
I have an old Linux system which can be accessed via a public IP address.

When you connect to the SSH port you can login as root with any password. The only restriction is that the password needs to be at least 1 character long.

In the (far) past, when this system was developed, this was OK, as the system was always behind a dialup modem which had its own authentication.

For a few years now the system has been connected via ADSL and has a public IP address (no VPN) ... miraculously no one ever bothered with the SSH port ... until last week ...

Last week a Chinese IP address connected through the SSH port, logged in with the root account, changed some system settings (including the root password), and logged out ... I could see this in /var/log/messages, which I could retrieve via another port.

How can I set a real password for the root account?

I tried to set it using the passwd command, giving a new password, but after that I could still log in with any random password (before and after a reboot).

In /etc/shadow it says the following about the root account:

root:8ZGWAPs9N9EJQ::::::

In /etc/ssh/sshd_config I see the following line commented out:

#PermitRootLogin yes

As "yes" is the default value I see nothing wrong with that.

Some info about the system:

login shows:

BusyBox v1.00-pre9 (2004.07.09-11:06+0000) Built-in shell (ash)

cat /proc/version gives:

Linux version 2.4.31 (<emailaddress>) (gcc version 3.3.2 20031022 (Red Hat Linux 3.3.2-1)) #4 Thu Sep 22 09:13:06 CEST 2005

I have now closed the SSH port in the ADSL modem firewall, so it cannot be accessed remotely anymore, which gives me some time to solve this issue.

I would like to give the root account a real password which has to be used with any SSH connection, preferably without having to reset the system.

I believe this is possible, as the system wasn't rebooted last week and all processes were still running, but I couldn't log in to the root account anymore with any password.

[EDIT]

As pingz suspected, this seems to be caused by nullok in /etc/pam.d/system-auth.

Is it possible to edit this file and load the new settings without having to stop any running processes?

The first lines of /etc/pam.d/system-auth show:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

If I now remove nullok from this file, and somewhere in the future the system is rebooted, will nullok be back, or will my change remain?

Hrqls
  • With the help of pingz the source of the problem is located, but now I have some problems with the new root password ... but I posted that as a new question, this time on Unix & Linux: https://unix.stackexchange.com/questions/180242/removing-nullok-from-system-auth-prevents-any-root-password – Hrqls Jan 21 '15 at 10:11
  • I am hoping `8ZGWAPs9N9EJQ` is not your real password hash. That hash is using the weakest password hashing algorithm supported by the `crypt` library. The salt in that algorithm is way too short, but even worse, it truncates passwords at 8 characters. If it was a real password hash, you should consider that password compromised by now. Besides, more important than changing the password, I would disable password authentication in `sshd` completely and mandate the use of keys for all `ssh` logins. – kasperd Dec 10 '16 at 11:30

1 Answer

There is a way to disable user passwords: the nullok module in PAM.

Check this link for more information:

http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html

If that is your case, just change this bizarre configuration.

====================================================

For your further questions: any changes to PAM configuration files take effect instantly, and this may cause you to be locked out of the system by mistake. So RHEL provides the authconfig/authconfig-tui tools to do it, as the comments say. If you run it, it will reset the config for you. Check the authconfig man page before running it.

pingz
  • Thanks! I indeed see `nullok` in `/etc/pam.d/system-auth`, so this seems to be the case – Hrqls Jan 21 '15 at 07:18
  • I edited my question with more info, and 2 more questions – Hrqls Jan 21 '15 at 07:25
  • Thanks again! Removing `nullok` from the file indeed requires root to log in with a real password – Hrqls Jan 21 '15 at 09:51
  • I have some problems with the new root password ... but I posted that as a new question, this time on Unix & Linux: https://unix.stackexchange.com/questions/180242/removing-nullok-from-system-auth-prevents-any-root-password – Hrqls Jan 21 '15 at 10:10
  • @Hrqls I think my answer is wrong, or at least is not how your system is set up; you need to undo your accept. I'm afraid more information about the system is needed. But first, you need to check out your /etc/pam.d directory; there is more than one file in it that would cause the trouble. – pingz Jan 22 '15 at 08:01
  • Thanks for the answer, it taught me a lot, even when it was not the correct answer to the question ... so I will let the upvote remain, but unaccept it as the answer :) – Hrqls Jan 22 '15 at 10:10
  • Do you have any idea where the 'auto accept' could come from? Which files in /etc/pam.d might have some effect on this issue? – Hrqls Jan 22 '15 at 10:12
  • @Hrqls Normally this kind of behavior will only be found on a system used as a honeypot, so it's really hard to know what's wrong just from your question. Not for this question, but you may want a workaround like adding a device such as a router before your system. Run `grep nullok /etc/pam.d/*` if you want to give it another try. – pingz Jan 22 '15 at 15:06
  • What is a honeypot? ... The system has a router before it, so I can shut down the SSH connection easily ... the problem is I want to access the SSH from the office sometimes as well (but others should not :-)) – Hrqls Jan 22 '15 at 15:08
  • @Hrqls If your goal is remote access, then an _ssh tunnel_ (just google it, you can find more) is quite a workaround, but your router must support ssh first, of course. A honeypot is a trap used for luring attackers. http://en.wikipedia.org/wiki/Honeypot_%28computing%29 – pingz Jan 22 '15 at 15:17
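An added audit script (not code from the question, the answer or any of the commenters) that covers the two checks this thread arrives at: the `grep nullok /etc/pam.d/*` that pingz suggests, restricted to uncommented pam_unix lines, and the kind of hash sitting in the root line of /etc/shadow, which kasperd's comment flags when it is the legacy 13-character DES form. The pam.d and shadow files below are constructed for the demonstration, with placeholder hash values; on a real box pass /etc/pam.d and /etc/shadow to the two functions instead.

```shell
#!/bin/sh
# Audit helpers for the two settings this thread turns on: the 'nullok'
# argument on pam_unix lines under /etc/pam.d, and the kind of hash in the
# root entry of /etc/shadow (empty, or the legacy 13-char DES crypt form).
# On a real box call the functions with /etc/pam.d and /etc/shadow.
# Print "file:line:text" for every uncommented pam_unix line carrying nullok.
pam_nullok_lines() {                       # $1 = pam.d directory
    # /dev/null forces grep to print file names even for a single file
    grep -n '^[^#]*pam_unix\.so.*nullok' "$1"/* /dev/null 2>/dev/null || true
}
pam_nullok_count() { pam_nullok_lines "$1" | wc -l | tr -d ' '; }
# Classify one account's hash field in a shadow file:
#   empty     no hash; with nullok this account authenticates with no password
#   locked    field starts with '!' or '*'
#   des-crypt 13-char legacy DES hash (short salt, password truncated to 8)
#   modern    $id$salt$hash form (md5crypt, sha256crypt, sha512crypt, ...)
#   missing   account not present
shadow_hash_class() {                      # $1 = shadow file, $2 = user name
    hash=$(awk -F: -v u="$2" '$1 == u { print $2; f=1 } END { if (!f) print "<missing>" }' "$1")
    case "$hash" in
        '<missing>') echo missing ;;
        '')          echo empty ;;
        '!'*|'*'*)   echo locked ;;
        '$'*)        echo modern ;;
        *) [ "${#hash}" -eq 13 ] && echo des-crypt || echo unknown ;;
    esac
}
# --- constructed sample input (not real files or credentials) ---
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
mkdir "$TMPD/pam.d"
cat > "$TMPD/pam.d/system-auth" <<'EOF'
#%PAM-1.0
auth        sufficient    pam_unix.so likeauth nullok
#auth       sufficient    pam_unix.so nullok        (commented out: ignored)
account     required      pam_unix.so
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
EOF
cat > "$TMPD/shadow" <<'EOF'
root:placeholderXX::::::
backup:::::::
daemon:*:::::::
admin:$6$saltsalt$PLACEHOLDERHASH:::::::
EOF
echo "nullok findings: $(pam_nullok_count "$TMPD/pam.d")"
pam_nullok_lines "$TMPD/pam.d"
for u in root backup daemon admin; do
    echo "$u: $(shadow_hash_class "$TMPD/shadow" "$u")"
done
```

A `des-crypt` or `empty` result for root, or any `nullok` finding, is the condition to fix before the port is reopened; the same functions work against a copy of the files pulled off the box if you would rather not run anything on it.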