Regarding sudo

 
Keith Keller
(Msg. 31) Posted: Thu Jul 12, 2007 4:09 pm
Post subject: Re: Regarding sudo
Archived from groups: comp.os.linux.setup

On 2007-07-12, ArameFarpado <a-farpado.spam DeleteThis @netcabo.pt> wrote:
> On Thursday, 12 July 2007 18:52, Keith Keller wrote:
>
>>> by the way, do we have a point when a user account is blocked because of
>>> bad passwords? if so, how many wrong passwords are needed?
>>> I know windows does this after 3 or 5 wrong passwords, but never seen
>>> linux do it...
>>
>> Most distros by default do not lock accounts on bad passwords, but it
>> can be easily configured. There is plenty of documentation online and
>> in the man pages.
> Ok, then I would suggest sudoers use this function, or disable the password
> timestamp.

Read the manpage for sudoers to figure out how to disable the timestamp.

>> I'm getting off into speculation, since I don't know in detail how other
>> distros configure their /etc/sudoers file. *If* you have sudo, and
>> *if* you have sudo su, *then* yes, you are vulnerable to trojans in that
>> time period.
>> The solution is to not be stupid when using sudo. It
>> appears that you are looking for a technical solution to what is
>> fundamentally a human problem, and it is not the OS's job to protect the
>> administrator from every conceivable mistake he could make.
>
> the trojan could already be running and waiting for sudo to be used.

Of course it could. The solution is to not be stupid when using sudo.

>> It is the
>> admin's job to act in such a way that he doesn't compromise his
>> security; it is the OS's job to ensure that the security measures the
>> admin has configured are enforced.
> home computers are usually administered by their owner and usually only user.

It is still the admin's job to act in such a way that he doesn't
compromise his security. This is the same as with any OS; the problem
being that Windows (for example) has historically made it very easy to
always run as an administrator, and very difficult not to do so. Even
in the situation where sudo has a 5 minute timeout, that's a relatively
small window in which a trojan can do its damage. But it doesn't allow
an admin to do whatever he wants and not worry about security!

As an aside, processes can't actually read the sudo timestamps, so
trojans actually need to attempt a sudo (with sudo -l, for example) in
order to test whether sudo works. Since sudo attempts are logged, a
sysadmin (yes, even the only owner of a home system) can monitor these
attempts to detect a running trojan.

> Facilities like this lower security, and I think sudo should not be used,
> at least the way some distros are configuring it by default.

You could lobby individual distributions to disable the sudo timestamp,
or you could post instructions on how to configure sudo for this
functionality. (If the user didn't want to be prompted he could sudo su,
with all the caveats that brings.) But I really think you should try to
better understand how all of these mechanisms work together before
commencing such a campaign; otherwise, distribution maintainers will
ignore (or ridicule) your suggestion.

--keith

--
kkeller-usenet DeleteThis @wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
ArameFarpado
(Msg. 32) Posted: Thu Jul 12, 2007 4:12 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On Thursday, 12 July 2007 20:42, John Hasler wrote:

> Alan Adams writes:
>> If the hashed version contains less information than the original
>> password, doesn't this imply that there is more than one possible
>> password which will hash to the same result?
>
> Yes, of course. As a result the search space is reduced slightly. It is
> still, however, in the bajillions. It's a good tradeoff.

So we have bajillions of different passwords all given the same hash?
I don't think so... how does the system know you typed the exact password
when there are so many others that generate the same hash?
Can't be...
Douglas Mayne
(Msg. 33) Posted: Thu Jul 12, 2007 4:12 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On Thu, 12 Jul 2007 21:12:23 +0100, ArameFarpado wrote:

> On Thursday, 12 July 2007 20:42, John Hasler wrote:
>
>> Alan Adams writes:
>>> If the hashed version contains less information than the original
>>> password, doesn't this imply that there is more than one possible
>>> password which will hash to the same result?
>>
>> Yes, of course. As a result the search space is reduced slightly. It is
>> still, however, in the bajillions. It's a good tradeoff.
>
> So we have bajillions of different passwords all given the same hash?
> I don't think so... how does the system know you typed the exact password
> when there are so many others that generate the same hash?
> Can't be...
>
http://en.wikipedia.org/wiki/Hash_collision

Collision resistance is described in the above article as weak or strong,
with strong collision resistance being a desirable feature of any
cryptographic hashing function.

--
Douglas Mayne
John Hasler
(Msg. 34) Posted: Thu Jul 12, 2007 4:12 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

Alan Adams writes:
> If the hashed version contains less information than the original
> password, doesn't this imply that there is more than one possible
> password which will hash to the same result?

I wrote:
> Yes, of course. As a result the search space is reduced slightly. It is
> still, however, in the bajillions. It's a good tradeoff.

ArameFarpado writes:
> So we have bajillions of different passwords all given the same hash?

No. You have bajillions of possible passwords only a very small fraction
of which will produce the correct hash. This means that an attacker must
search through jillions of possible passwords before finding one that
produces the correct hash: an impossible task.

> i don't think so... how does the system knows you typed the exact
> password when there is so many others that generates the same hash?

The system never knows that you typed the exact password that you used to
generate the hash, nor do you want it to. It knows only that you typed a
password that generates the correct hash.
--
John Hasler
john DeleteThis @dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA
ArameFarpado
(Msg. 35) Posted: Thu Jul 12, 2007 5:47 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On Thursday, 12 July 2007 22:26, John Hasler wrote:

> I wrote:
>> Yes, of course. As a result the search space is reduced slightly. It is
>> still, however, in the bajillions. It's a good tradeoff.
>
> ArameFarpado writes:
>> So we have bajillions of different passwords all given the same hash?
>
> No. You have bajillions of possible passwords only a very small fraction
> of which will produce the correct hash. This means that an attacker must
> search through jillions of possible passwords before finding one that
> produces the correct hash: an impossible task.
Then, if the hash could be read and analysed, it would narrow it to a few
possibilities... but yes, the hash cannot be read easily.

>
>> i don't think so... how does the system knows you typed the exact
>> password when there is so many others that generates the same hash?
>
> The system never knows that you typed the exact password that you used to
> generate the hash, nor do you want it to. It knows only that you typed a
> password that generates the correct hash.
Is there an idea of how many different passwords will collide in the same
hash?
Just to have an idea.

Regards
John Hasler
(Msg. 36) Posted: Thu Jul 12, 2007 5:47 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

ArameFarpado writes:
> Then, if the hash could be read and analysed, it would narrow it to a few
> possibilities...

No it would not.

> Is there an idea of how many different passwords will collide in the same
> hash? Just to have an idea.

Please read up on how this works. There is plenty about it on the Web.
--
John Hasler
john.DeleteThis@dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA
ArameFarpado
(Msg. 37) Posted: Thu Jul 12, 2007 6:01 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On Thursday, 12 July 2007 22:18, Keith Keller wrote:

> in the situation where sudo has a 5 minute timeout, that's a relatively
> small window in which a trojan can do its damage.
could be more than enough

> But it doesn't allow
> an admin to do whatever he wants and not worry about security!
in ubuntu, by default, everything is done with sudo.

> As an aside, processes can't actually read the sudo timestamps, so
> trojans actually need to attempt a sudo (with sudo -l, for example) in
> order to test whether sudo works. Since sudo attempts are logged, a
> sysadmin (yes, even the only owner of a home system) can monitor these
> attempts to detect a running trojan.
Ah, yes. I did some tests a while ago:
I don't have sudo configured, there isn't a single sudoer in my system, only
apt doesn't let me uninstall it, or I would have to uninstall more things
that I need (like foomatic), so I tried to use it, to see how it reacts.. it
said that the "incident will be reported", ok, but reported where?
after that I logged in a konsole as root and no warning came...
are you expecting that the common home user will be checking log files?

you've got to see, I'm not worried about expert users or network administrators,
my worries go to the common home user, and I am not worried for my
security, but others'...

>> Facilities like this lower security, and I think sudo should not be
>> used, at least the way some distros are configuring it by default.
>
> You could lobby individual distributions to disable the sudo timestamp,
> or you could post instructions on how to configure sudo for this
> functionality.
I might do that, since I post on a blog... but if a distro comes out using
defaults like this and only a small portion read newsgroups or blogs, I can't
do much.


> (If the user didn't want to be prompted he could sudo su,
> with all the caveats that brings.) But I really think you should try to
> better understand how all of these mechanisms work together before
> commencing such a campaign; otherwise, distribution maintainers will
> ignore (or ridicule) your suggestion.
ok.
Keith Keller
(Msg. 38) Posted: Thu Jul 12, 2007 6:01 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On 2007-07-12, ArameFarpado <a-farpado.spam.DeleteThis@netcabo.pt> wrote:
> On Thursday, 12 July 2007 22:18, Keith Keller wrote:
>
>> in the situation where sudo has a 5 minute timeout, that's a relatively
>> small window in which a trojan can do its damage.

> could be more than enough

Yes, it could.

>> But it doesn't allow
>> an admin to do whatever he wants and not worry about security!

> in ubuntu, by default, everything is done with sudo.

In any distro, the admin can modify sudoers, to the point of never
allowing it.

> I don't have sudo configured, there isn't a single sudoer in my system, only
> apt doesn't let me uninstall it, or I would have to uninstall more things
> that I need (like foomatic), so I tried to use it, to see how it reacts.. it
> said that the "incident will be reported", ok, but reported where?

In your system logs, most likely in /var/log/ .

> are you expecting that the common home user will be checking log files?
[...]
> you've got to see, I'm not worried about expert users or network administrators,
> my worries go to the common home user, and I am not worried for my
> security, but others'...

The common home user should check his logs. This applies to any OS, not
just Ubuntu. There are many nice logfile analyzers which will distill
syslog activity in a simple(r) format for a common home user to read.
LogWatch comes with CentOS; I don't know what's available OOTB for
Ubuntu.

--keith

--
kkeller-usenet.DeleteThis@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
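Keith's "in your system logs" answer in working form. This is an added example, not code from the thread or from the sudo project: it scans syslog-style sudo lines and pulls out the failures ("incident will be reported") together with the `sudo -l` probes his earlier post says a trojan must make to learn whether the timestamp is live. The log lines are constructed for the example; the field layout (`user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=`) and `COMMAND=list` for `sudo -l` are this example's assumptions about sudo's syslog format and may differ between sudo versions.

```python
"""Find the 'incident will be reported' entries in a syslog-style sudo log.

Added example, not code from the thread or from the sudo project. The log
lines are constructed to match the sudo syslog format as this example's
author understands it (user : [reason ;] TTY= ; PWD= ; USER= ; COMMAND=);
exact wording varies by sudo version, and 'COMMAND=list' for sudo -l is
assumed. Feed it /var/log/auth.log or journalctl output on a real system.
"""
import re
from collections import Counter

# Constructed sample lines; not captured from a real system.
SAMPLE_LOG = """\
Jul 12 16:09:01 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jul 12 16:09:40 box sudo:    alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jul 12 16:10:02 box sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=list
Jul 12 16:10:05 box sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jul 12 16:11:30 box sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su
Jul 12 16:12:00 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=list
Jul 12 16:12:30 box sshd[812]: Accepted publickey for alice from 10.0.0.5 port 50222
"""

# The optional "reason ;" field only appears when sudo refused the request.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s+:\s+(?:(?P<reason>[^;]*?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return the fields of one sudo syslog line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """'ok' for a permitted command, 'probe' for sudo -l (COMMAND=list) by a
    permitted user, otherwise the kind of failure sudo reported."""
    reason = entry["reason"]
    if reason is None:
        return "probe" if entry["cmd"] == "list" else "ok"
    if "NOT in sudoers" in reason:
        return "not_in_sudoers"
    if "incorrect password" in reason:
        return "bad_password"
    if "not allowed" in reason:
        return "not_allowed"
    return "other_failure"


def summarize(log_text):
    """Count events per (user, kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry:
            counts[(entry["user"], classify(entry))] += 1
    return counts


def suspicious(counts, threshold=1):
    """Everything except plain 'ok': failures, plus 'list' probes, because a
    trojan that cannot read the timestamp has to ask sudo whether it is live."""
    return sorted((user, kind, n) for (user, kind), n in counts.items()
                  if kind != "ok" and n >= threshold)


if __name__ == "__main__":
    for user, kind, n in suspicious(summarize(SAMPLE_LOG)):
        print(f"{user:8} {kind:16} x{n}")
```

On the sample this reports bob's two "NOT in sudoers" attempts, alice's password failures and refused `/bin/su`, and alice's `sudo -l` probe; a successful `apt-get` run is left out. A LogWatch-style summary is just this loop run daily over the real log.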
ArameFarpado
(Msg. 39) Posted: Thu Jul 12, 2007 8:44 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On Friday, 13 July 2007 00:21, John Hasler wrote:

>> so, picking up a hash and turning it upside-down won't give you the
>> password but it narrows it to a small list of possibilities.
>
> It does not. Possessing the hash gives you only a target for trial and
> error.
Are you saying that mathematical operations, however complex they are,
cannot be done in reverse? Sorry, but I don't buy that, it is against
mathematical laws.

>> by the way, do we have a point when a user account is blocked because of
>> bad passwords?
>
> There is a delay after each login failure. This limits the rate at which
> passwords can be tried.
That is just about 1 or 2 seconds for each e attempts... it should have
bigger delays growing in proportion to the number of failed attempts.

Regards
John Hasler
(Msg. 40) Posted: Thu Jul 12, 2007 8:44 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

ArameFarpado writes:
> Are you saying that mathematical operations, however complex they
> are, cannot be done in reverse? Sorry, but I don't buy that, it is
> against mathematical laws.

You need to study more math, especially hash functions and cryptography. I
suggest that you start here:
<http://en.wikipedia.org/wiki/Cryptographic_hash_function>

> That is just about 1 or 2 seconds for each e attempts... it should have
> bigger delays growing in proportion to the number of failed attempts.

Not needed. There are only 31,536,000 seconds in a year.
--
John Hasler
john.DeleteThis@dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA
Keith Keller
(Msg. 41) Posted: Thu Jul 12, 2007 8:44 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On 2007-07-13, ArameFarpado <a-farpado.spam.DeleteThis@netcabo.pt> wrote:

> Are you saying that mathematical operations, however complex they are,
> cannot be done in reverse? Sorry, but I don't buy that, it is against
> mathematical laws.

You don't buy that? Okay, here you go: If x and y are real
numbers, and x + y = 42, then what's x? The hashing function
is similar: easy to compute forward, exceedingly difficult to
compute backwards.

--keith

--
kkeller-usenet.DeleteThis@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
ArameFarpado
(Msg. 42) Posted: Thu Jul 12, 2007 8:45 pm
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On Friday, 13 July 2007 01:44, ArameFarpado wrote:
> That is just about 1 or 2 seconds for each e attempts...

mistype... sorry

That is just about 1 or 2 seconds for each 3 attempts...
Doug Freyburger
(Msg. 43) Posted: Fri Jul 13, 2007 4:36 am
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

ArameFarpado <a-farpado.s....RemoveThis@netcabo.pt> wrote:
>
> passwords are stored in /etc/passwd or /etc/shadow, encrypted? Yes.
> but the decrypting sequence is also stored in the system, or else not even
> the system could read it.

UNIX passwords have not been reverse engineered in 40 years.
More than once they have been switched to stronger encryption
to ensure they can't be beaten in under a year by brute force
attacks. If you're the one to beat them, go for it. But you have
already mentioned elsewhere in the thread that you lack the
mathematical background to be able to do so. Yet because you
lack the mathematical background to do so you think someone
else can. No they can't.

> no idea? Google for "recover root password" and you will find how to do it:
>
> --computer A had its root password forgotten.
>
> --copy files /etc/passwd and /etc/shadow of computer B to a usb-pen.
>
> --boot computer A with a live-cd.
>
> --replace existing files on disk with the ones on the pen.
>
> --now, the root password of computer A is the same as computer B's

The flaw in your approach - Show me a remote cracker with physical
access to my hosts. With physical access I don't even need the
passwd and shadow files from some other host. All I need to do is
boot from a CDROM and I can edit those files to remove the password.
That approach never tells you a password it just sets it.

Configure sudo to give root without a password and your objections
are valid. Don't do that. Configure sudo to ask for your password,
and how is a cracker that gained access to your account going to
know your password? Only root can set passwords without knowing
the previous one.

> do you guys think I'm some newbie that doesn't know what he is talking about?

Absolutely. That's quite clear. You're mixing arguments that require
physical access with ones available to remote crackers among other
flaws.
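Keith's suggestion to disable the timestamp (Msg. 31) and Doug's warning above about giving root without a password, put into a check. This is an added example, not code from the thread or from the sudo project: a small audit over sudoers text that reports the effective `timestamp_timeout`, every `NOPASSWD` grant, and any rule that hands a non-root user a shell or `ALL` (the "sudo su" window the thread keeps returning to). The sudoers text is constructed; the 5 minute default when `timestamp_timeout` is unset is assumed from sudoers(5) and a distribution may build in a different value; the parser handles the common line shapes only, not the full sudoers grammar.

```python
"""Audit a sudoers file for the settings argued over in this thread: the
credential timestamp (timestamp_timeout), NOPASSWD grants, and rules that
hand a user a shell or ALL (the 'sudo su' window Keith describes).

Added example, not code from the thread or from the sudo project. It
understands only the common line shapes (Defaults, Defaults:user, and
user/group command specs), not the full sudoers grammar, and assumes the
sudoers(5) default of 5 minutes when timestamp_timeout is unset; a
distribution may compile in a different default.
"""
import re

# Constructed sudoers text for the example; not any real system's file.
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults env_reset
Defaults:alice timestamp_timeout=0
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
carol   ALL=(root) /usr/bin/apt-get, /bin/su
"""

DEFAULT_TIMESTAMP_TIMEOUT = 5.0   # minutes; assumed build default per sudoers(5)

DEFAULTS_RE = re.compile(r"^Defaults(?::(?P<scope>\S+))?\s+(?P<opts>.+)$")
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Commands that amount to an interactive root shell once the timestamp is live.
SHELL_CMDS = {"ALL", "/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash"}


def strip_comments(text):
    """Drop blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def timestamp_timeouts(lines):
    """Map scope ('*' for global, or a user/%group) to the timeout in minutes."""
    timeouts = {"*": DEFAULT_TIMESTAMP_TIMEOUT}
    for ln in lines:
        m = DEFAULTS_RE.match(ln)
        if not m:
            continue
        for opt in m.group("opts").split(","):
            opt = opt.strip()
            if opt.startswith("timestamp_timeout="):
                timeouts[m.group("scope") or "*"] = float(opt.split("=", 1)[1])
    return timeouts


def findings(text):
    """Return (severity, who, message) tuples for the risky settings."""
    lines = strip_comments(text)
    out = []
    timeouts = timestamp_timeouts(lines)
    if timeouts["*"] != 0:
        out.append(("info", "*",
                    f"password cached for {timeouts['*']:g} min after each sudo; "
                    "'Defaults timestamp_timeout=0' disables the cache"))
    for ln in lines:
        if ln.startswith("Defaults"):
            continue
        m = SPEC_RE.match(ln)
        if not m:
            continue
        who, cmds = m.group("who"), m.group("cmds")
        cmd_list = [c.strip() for c in cmds.replace("NOPASSWD:", "").split(",")]
        if "NOPASSWD:" in cmds:
            out.append(("high", who,
                        "NOPASSWD: any process running as this user is root "
                        "without a password, with no timestamp window at all"))
        shells = sorted(SHELL_CMDS & set(cmd_list))
        if shells and who != "root":
            out.append(("medium", who,
                        f"may run {', '.join(shells)}: a trojan can take a root "
                        "shell while the cached credential is valid"))
    return out


if __name__ == "__main__":
    for sev, who, msg in findings(SAMPLE_SUDOERS):
        print(f"[{sev}] {who}: {msg}")
```

On the sample, `%wheel` is the high finding Doug warns about, `%admin` and `carol` get the medium "root shell inside the window" finding, and the global 5 minute cache is reported even though `alice` has it turned off for herself. Run it on a copy of the real file (`visudo -c` first if you edit it), not on the live one.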
ArameFarpado
(Msg. 44) Posted: Fri Jul 13, 2007 10:00 am
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

On Friday, 13 July 2007 04:51, Keith Keller wrote:

>> Are you saying that mathematical operations, however complex they
>> are, cannot be done in reverse? Sorry, but I don't buy that, it is
>> against mathematical laws.
>
> You don't buy that? Okay, here you go: If x and y are real
> numbers, and x + y = 42, then what's x?
Doesn't matter at all, if only the hash is tested for a match, all possible
results going backwards are valid results

x & y could be 30+12, 40+2, 10+32, no matter... going this way and after
several operations you will get to lots of valid possibilities

> The hashing function
> is similar: easy to compute forward, exceedinly difficult to
> compute backwards.
but there is no need to find the exact starting point, all of the possible
results are valid.

I really can't see how an equation can be not reversible when it doesn't
matter if you go back by the same path you came forward in the first place.
I see no difference starting with "qwertyuiopeer123", processing to a hash,
picking the hash, reversing the process and getting to "m839nsk9" (among
others), if both passwords collide in the same hash.

I say: if you know the hash, and know the sequence of operations, you can go
back... you will never know what password was inserted in the beginning,
but you will get more than one valid password, and I bet every result
you'll get will be valid as a password.

only the hash is tested for a match!

regards
John Hasler
(Msg. 45) Posted: Fri Jul 13, 2007 10:00 am
Post subject: Re: Regarding sudo
Archived from groups: per prev. post

ArameFarpado writes:
> I really can't see how an equation can be not reversible when it doesn't
> matter if you go back by the same path you came forward in the first
> place. I see no difference starting with "qwertyuiopeer123", processing to
> a hash, picking the hash, reversing the process and getting to "m839nsk9"
> (among others), if both passwords collide in the same hash.

Here is an md5sum: 4d5fcfe735a39ff224d7cf2bac0d8aa7 Reverse it. You
have the source for the program and the algorithm is extensively documented
on the Web.

> i say: if you know the hash, and know the sequence of operations, you can
> go back... you will never know what password was inserted in the
> beguinning, but you will get more than one valid passwords, and i bet
> every result you'll get will be valid for password.

People with PhDs in cryptography disagree with you. Post your source code
and you'll soon be rich and famous.
--
John Hasler
john.RemoveThis@dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA
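The hash argument that runs through Msgs. 34, 39 to 41 and 44 to 45 above, as an added example that is not code from the thread: the candidate search that is the only generic way to "reverse" a hash (John's "target for trial and error", Keith's x + y = 42), a truncated-hash experiment that shows where collisions do and do not turn up (the "less information than the password" question), and the guesses-per-year arithmetic behind John's 31,536,000 seconds and the login delay. MD5 is used only because the md5sum challenge in the thread uses it; it is not acceptable for new designs, but the one-way argument is the same for any cryptographic hash. The passwords, alphabet and delay figures are constructed inputs, and nothing here attempts John's posted digest.

```python
"""Why a stored hash is only a target for trial and error, not something you
run backwards, and what the rate limit on login does to that trial.

Added example, not code from the thread. It uses MD5 via hashlib because the
thread's md5sum challenge does (MD5 is not acceptable for new designs, but the
one-way argument is the same for any cryptographic hash) and constructed
inputs only; the per-attempt delay is a parameter, not a measured value.
"""
import hashlib
import itertools
import string

SECONDS_PER_YEAR = 31_536_000   # 365 * 24 * 3600, the figure quoted in the thread


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def preimage_by_search(target_hex, alphabet, max_len):
    """The generic way to 'reverse' a hash: hash candidates until one matches.
    Returns (candidate, attempts); candidate is None if the space is exhausted.
    Cost grows as len(alphabet) ** max_len, which is the whole point."""
    attempts = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            attempts += 1
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def collisions_at_bits(bits, n_samples):
    """Keep only `bits` bits of MD5 and count inputs that land on a value
    already seen. With few bits, collisions are everywhere (a short hash does
    hold less information than the password); with all 128 bits none appear
    in any sample we can afford, which is why a matching hash still means
    'the password' in practice."""
    mask = (1 << bits) - 1
    seen, hits = set(), 0
    for i in range(n_samples):
        digest = hashlib.md5(f"pw{i}".encode()).digest()
        h = int.from_bytes(digest, "big") & mask
        if h in seen:
            hits += 1
        seen.add(h)
    return hits


def online_guesses_per_year(delay_seconds, attempts_per_delay=1):
    """Guesses an attacker gets in a year against a login that sleeps
    delay_seconds after every attempts_per_delay failures."""
    return int(SECONDS_PER_YEAR / delay_seconds * attempts_per_delay)


if __name__ == "__main__":
    target = md5_hex("4217")                              # constructed 4-digit PIN
    print(preimage_by_search(target, string.digits, 4))   # ('4217', 5328)
    print(collisions_at_bits(8, 1000), collisions_at_bits(128, 5000))
    print(online_guesses_per_year(2, 3), "guesses/year at 3 tries per 2 s")
```

Two things to notice when running it: the 4-digit search finds the PIN after a few thousand hashes and the same loop over 8 mixed-case characters would need on the order of 10^14, which is the difference between "reversible by trial" and "impossible task" in John's words; and the online budget is tens of millions of guesses a year even at three tries per two seconds, so the delay only helps once the password is not in the first few million an attacker would try.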
All times are Pacific Time (US & Canada).
Page 3 of 4

 