LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-19-2004, 01:33 PM   #1
jev-bird
Member
 
Registered: Jul 2004
Location: USofA
Distribution: Whatever runs accordingly.
Posts: 200

Rep: Reputation: 30
Help! root has two passwords!


Is it possible for root or any other user to log in with two different password.

Lets say your passwd is "boyz&girlz" and you can also log in with "girlz&boyz"?
 
Old 11-19-2004, 01:57 PM   #2
iago
LQ Newbie
 
Registered: Nov 2004
Location: Canada
Distribution: Slackware
Posts: 26

Rep: Reputation: 15
It's theoretically possible for an account to have many different passwords due to "collisions" in hashing.

For example, this is from /etc/shadow on my laptop:
test:$1$WuG1uFab$UqIHwmx/gSMkk05dNUohn/:12741:0:99999:7:::

It's possible that the encrypted password, "$1$WuG1uFab$UqIHwmx/gSMkk05dNUohn/", is also the encrypted version of another string.

I don't think it's possible to do it intentionally, though, but I could be wrong about that.
 
Old 11-19-2004, 02:10 PM   #3
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
To put iago's response into perspective... he is absolutely correct in that it is theoretically possible to have a collision in the linux password hash. Linux by default uses md5 with a salt. md5 has been theorized by field professionals to have a collision weakness. SHA-1 on the other hand has not to my knowledge ever had this statement made. But that's off topic.

There is a project under way that harnesses the power of THOUSANDS of computers to crunch the huge numbers required in an attempt to actually discover an md5 collision. Currently none has been found and it is projected that at the current rate it will be over 2 years before the first collision is even expected. This is not factoring in the use of a salt which adds yet another magnitute of difficulty.

So there is your perspective. Is it possible? Absolutely. Is it probable that this will ever cause you a problem? Probably not.

There is a better chance that Elvis didn't die and was sucked into a worm hole and is the 'king' of an alternate universe.

-b
 
Old 11-19-2004, 02:19 PM   #4
jev-bird
Member
 
Registered: Jul 2004
Location: USofA
Distribution: Whatever runs accordingly.
Posts: 200

Original Poster
Rep: Reputation: 30
The other password was weaker though. It was just alpha characters while the other initial password and the only one I recall setting contained many different types of characters not just letters.
 
Old 11-19-2004, 03:25 PM   #5
iago
LQ Newbie
 
Registered: Nov 2004
Location: Canada
Distribution: Slackware
Posts: 26

Rep: Reputation: 15
Quote:
Originally posted by bignerd
[B]To put iago's response into perspective...
You're absolutely right, the odds are incredibly small that this is what happened.

More than likely, if you've seen this, it's happening for a different reason.

Perhaps more details would help:
- What distro are you using? (Sorry, I just looked. I'd bet your whole problem is that you're using Linspire :P)
- How did you discover this phenomenon?
- Can you give us the line for the account in /etc/passwd and /etc/shadow? It's understandable if you can't.
- Is it possible that somebody has installed a backdoor?
- Do both passwords work for logging in from tty, logging in via ssh, switching user view su, etc? If it's just occuring through, for example, ssh, it's possible that there's a backdoor there.
- Do a google search for the password that shouldn't be there, see if it's associated with any known trojans or backdoors. It's possible that, if it IS a backdoor, the password could be set by whoever installed it. But check anyway.

Hope this helps.
 
Old 11-19-2004, 03:35 PM   #6
jev-bird
Member
 
Registered: Jul 2004
Location: USofA
Distribution: Whatever runs accordingly.
Posts: 200

Original Poster
Rep: Reputation: 30
I'm using Debian Sarge. Well I just happen to log in and the password I used was from the same password on my windows box. So I sort of forgot and used that passwd but it worked. And then when I put the real root password in it worked too. So I switched vt's and logged in under regular user with same password that was on my windows box and it logged right in. So I have since changed the passwd's.

