Password Prompt - Turning it Off in RH 4.0?


Post by Jay T » Sat, 04 Jan 1997 04:00:00



Hi,

This has been bugging me ever since I installed Red Hat 4.0.

My system is used by me alone, so I do not need to have password
security for my login's or su's.  With RH 3.0.3, I simply edited out
the password fields from /etc/passwd, and it worked fine.  The 'login'
program asked for a username, I simply typed that in and hit Return.
'login' did not ask for a password, and simply accepted the login.
Similarly, the 'su' program would also not bother to ask.

With 4.0, even if I set the password to null, the login and su programs
ask for a password, even though there isn't one.  They will accept
either a null string or *any* string as a valid password.

Is this a bug?  Is there any way to turn this off, as in other UNIX
variants that I've used in the past?

- Jay Ts

 
 
 


Post by lilo » Sat, 04 Jan 1997 04:00:00



> Hi,

> This has been bugging me ever since I installed Red Hat 4.0.

> My system is used by me alone, so I do not need to have password
> security for my login's or su's.  With RH 3.0.3, I simply edited out
> the password fields from /etc/passwd, and it worked fine.  The 'login'
> program asked for a username, I simply typed that in and hit Return.
> 'login' did not ask for a password, and simply accepted the login.
> Similarly, the 'su' program would also not bother to ask.

I see that your message was posted from within
linux. I don't know about you but I don't want
just anybody logging onto my machine while I'm
connected to my isp. And if you have no password
on any of your machine accounts, anybody who sniffs
out your ip number can easily login, do anything they
want, maybe even grab the password to your isp
account.

And if you want to live without passwords, just how
hard is it to hit return when you're prompted for a
password?

 
 
 


Post by Subhas R » Sat, 04 Jan 1997 04:00:00



> This has been bugging me ever since I installed Red Hat 4.0.

> My system is used by me alone, so I do not need to have password
> security for my login's or su's.  With RH 3.0.3, I simply edited out
> the password fields from /etc/passwd, and it worked fine.  The 'login'
> program asked for a username, I simply typed that in and hit Return.
> 'login' did not ask for a password, and simply accepted the login.
> Similarly, the 'su' program would also not bother to ask.

> With 4.0, even if I set the password to null, the login and su programs
> ask for a password, even though there isn't one.  They will accept
> either a null string or *any* string as a valid password.

Instead of fighting security mechanisms, you can use the sudo program.
Download the sudo-1.5.3 rpm from Red Hat's ftp site. I found it handy.

Quote from README:

The sudo philosophy: Sudo is a program designed to allow a sysadmin to
give limited root privileges to users and log root activity.  The
basic philosophy is to give as few privileges as possible but still
allow people to get their work done.

 
 
 


Post by David Manda » Sat, 04 Jan 1997 04:00:00





>> > Hi,

>> > This has been bugging me ever since I installed Red Hat 4.0.

>> > My system is used by me alone, so I do not need to have password
>> > security for my login's or su's.  With RH 3.0.3, I simply edited out
>> > the password fields from /etc/passwd, and it worked fine.  The 'login'
>> > program asked for a username, I simply typed that in and hit Return.
>> > 'login' did not ask for a password, and simply accepted the login.
>> > Similarly, the 'su' program would also not bother to ask.

You'll need to read up on the pam.conf and the pam authorization scheme. I
don't quite understand it but I have found it overrides almost every security
measure on the system (tries to make it stronger).
For example the .rhosts files did not work until I discovered the necessary
entry that needed to be changed in the pam.conf file.

Good Luck, wish I could help more, but I don't fully understand all that the
PAM system does as yet.

/*************************************************************
 David Mandala      Them Productions       San Francisco, CA

*************************************************************/

 
 
 


Post by Jay T » Sat, 04 Jan 1997 04:00:00




> > Hi,

> > This has been bugging me ever since I installed Red Hat 4.0.

> > My system is used by me alone, so I do not need to have password
> > security for my login's or su's.  With RH 3.0.3, I simply edited out
> > the password fields from /etc/passwd, and it worked fine.  The 'login'
> > program asked for a username, I simply typed that in and hit Return.
> > 'login' did not ask for a password, and simply accepted the login.
> > Similarly, the 'su' program would also not bother to ask.

> I see that your message was posted from within
> linux. I don't know about you but I don't want
> just anybody logging onto my machine while I'm
> connected to my isp. And if you have no password
> on any of your machine accounts, anybody who sniffs
> out your ip number can easily login, do anything they
> want, maybe even grab the password to your isp
> account.

As I acknowledged in my reply to the email copy of this, I appreciate
your concern very much.  However, the likelihood of someone being able
to do this is extremely minor, considering that I have a dynamic IP
address, which changes every time I call up.

If someone were to break into my system, there is really nothing here
that I would mind losing.  In fact, they could just ask for it, and I
would probably just give it to them!

The most damage they could do here would be to cause me to reinstall
Linux and restore from my recent backup.  So what?

Even if someone were to break into my ISP account, what are they going
to do?  Change my account password?  I would find out very quickly, and
fix it.  Steal some hours on my account?  Well, it happens that my home
page is the "account stats" page at my ISP!  I would notice, and quickly
change my password at the ISP.

OK, I am not a newcomer to UNIX/Linux.  (How many of you were using UNIX
Version 7 in 1981?  Actually, that is not a rhetorical question -- I'm
curious!)  I understand the value of having good security where it is a
benefit.  The thing is, having security where it is not useful simply
makes the computer harder to use.  That is not a benefit, just a "pain".

What really bugs me about my current problem is that I am asked for a
password when there *isn't* one, and I am very sure I don't *want* one!

It is really stupid!  I can type *anything* at the password prompt, and
it will be accepted.

Now, if you think about it, this is actually EXTREMELY POOR SECURITY!
What if someone breaks into a system with multiple users and a *need*
for security, and simply edits out the root password.  The superuser is
probably in the habit of quickly and *correctly* typing in the root
password, and will not even notice that there's something wrong!!!

Great, now in my effort to run a security-free Linux system, I've
discovered a (minor) security hole in Linux.  Should I report this?
Well, I just did ... consider this the report.

Hopefully, they will *not* fix this by ABSOLUTELY REQUIRING passwords in
all cases!  Please! ;-)

The way it worked in Interactive 386/ix was there was a config file for
the 'login' program, where I could simply set

PASSWDREQ=NO

That was very nice!

- Jay Ts
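
The post above points out that an emptied password field can go unnoticed on a multi-user system. As an added example (not part of the thread; the function names and sample files are constructed for illustration), this shell check lists accounts whose password field is empty in passwd(5)- and shadow(5)-format files:

```shell
#!/bin/sh
# Added example (not from the thread): flag accounts whose password field is
# empty in passwd(5)/shadow(5)-format files. All sample data is constructed.

# audit_empty_passwords PASSWD_FILE [SHADOW_FILE]
# Prints one line per passwordless account; returns 1 if any were found.
audit_empty_passwords() {
    awk -F: -v shadow="${2:-/dev/null}" '
        /^[ \t]*(#|$)/ { next }                    # skip comments, blank lines
        FILENAME == shadow {                       # first input: shadow entries
            if (NF >= 2) { have[$1] = 1; hash[$1] = $2 }
            next
        }
        NF < 2 { next }                            # malformed passwd line
        $2 == "" {                                 # field edited out of passwd
            print $1 ": empty password field in passwd"; bad = 1; next
        }
        $2 == "x" && have[$1] && hash[$1] == "" {  # shadowed, but hash is empty
            print $1 ": empty password field in shadow"; bad = 1
        }
        END { exit bad + 0 }
    ' "${2:-/dev/null}" "$1"
}

# Constructed sample files so the check can be run without touching /etc.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root::0:0:root:/root:/bin/bash
jay:x:500:500:Jay:/home/jay:/bin/bash
daemon:*:2:2:daemon:/sbin:
ftp:x:14:50:FTP User:/home/ftp:
EOF
    cat > "$1/shadow" <<'EOF'
root:ignored-because-passwd-field-is-not-x:10000:0:99999:7:::
jay::10000:0:99999:7:::
ftp:*:10000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_empty_passwords "$demo_dir/passwd" "$demo_dir/shadow" ||
    echo "passwordless accounts found"
rm -rf "$demo_dir"
```

Run against the real files (reading the shadow file needs root), the non-zero return status makes the check usable from cron or a login-time script.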

 
 
 


Post by John Hende » Mon, 06 Jan 1997 04:00:00



>With 4.0, even if I set the password to null, the login and su programs
>ask for a password, even though there isn't one.  They will accept
>either a null string or *any* string as a valid password.

Why don't you just spawn bash from inittab instead of getty? Problem
solved. ;)

If you want the shell to be under your user id, have inittab run a
script that does su your_id -c /bin/bash

Turn off telnet and other net access to your computer, leave a real
password on your account, and the machine will be about as secure as you
appear to want it to be.

--
      Artificial Intelligence stands no chance against Natural Stupidity.
                GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
                     b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*

 
 
 


Post by v.. » Tue, 07 Jan 1997 04:00:00




>> Hi,

>> This has been bugging me ever since I installed Red Hat 4.0.

>> My system is used by me alone, so I do not need to have password
>> security for my login's or su's.  With RH 3.0.3, I simply edited out
>> the password fields from /etc/passwd, and it worked fine.  The 'login'
>> program asked for a username, I simply typed that in and hit Return.
>> 'login' did not ask for a password, and simply accepted the login.
>> Similarly, the 'su' program would also not bother to ask.

Well just copy the old login and su programs that don't ask for a password
when there is none. You can get them from any linux distribution.

bye Paul

 
 
 


Post by Michael Andrew Iverso » Wed, 08 Jan 1997 04:00:00





> > > Hi,

> > > This has been bugging me ever since I installed Red Hat 4.0.

> > I see that your message was posted from within
> > linux. I don't know about you but I don't want
> > just anybody logging onto my machine while I'm
> > connected to my isp. And if you have no password
> > on any of your machine accounts, anybody who sniffs
> > out your ip number can easily login, do anything they
> > want, maybe even grab the password to your isp
> > account.

> As I acknowledged in my reply to the email copy of this, I appreciate
> your concern very much.  However, the likelihood of someone being able
> to do this is extremely minor, considering that I have a dynamic IP
> address, which changes every time I call up.

A little story:

A few years ago here at OSU, a friend of mine was upgrading his linux
box to slackware 1.2 or something like that. At the time,
slackware did not force you to set a root password. While he was
getting things up and running, he had forgotten to set it.

Now, he was logged in to a SLIP server with dynamic addresses, reading his
email. While he was doing this, someone found his IP address, logged in as
root, put a password sniffer on his user account, and got his user
password.

This turned out to be the same password that he used on the departmental
machines. The cracker then logged into the departmental machines, and by
exploiting a few SunOS security holes, gained root access. He then
installed another password sniffer.

By the time things were sorted out, this individual had the unencrypted
passwords of over 250 users, including the root password!

If I were you, I'd at least spend some time restricting services in
inetd.conf.

--

| Department of Electrical Engineering, The Ohio State University |
|                                                                 |
| http://er4www.eng.ohio-state.edu/~iversonm/                     |

 
 
 


Post by Jay T » Thu, 09 Jan 1997 04:00:00






> > > > This has been bugging me ever since I installed Red Hat 4.0.
> > > > [login program prompts for password, even when there isn't one!]
> > > I don't know about you but I don't want
> > > just anybody logging onto my machine while I'm
> > > connected to my isp.

> [story intro snipped]
> Now, he was logged in to a SLIP server with dynamic addresses, reading his
> email. While he was doing this, someone found his IP address, logged in as
> root, put a password sniffer on his user account, and got his user
> password. [etc.]
> If I were you, I'd at least spend some time restricting services in
> inetd.conf.

Better yet, I'm not running inetd at all now, so I really, really, don't
need to use account passwords on my system.  But I'm still stuck with
them.

Can I assume that nobody knows how to disable the login passwords
*completely* (including the prompt for a null password) from RH 4.0?

I would still like to do this...

Jay Ts

 
 
 


Post by John Steve » Sat, 01 Feb 1997 04:00:00




>As I acknowledged in my reply to the email copy of this, I appreciate
>your concern very much.  However, the likelihood of someone being able
>to do this is extremely minor, considering that I have a dynamic IP
>address, which changes every time I call up.

Sorry, this turns out not to be the case.

I have a linux system that I use on-line, and six times in the past
month, people have tried to log-on to my system across the internet.

Fortunately, I have lots-a-loggin turned on, and I notice such messages.

Oh, and BTW, I use PPP with dynamic IP assignment as well.

>The most damage they could do here would be to cause me to reinstall
>Linux and restore from my recent backup.  So what?

Hey, security is up to you.  But please don't think that just because
your IP Address changes every time you log onto your ISP, you are safe.

As a side note, why is it that most of the "random" FTP probes into
my system try to log-on using warez?

John S.

 
 
 
