Sunday, September 13, 2009

The Password Rumour for Ubuntu ;)

Just so you know :)

The rumour goes: by default, Ubuntu has a root password; they just don't tell the user what it is. Some versions of the rumour claim it is a randomly generated one.

The truth is that there is no root password at all, and that is not the same thing as "the password is carriage return" (an empty password, a usage RMS tried to popularize at MIT). Take a look at /etc/shadow, if you will (sudo less /etc/shadow). On a default install, the first few lines will look something like this:
root:*:14438:0:99999:7:::
daemon:*:14438:0:99999:7:::
bin:*:14438:0:99999:7:::
sys:*:14438:0:99999:7:::
sync:*:14438:0:99999:7:::
Contrast this with the line containing your user's name.
test:$6$.XQFA5P3$JYH9CpZS00DUAPDXcxc5qzP2vaNLrGj2TB5dlLj6rEVCOMpTt5XmFH7eL2TiDtXGApTknWhO6phpGyuac3DCU.:14470:0:99999:7:::

What is different? The second field (the part after the first ":") is a "*" for those system users and a long jumble of numbers and letters for the human user. The "*" means that no string will ever match, so the account cannot log in using a password ("!" has the same effect; that is what passwd -l puts there). The long jumble of numbers and letters is a salted hash of the user's password: the $6$ prefix names the algorithm, the .XQFA5P3 between the second and third "$" is the salt, and the rest is the hash. In this test user's case, it is a hash of the string "password". If you're interested in the other fields, see man 5 shadow.

This password has been hashed with SHA-512, as evidenced by the $6$ at the start of the field. See man crypt for a list of other possible prefixes. Note that $1$ means MD5, a fast hash that is cheap to brute-force and has been rather thoroughly broken. Since 8.10, SHA-256 ($5$) and SHA-512 ($6$) are available and will be used if you reset your password. If you've still got an MD5 hash in there, it's likely a good idea to do so, if only because it means you haven't changed your password recently enough.
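To make the field layout above concrete, here is an added example (not code from the original post) that parses shadow-style lines, tells locked accounts from ones with a usable hash, and names the crypt(3) algorithm from the prefix. The sample data is constructed from the lines shown on this page plus two invented entries, "olduser" with a made-up MD5 ($1$) hash and "former", the same hash after passwd -l; neither is a real hash of anything.

```python
"""Audit /etc/shadow entries: locked vs. usable password hashes, and which
crypt(3) algorithm each usable hash uses.

Added example, not from the original post. SAMPLE_SHADOW is constructed:
the first six lines come from the page, the last two are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# crypt(3) prefixes (see man crypt). $1$ is MD5 and should be retired.
HASH_PREFIXES = {
    "$1$": "MD5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
    "$y$": "yescrypt",
}

# Constructed sample; the 'olduser'/'former' hashes are placeholders.
SAMPLE_SHADOW = """\
root:*:14438:0:99999:7:::
daemon:*:14438:0:99999:7:::
bin:*:14438:0:99999:7:::
sys:*:14438:0:99999:7:::
sync:*:14438:0:99999:7:::
test:$6$.XQFA5P3$JYH9CpZS00DUAPDXcxc5qzP2vaNLrGj2TB5dlLj6rEVCOMpTt5XmFH7eL2TiDtXGApTknWhO6phpGyuac3DCU.:14470:0:99999:7:::
olduser:$1$abcdefgh$ijklmnopqrstuvwxyz0123:14000:0:99999:7:::
former:!$1$abcdefgh$ijklmnopqrstuvwxyz0123:14000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    last_change: Optional[int]  # days since the epoch; None if unset

    @property
    def locked(self) -> bool:
        # '*' or a leading '!' can never match any password; passwd -l
        # prefixes '!' to the existing hash so it can be unlocked later.
        return self.hash_field.startswith(("*", "!"))

    @property
    def algorithm(self) -> str:
        for prefix, name in HASH_PREFIXES.items():
            if self.hash_field.startswith(prefix):
                return name
        # A bare 13-character field is traditional DES crypt.
        return "DES" if len(self.hash_field) == 13 else "unknown"


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse the nine colon-separated fields of each shadow(5) line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {raw!r}")
        last_change = int(fields[2]) if fields[2] else None
        entries.append(ShadowEntry(fields[0], fields[1], last_change))
    return entries


def audit(text: str) -> dict[str, str]:
    """Map each user to 'locked', 'EMPTY', or the hash algorithm name."""
    result: dict[str, str] = {}
    for e in parse_shadow(text):
        if e.hash_field == "":
            # An empty field means no password is required at all, which
            # is the dangerous case the '*' entries are often confused with.
            result[e.user] = "EMPTY"
        elif e.locked:
            result[e.user] = "locked"
        else:
            result[e.user] = e.algorithm
    return result


def weak_accounts(text: str) -> list[str]:
    """Users whose password field invites guessing: empty, DES, MD5, unknown."""
    return [u for u, state in audit(text).items()
            if state in ("EMPTY", "DES", "MD5", "unknown")]


def root_accepts_password(text: str) -> bool:
    """True only if root has a usable hash or an empty password field."""
    state = audit(text).get("root")
    return state is not None and state != "locked"


if __name__ == "__main__":
    import sys
    # Run as: sudo python3 shadow_audit.py /etc/shadow (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, state in audit(data).items():
        print(f"{user:10} {state}")
    print("root accepts a password:", root_accepts_password(data))
```

Run it against the real file with sudo and the default install reports root as "locked" and your own account as SHA-512; anything listed by weak_accounts is a candidate for an immediate passwd.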
This rumour usually comes up in the context of someone pointing out that, as a remote attacker, you can guess that root has all the power, so all that is needed is to brute-force root's password. In Ubuntu's default setup this won't work, because there is no password that would succeed, no matter how long you spend generating new passwords to try. Instead, the attacker would need to guess the correct combination of a user who has sudo access and that user's password, which is harder, since every candidate username multiplies the search space. Note that the lock only blocks password authentication: root is still reachable through sudo, and an SSH key placed in /root/.ssh/authorized_keys would still work, so keep an eye on that file too. Well-meaning but misguided folks, attempting to protect us Ubuntu users from a false sense of security, then warn us that no, we're wrong, Ubuntu does have a root password. Well, the evidence is in /etc/shadow for all to see. Ubuntu has a locked root account, just the same as if one were to run sudo passwd -l root (see man passwd).

If you have any suggestions, leave them as comments :)
