Very Computer

Hi,

This has been bugging me ever since I installed Red Hat 4.0.

My system is used by me alone, so I do not need to have password
security for my login's or su's.  With RH 3.0.3, I simply editted out
the password fields from /etc/passwd, and it worked fine.  The 'login'
program asked for a username, I simply typed that in and hit Return.
'login' did not ask for a password, and simply accepted the login.
Similarly, the 'su' program would also not bother to ask.

With 4.0, even if I set the password to null, the login and su programs
ask for a password, even though there isn't one.  They will accept
either a null string or *any* string as a valid password.

Is this a bug?  Is there any way to turn this off, as in other UNIX
variants that I've used in the past?

- Jay Ts

And if you want to live without passwords, just how
hard is it to hit return when your prompted for a
password?

Quote:> This has been bugging me ever since I installed Red Hat 4.0.

> My system is used by me alone, so I do not need to have password
> security for my login's or su's.  With RH 3.0.3, I simply editted out
> the password fields from /etc/passwd, and it worked fine.  The 'login'
> program asked for a username, I simply typed that in and hit Return.
> 'login' did not ask for a password, and simply accepted the login.
> Similarly, the 'su' program would also not bother to ask.

> With 4.0, even if I set the password to null, the login and su programs
> ask for a password, even though there isn't one.  They will accept
> either a null string or *any* string as a valid password.

Quote from README:

The sudo philosophy: Sudo is a program designed to allow a sysadmin to
give limited root privileges to users and log root activity.  The
basic philosophy is to give as few privileges as possible but still
allow people to get their work done.

Good Luck, wish I could help more, but I don't fully understand all that the
PAM system does as yet.

/*************************************************************
 David Mandala      Them Productions       San Francisco, CA

*************************************************************/

If someone were to break into my system, there is really nothing here
that I would mind losing.  In fact, they could just ask for it, and I
would probably just give it to them!

The most damage they could do here would be to cause me to reinstall
Linux and restore from my recent backup.  So what?

Even if someone were to break into my ISP account, what are they going
to do?  Change my account password?  I would find out very quickly, and
fix it.  Steal some hours on my account?  Well, it happens that my home
page is the "account stats" page at my ISP!  I would notice, and quickly
change my password at the ISP.

OK, I am not a newcomer to UNIX/Linux.  (How many of you were using UNIX
Version 7 in 1981?  Actually, that is not a rhetorical question -- I'm
curious!)  I understand the value of having good security where it is a
benefit.  The thing is, having security where it is not useful simply
makes the computer harder to use.  That is not a benefit, just a "pain".

What really bugs me about my current problem is that I am asked for a
password when there *isn't* one, and I am very sure I don't *want* one!

It is really stupid!  I can type *anything* at the password prompt, and
it will be accepted.

Now, if you think about it, this is actually EXTREMELY POOR SECURITY!
What if someone breaks into a system with multiple users and a *need*
for security, and simply edits out the root password.  The superuser is
probably in the habit of quickly and *correctly* typing in the root
password, and will not even notice that there's something wrong!!!

Great, now in my effort to run a security-free Linux system, I've
discovered a (minor) security hole in Linux.  Should I report this?
Well, I just did ... consider this the report.

Hopefully, they will *not* fix this by ABSOLUTELY REQUIRING passwords in
all cases!  Please! ;-)

The way it worked in Interactive 386/ix was there was a config file for
the 'login' program, where I could simply set

PASSWDREQ=NO

That was very nice!

- Jay Ts

Quote:>With 4.0, even if I set the password to null, the login and su programs
>ask for a password, even though there isn't one.  They will accept
>either a null string or *any* string as a valid password.

If you want the shell to be under your user id, have inittab run a
script that does su your_id -c /bin/bash

Turn off telnet and other net access to your computer, leave a real
password on your account, and the machine will be about as secure as you
appear to want it to be.

--
      Artificial Intelligence stands no chance against Natural Stupidity.
                GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
                     b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*

bye Paul

A few years ago here at OSU, a friend of mine was upgrading his linux
box to slackware 1.2 or something like that. At the time,
slackware did not force you to set a root password. While he was
getting things up and running, he had forgotten to set it.

Now, he was logged in to a SLIP server with dynamic addresses, reading
his
email. While he was doing this, someone found his IP address, logged in
as
root, put a password sniffer on his user account, and got his user
password.

This turned out to be the same password that he used on the departmental
machines. The cracker then logged into the departmental machines, and by
exploited a few SunOS security holes, gained root access. He then and
installed another password sniffer.

By the time things were sorted out, this individual had the unencrypted
passwords of over 250 users, including the root password!

If I were you, I'd at least spend some time restricting services in
inetd.conf.

--

| Department of Electrical Engineering, The Ohio State University |
|                                                                 |
| http://er4www.eng.ohio-state.edu/~iversonm/                     |

Can I assume that nobody knows how to disable the login passwords
*completely* (including the prompt for a null password) from RH 4.0?

I would still like to do this...

Jay Ts

I have a linux system that I use on-line, and six times in the past
month, people have tried to log-on to my system across the internet.

Fortunately, I have lots-a-loggin turned on, and I notice such messages.

Oh, and BTW, I use PPP with dynamic IP assignment as well.

Quote:>The most damage they could do here would be to cause me to reinstall
>Linux and restore from my recent backup.  So what?

As a side note, why is it that most of the "random" FTP probes into
my system try to log-on using warez?

John S.