LinuxQuestions.org


MrMcGoo 11-11-2009 02:44 PM

Lost root password, can't reset
 
My wife's computer might have been entered. It's connected to my firewalled router and is running SUSE 10.2. My computers run BSD.

Anyway, I had to use YAST to install a printer, on her machine, as root, and discovered that the root password no longer worked, which caused me to become suspicious.

In order to enter rescue mode, one needs the install cd which I didn't have. So, I booted a Knoppix cd to edit the /etc/shadow file. I found that there was no encrypted root password, only an asterisk between the two colons. I deleted it, and then could log onto SUSE as root without a password.

However, all attempts to reset the root password with passwd fail. Typing "pwd" confirms I'm logged in as root, but after typing "passwd" I'm prompted for a password, which of course there is none.

Actually, I don't want to fix the problem in SUSE as I was going to install BSD anyways. I have all her stuff backed up and will wipe the hdd before the new install.

I'm just curious about the root password problem. Any thoughts here?

pixellany 11-11-2009 03:08 PM

"pwd" gives you the current working directory---not the login name. For the latter, enter "users", or "whoami".

Did you become root by entering "su" or "su -"?

If you are not logged in as root, then "passwd" wants a password before it will go further.

You can boot into single-user mode and become root with no password required---like so:

when the grub menu appears, hit any key to stop the count, then "e" for edit.
select the kernel line, and "e" again.
Add the word "single" to the end of the line
hit return and then "b"

MrMcGoo 11-11-2009 04:24 PM

About "pwd" - sorry, my typo. wanted to say "whoami" which does confirm that I am logged in as root.

No su done. The etc/shadow file should contain the encrypted or hashed up root password between the first two colons. Remove those characters and then, after reboot, login as root is automatic without password. Quote the SUSE BIBLE - "You will find you can now reboot the system as root without a password." This is true.

As I have explained, although I am indeed logged in as root, when I attempt to reset the root password, it asks me for a password. Obviously, I cannot give one as firstly, the original one got busted, and secondly, I wiped out the asterisk that somehow found its way into where the hashed password should have been. Most importantly, I am already logged in as root, but passwd asks for a root password.

There is no grub menu. Rescue mode is what SUSE wants, and it's the mode I chose. I guess this is the SUSE version of single user mode.

chrism01 11-11-2009 07:43 PM

I think you'll find it's asking for the new passwd, even though the prompt doesn't say 'new'.
It'll look something like

passwd >
Re-enter passwd >

pixellany 11-11-2009 08:06 PM

Code:

[mherring@Ath ~]$ su
Password:
[root@Ath mherring]# passwd
Enter new UNIX password:
Retype new UNIX password:

(I purposely entered different passwords so it would abort)

MrMcGoo 11-11-2009 10:36 PM

Would someone please READ my question? I know how to reset a root and/or user password. This hasn't a thing to do with SU.

It has to do with the fact that when I wanted to be root, the root password was not accepted. I had it written down, used it before, and then it no longer worked. Either SUSE screwed up or someone, on the WAN not LAN, had gained access and changed it. It is a security, not a how-to question.

The root password (IN SUSE) is stored on the first line of the file /etc/shadow, not in its original state, but in a hashed/encrypted format. It is seen as a bunch of mishmash characters, separated by colons. The idea is to delete the characters between the first and second colons. Then one can log on as root without needing to enter a password.

Great, but you must have install cd#1 where you log into rescue mode to do this. Lacking the install cd, I did it by booting a Knoppix cd which automatically logs the user on as root. I then deleted all the hash characters between the first and second colons. Either way, the result is the same.

Now, I get logged on to SUSE as root without entering a password! YES I DO. Once logged on as root, I issue the command "passwd" and the o/s responds with "changing password for root" - then immediately "password: user not known to the underlying authentication module."

Thus, it is not possible to reset the root password.

Please understand: I don't want to fix the problem. Tomorrow, SUSE will be history, and my wife will be running BSD.

The question is: Given these circumstances, is it possible that my wife's computer was hacked, and for what possible reason?
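
The password-field states this thread runs into (an asterisk, an emptied field, a normal hash) can be told apart mechanically. The following is an added example, not part of the original posts: a small Python audit of shadow-format text. The sample entries, account names and function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/shadow layout (9 colon-separated fields, see shadow(5)).
# The hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:*:14559:0:99999:7:::
guest::14559:0:99999:7:::
alice:$6$examplesalt$PLACEHOLDERHASH:14559:0:99999:7:::
bob:!$6$examplesalt$PLACEHOLDERHASH:14559:0:99999:7:::
broken:14559:0
"""

# Legacy DES crypt output: exactly 13 characters from this alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_password_field(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"    # no password required (subject to PAM configuration)
    if field[0] in "!*":
        return "locked"   # not a valid crypt result: no typed password can match
    if field.startswith("$") or DES_RE.match(field):
        return "hashed"   # modular crypt ($id$salt$hash) or legacy DES
    return "invalid"      # unrecognised content: no typed password can match

def audit_shadow(text):
    """Return (line number, account, state) for every non-blank line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            # A hand-edited line that lost fields or colons is flagged, not guessed at.
            findings.append((lineno, fields[0], "malformed"))
            continue
        findings.append((lineno, fields[0], classify_password_field(fields[1])))
    return findings

def accounts_needing_attention(text):
    """Accounts with an empty, malformed or unrecognised password field."""
    risky = {"empty", "malformed", "invalid"}
    return [name for _, name, state in audit_shadow(text) if state in risky]

if __name__ == "__main__":
    for lineno, name, state in audit_shadow(SAMPLE_SHADOW):
        print(f"line {lineno}: {name:8} {state}")
```

To audit a live system, pass the contents of /etc/shadow (readable by root only) to `audit_shadow` instead of the constructed sample.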

evo2 11-12-2009 01:03 AM

Quote:

Originally Posted by MrMcGoo (Post 3753357)
However, all attempts to reset the root password with passwd fail. Typing "pwd" confirms I'm logged in as root, but after typing "passwd" I'm prompted for a password, which of course there is none.

I agree it is strange that root is prompted for a password when running passwd.

However, no password just means an empty string, right? So what happens if you just hit enter?

One more question: did you try running passwd both with no argument and explicitly as 'passwd root'?

Methinks it's some strange SUSE specific thing.

Evo2.

PS. Sorry, no idea about your actual question regarding if your wife's machine was cracked.

abefroman 11-12-2009 04:57 AM

Just boot it into single user mode.


All times are GMT -5.