Any ideas? So basically although I only tried it on the root account and another user account that simple password worked for both and the initial passwords that were set for root and the other user worked too.
 
Old 11-19-2004, 03:42 PM   #7
iago
LQ Newbie
 
Registered: Nov 2004
Location: Canada
Distribution: Slackware
Posts: 26

Rep: Reputation: 15
So there was a second password that somehow had access to more than one of your accounts? Does it still work on any of the accounts, particularely after changing your password?

I've never heard of anything like this, but it may be completely possible that it's a tool or something that somebody else would be better suited to helping you figure out :-/
 
Old 11-19-2004, 03:52 PM   #8
jev-bird
Member
 
Registered: Jul 2004
Location: USofA
Distribution: Whatever runs accordingly.
Posts: 200

Original Poster
Rep: Reputation: 30
Since I changed passwords the weak one does not work anymore on niether account. I do some investigating cause this box might be compromised or at least it was and thanks for your help.
 
Old 11-19-2004, 03:58 PM   #9
iago
LQ Newbie
 
Registered: Nov 2004
Location: Canada
Distribution: Slackware
Posts: 26

Rep: Reputation: 15
Did you only change the password for "root"?
 
Old 11-19-2004, 05:47 PM   #10
jev-bird
Member
 
Registered: Jul 2004
Location: USofA
Distribution: Whatever runs accordingly.
Posts: 200

Original Poster
Rep: Reputation: 30
Yeah I changed both. Someone or some group of poeple have been targeting me over the past few months. ANd I've got the proof I just need a bit more.
 
Old 11-19-2004, 08:05 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Try just using some random password. If it works, then your authentication is borked, which usually is indicative of being rooted. The likelihood of a hash collision is less than that of you being crushed by a meteor while being simultaneously struck by lightening and attacked by a shark.

--edit---
Also note that some auth schemes only use the first 8 characters of your password, so AAAAAAAA1 and AAAAAAAA2 would both be accepted.

Last edited by Capt_Caveman; 11-19-2004 at 08:09 PM.
 
Old 11-19-2004, 11:06 PM   #12
JARofHERB
Member
 
Registered: Apr 2004
Location: Pacific Northwest
Distribution: Debian unstable
Posts: 60

Rep: Reputation: 15
I dont even have a root account,,or root password..I use sudo for every root action i need..much better i think!
 
Old 11-20-2004, 01:06 AM   #13
jev-bird
Member
 
Registered: Jul 2004
Location: USofA
Distribution: Whatever runs accordingly.
Posts: 200

Original Poster
Rep: Reputation: 30
Well the only thing with sudo I need to learn more. Sudo is only good if you utilize it right. For example giving sudo access for "only" certain commands. Like in a default sudo conf file in /etc/sudoers it defeats the purpose if you allow a regular user to run just any command with sudo. Cause I don't like the "ALL" thing where they can run anything as sudo.

Does anybody know what I would add to only allow sudo for certain commands like apt-get, ifconfig, killall etc.?
 
Old 11-25-2004, 06:23 PM   #14
capybara
LQ Newbie
 
Registered: May 2004
Location: 20 min to tj
Distribution: debian
Posts: 9

Rep: Reputation: 0
weird stuff - exactly like this two root passwords -
in /etc/passwd or /etc/shadow is a very prime indicator of being rooted.
have you run chkrootkit or rkhunter?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
two root passwords openbysource Red Hat 4 12-02-2005 07:19 AM
Default Root Passwords? Pauli Linux - General 7 09-01-2005 11:35 AM
Multiple root passwords xp1o1d5 Linux - Security 2 07-06-2005 10:00 PM
two root passwords!!!! mufy Linux - Security 9 01-06-2005 05:10 AM
MySQL root passwords ridertech Linux - Software 4 05-11-2004 10:24 AM


All times are GMT -5. The time now is 01:03 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration