LinuxQuestions.org, Linux - Security forum
Old 11-28-2012, 03:51 AM   #1
Exitcode127
LQ Newbie
 
Registered: Nov 2012
Location: London
Distribution: CentOS
Posts: 2

One-time root password script


Hello guys,

This is my first post on this forum

Often when I travel, I have to connect to my boxes from machines I don't have control over (e.g. a customer site).

My idea is to create a script that changes the root password of a server after every login. The passwords would be kept in a coded format in a file and shown once when the script is initiated. Let's say the script gives me a list of 20 future passwords. Then, every time I need to log in, I have to use the next password in the list. After every successful login, the script would automatically change the password and apply the next one in the list.

My machines mostly use MD5-based passwords ($1$) with a salt. I am trying to understand how the server generates the string stored in the shadow file. I would like to know the manual steps to go from a password to the string in the /etc/shadow file.

Your help is appreciated.

PS: if the script is good, it will be made available to the community.
 
Old 11-28-2012, 04:03 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

plenty of examples out there...
Code:
echo "password"|openssl passwd -1 -stdin
I'd suggest that using a root password at all is the problem. Why ever allow root logins? Log in as a normal user, then su with the known root password over a secure encrypted session. Or use "sudo -i" and have no root password involved in the process at all. I see where you're coming from, but I think it's a bad idea. You're reinventing the wheel and making it square.
 
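The openssl one-liner above produces the $1$ string, but the original poster asked for the manual steps. The following is an added example, not code from the thread, that implements Poul-Henning Kamp's MD5-crypt algorithm (the $1$ scheme behind crypt(3) and `openssl passwd -1`) in pure Python so that each step is visible. The salt value, the helper names and the sample password are this example's own.

```python
import hashlib
import hmac
import secrets

# Added example: pure-Python MD5-crypt ($1$), following Poul-Henning Kamp's
# original algorithm. Constants and helper names are this example's own.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value: int, n: int) -> str:
    """crypt(3)'s base-64: emit n characters of 6 bits each, low bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the /etc/shadow field "$1$<salt>$<22 chars>" for password.

    salt may be a bare salt or a complete shadow field; only the first 8
    characters before the next '$' are used, exactly as crypt(3) does.
    """
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split("$", 1)[0][:8]
    pw, sb = password.encode(), salt.encode()

    # Step 1: ctx = MD5(pw || "$1$" || salt), then mix in MD5(pw || salt || pw)
    # once per 16 bytes of password length.
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # Step 2: for each bit of len(pw), low bit first, add a NUL byte (bit set)
    # or the first password byte (bit clear).
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # Step 3: 1000 rounds; what goes into each round depends on i&1, i%3, i%7.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Step 4: the 16 digest bytes are regrouped in this fixed order and encoded
    # 3 bytes -> 4 characters, with the leftover byte 11 -> 2 characters.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    enc += _to64(final[11], 2)
    return f"{MAGIC}{salt}${enc}"


def new_salt() -> str:
    """8 random salt characters from the crypt alphabet, from a CSPRNG."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password: str, shadow_field: str) -> bool:
    """Recompute with the salt taken from the stored field; constant-time compare."""
    return hmac.compare_digest(md5crypt(password, shadow_field), shadow_field)


if __name__ == "__main__":
    # Same output as: openssl passwd -1 -salt deadbeef password
    field = md5crypt("password", "deadbeef")
    print(field, verify("password", field), verify("Password", field))
```

The output matches `openssl passwd -1 -salt deadbeef password` and, where Python still ships the `crypt` module, `crypt.crypt("password", "$1$deadbeef$")`. Two caveats for anyone scripting around this: the salt must come from a CSPRNG, never reused, and MD5-crypt's fixed 1000 rounds are cheap on modern hardware, so $6$ (SHA-512-crypt) or yescrypt is the better choice when the distribution supports it; the $1$ format only matters here because the poster's existing shadow files use it.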
Old 11-28-2012, 05:27 AM   #3
Exitcode127
LQ Newbie
 
Registered: Nov 2012
Location: London
Distribution: CentOS
Posts: 2

Original Poster
Thank you. It points me in the right direction.

Even with a user account, the problem would be the same if someone is logging what I type on the keyboard. The script can work with the root account or any other account.

For my eBanking, my bank gives me a list of 100 passwords and every time I use one, I tick it in the list. So for the next login, I would use a different password.
 
Old 11-28-2012, 05:55 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Hmm OK keyloggers... good point.

here then I'd suggest a formal OTP solution. I know there are pure GPL solutions out there, but something like openotp would work well with a smartphone and less than 25 user accounts - http://www.rcdevs.com/products/openotp/
 
Old 11-28-2012, 08:21 AM   #5
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Debian, OS X (bsd)
Posts: 144

Better to invest your time in one of the existing systems, unless you will make a better one.

s/key and opie seem to be gone, but otpw seems to be around still.

If you can tolerate dongles, YubiKey seems to be rising in popularity.
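The scheme in the first post (a printed list of 20 passwords, each valid once, the server rotating to the next after every login) is what S/KEY, OPIE and otpw formalise as a hash chain. The following is an added example, not code from the thread or from any of those projects, showing the minimal Lamport-style version of that idea. It assumes SHA-256 as the one-way function (S/KEY itself used MD4/MD5), hex-encoded list entries and a 20-entry sheet; the seed in the `__main__` block is generated on the spot. The point it makes that the poster's plain list does not: the server stores only the hash of the next valid password, so a copied server file yields nothing usable, a keylogged password is already spent, and an out-of-order or replayed entry is refused.

```python
import hashlib
import hmac
import secrets

# Added example, not from the thread. Assumptions: SHA-256 as the chain
# function (S/KEY used MD4/MD5), hex-encoded sheet entries, 20 entries.
CHAIN_LENGTH = 20


def H(x: bytes) -> bytes:
    """The one-way function of the chain."""
    return hashlib.sha256(x).digest()


def make_otp_list(seed: bytes, n: int = CHAIN_LENGTH):
    """Build a hash chain from seed and split it between server and user.

    chain[i] = H^i(seed). The server keeps only chain[n] (the "anchor").
    The user's printed sheet is chain[n-1], chain[n-2], ..., chain[0], used
    top to bottom. Knowing chain[i] does not reveal chain[i-1], so neither
    the anchor nor a captured (spent) entry gives away the next one.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    sheet = [chain[n - k].hex() for k in range(1, n + 1)]
    server_state = {"anchor": chain[n], "remaining": n}
    return server_state, sheet


def otp_login(state: dict, presented_hex: str) -> bool:
    """Accept iff H(presented) equals the stored anchor, then advance the chain."""
    if state["remaining"] <= 0:
        return False  # sheet exhausted: a new seed must be issued out of band
    try:
        presented = bytes.fromhex(presented_hex)
    except ValueError:
        return False
    if not hmac.compare_digest(H(presented), state["anchor"]):
        return False  # wrong, replayed, or out of order
    # The entry just used becomes the new anchor; it is now useless to a keylogger.
    state["anchor"] = presented
    state["remaining"] -= 1
    return True


if __name__ == "__main__":
    state, sheet = make_otp_list(secrets.token_bytes(32))
    print("server stores only:", state["anchor"].hex())
    print("sheet entry 1:", sheet[0])
    print("first use:", otp_login(state, sheet[0]), "replay:", otp_login(state, sheet[0]))
```

The sheet is the only secret that leaves the server, which is why sundialsvcs's warning about the paper list still applies: whoever photographs it owns every unused entry. Real S/KEY also let the server hash a presented value forward a few steps to tolerate a user who skipped lines; this example deliberately refuses anything but the exact next entry, which is the safer default when the list is short.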
 
Old 11-28-2012, 10:44 AM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,263

I think that the time will quickly come, either when you can't log-in any more, or when your "secret" paper list of passwords gets pick-pocketed and photocopied.

I would, first of all, bring a computer with me and set it up with password-protected (encrypted...) VPN certificates to allow access to the target servers. Access to the servers e.g. by SSH or other means is not possible, except through the VPN tunnel, and access to the tunnel is only possible for a bearer of a currently valid certificate (i.e. you) who knows the encryption key for the same and is thereby able to use it.

Actually, password-free SSH logins, using once again digital certificates (encrypted, again) is stronger in my opinion than any password system. And, this SSH cannot directly log-in to root.

It must be used to log-in to a maintenance account which might be the only member of the "wheel" group or otherwise via PAM the only one who can from there gain access to root. This maintenance account has read/write access to directories and files of elevated concern, such that full root access is not required to get to those files. (The maintenance account is super but not super-duper.)

So, a keylogger wouldn't do any good: you have to steal your laptop, hold a gun to your head to get the encryption key for the certificate, and so on . . .
 