to have a collision in the linux password hash. Linux by default uses md5 with a salt. md5 has been theorized by field professionals to have a collision weakness. SHA-1 on the other hand has not to my knowledge ever had this statement made. But that's off topic.

There is a project under way that harnesses the power of THOUSANDS of computers to crunch the huge numbers required in an attempt to actually discover an md5 collision. Currently none has been found and it is projected that at the current rate it will be over 2 years before the first collision is even expected. This is not factoring in the use of a salt which adds yet another magnitude of difficulty.

So there is your perspective. Is it possible? Absolutely. Is it probable that this will ever cause you a problem? Probably not.

There is a better chance that Elvis didn't die and was sucked into a worm hole and is the 'king' of an alternate universe. :)

-b

jev-bird 11-19-2004 02:19 PM

The other password was weaker though. It was just alpha characters while the other initial password and the only one I recall setting contained many different types of characters not just letters.

iago 11-19-2004 03:25 PM

Quote:

Originally posted by bignerd
To put iago's response into perspective...

You're absolutely right, the odds are incredibly small that this is what happened.

More than likely, if you've seen this, it's happening for a different reason.

Perhaps more details would help:
- What distro are you using? (Sorry, I just looked. I'd bet your whole problem is that you're using Linspire :P)
- How did you discover this phenomenon?
- Can you give us the line for the account in /etc/passwd and /etc/shadow? It's understandable if you can't.
- Is it possible that somebody has installed a backdoor?
- Do both passwords work for logging in from tty, logging in via ssh, switching user via su, etc? If it's just occurring through, for example, ssh, it's possible that there's a backdoor there.
- Do a Google search for the password that shouldn't be there, see if it's associated with any known trojans or backdoors. It's possible that, if it IS a backdoor, the password could be set by whoever installed it. But check anyway.

Hope this helps.

jev-bird 11-19-2004 03:35 PM

I'm using Debian Sarge. Well I just happened to log in and the password I used was from the same password on my windows box. So I sort of forgot and used that passwd but it worked. And then when I put the real root password in it worked too. So I switched vt's and logged in under regular user with same password that was on my windows box and it logged right in. So I have since changed the passwd's.

Any ideas? So basically although I only tried it on the root account and another user account that simple password worked for both and the initial passwords that were set for root and the other user worked too.

iago 11-19-2004 03:42 PM

So there was a second password that somehow had access to more than one of your accounts? Does it still work on any of the accounts, particularly after changing your password?

I've never heard of anything like this, but it may be completely possible that it's a tool or something that somebody else would be better suited to helping you figure out :-/

jev-bird 11-19-2004 03:52 PM

Since I changed passwords the weak one does not work anymore on neither account. I do some investigating cause this box might be compromised or at least it was and thanks for your help.

iago 11-19-2004 03:58 PM

Did you only change the password for "root"?

jev-bird 11-19-2004 05:47 PM

Yeah I changed both. Someone or some group of people have been targeting me over the past few months. And I've got the proof I just need a bit more.

Capt_Caveman 11-19-2004 08:05 PM

Try just using some random password. If it works, then your authentication is borked, which usually is indicative of being rooted. The likelihood of a hash collision is less than that of you being crushed by a meteor while being simultaneously struck by lightning and attacked by a shark.

--edit---
Also note that some auth schemes only use the first 8 characters of your password, so AAAAAAAA1 and AAAAAAAA2 would both be accepted.
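
An added example, not part of any post in this thread: a small audit over shadow-format lines that flags traditional DES crypt (a scheme that checks only the first 8 characters of a password), legacy md5-crypt like the `$1$` line quoted earlier, and accounts whose salt and hash are identical. The function names `classify` and `audit_shadow` are hypothetical, and every sample line except the `test` entry quoted in the thread is constructed.

```python
import re

# Scheme prefixes found in the password field of /etc/shadow (crypt(3) formats).
PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash, no "$"
NOTES = {"des-crypt": "des-crypt: only the first 8 characters are checked",
         "md5-crypt": "md5-crypt: legacy scheme",
         "empty": "empty password field",
         "unknown": "unrecognised hash format"}

def classify(field):
    """Return the scheme name for one shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des-crypt" if DES_RE.match(field) else "unknown"

def audit_shadow(lines):
    """Return a sorted list of (user, finding) tuples for shadow-format lines."""
    findings, seen = [], {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        scheme = classify(field)
        if scheme in NOTES:
            findings.append((user, NOTES[scheme]))
        # Identical salt+hash on two accounts means one password opens both.
        if scheme not in ("locked", "empty"):
            if field in seen:
                findings.append((user, "same hash as " + seen[field]))
            seen.setdefault(field, user)
    return sorted(findings)

# Constructed sample; only the "test" line is the one quoted in the thread.
SAMPLE = [
    "root:$6$saltsalt$CONSTRUCTEDHASH:12741:0:99999:7:::",
    "test:$1$WuG1uFab$UqIHwmx/gSMkk05dNUohn/:12741:0:99999:7:::",
    "olduser:ab0123456789.:12741:0:99999:7:::",
    "daemon:*:12741:0:99999:7:::",
    "backup:$1$WuG1uFab$UqIHwmx/gSMkk05dNUohn/:12741:0:99999:7:::",
]
```

Calling `audit_shadow(SAMPLE)` returns the findings as a list; on a real system the input would be the lines of `/etc/shadow`, read as root.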

JARofHERB 11-19-2004 11:06 PM

I don't even have a root account, or root password. I use sudo for every root action I need. Much better I think!

jev-bird 11-20-2004 01:06 AM

Well the only thing with sudo I need to learn more. Sudo is only good if you utilize it right. For example giving sudo access for "only" certain commands. Like in a default sudo conf file in /etc/sudoers it defeats the purpose if you allow a regular user to run just any command with sudo. Cause I don't like the "ALL" thing where they can run anything as sudo.

Does anybody know what I would add to only allow sudo for certain commands like apt-get, ifconfig, killall etc.?

capybara 11-25-2004 06:23 PM

Weird stuff - exactly like this two root passwords - in /etc/passwd or /etc/shadow is a very prime indicator of being rooted.
Have you run chkrootkit or rkhunter?


All times are GMT -5.