New user - root password problems

34 respuestas [Último envío]
amenex
Desconectado/a
se unió: 01/03/2015

After spending a month trying other distro's, I searched "free linux distributions" and found Trisquel, downloaded the 32=bit iso, burned it to a DVD, and made a quasi-successful installation in next to to time at all.

However, after downloading & installing about 35 applications, authenticating as I went along with what I thought was my username (george - not Administrator or root) and the password Trisquel asked me to associate with "george" at the beginning of the installation, and while I was configuring HPLIP to communicate with my network printer, only then was I asked for a root password - which I did not have - and the password associated with "george" was of no use.

I searched here, found "Lost Password" and bit the bullet: I re-installed Trisquel.

All went well until the installation finished and I eagerly entered "sudo cat /etc/grub.d/01_PASSWORD" only to be met with:
echo set superuser=grub
echo password grub #####

I'm surprised to find in a linux distro, a five digit numerical password ...

I cannot find any place where ##### works, and when I look in User Accounts, I'm the Administrator.

I am still using my "george" password ... what exactly do I have to do now ? I suppose that if I change my user status from Administrator to "Standard" (which is what I tried the first time around) I'll then be forced to use my root password to authenticate further downloads/installations, but I'm going to wait to hear from other users before I try to find out whether that five-digit number is what I should actually be using.

lembas
Desconectado/a
se unió: 05/13/2010

Hi there! :)

Trisquel uses sudo, so it's your password all the time. There root password is locked by default as you can see in /etc/shadow.

The GRUB password mentioned in /etc/grub.d/01_PASSWORD works in ... GRUB!

Perhaps you should ask specific help with what you're actually trying to do.

amenex
Desconectado/a
se unió: 01/03/2015

Years ago, when I first set up a non-free OS on my laptop PC, one of the very first things it did was ask me to set an administrative password. I know this because that password appears near the top of the page of notes that I kept at the time.

Trisquel 7.0 didn't do this, and even after a second install, I am still befuddled by the oblique manner in which the matter of setting a root password is approached in Trisquel 7.0.

OK - I understand what you're saying is that this teeny little 9999-steps-to-break five-digit grub password is what I am to use to log into the second item displayed in the grub menu on restart. Even that item is not called "enter root console," but something like "perform advanced Trisquel tasks," even though it is just a terminal.

What I now specifically want to know is this: Is that second item in the grub menu the root terminal, and can I use it to set a root password that I can later use to perform these advanced tasks while running in a GUI interface ?

This is a security issue, as that five-digit grub password is hopelessly weak.

oysterboy

I am a member!

I am a translator!

Desconectado/a
se unió: 02/01/2011

Hello amenex,

The following page may clear things up as far as root password management in Ubuntu (and therefore Trisquel) is concerned:

https://help.ubuntu.com/community/RootSudo

The GRUB password is something else entirely.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

The GRUB password only is useful at the bootloader, before any operating system is booted. If you have access to the bootloader interface, then you have a physical access to the computer and there basically is no security (you can boot a live system and do whatever you want). In other words, the GRUB password is useless. I would even say it is an annoyance when a broken system is to be recovered. That is why, on my systems, I commented all lines in /etc/grub.d/01_PASSWORD. Notice that the developers of GNU GRUB do not say otherwise ( https://www.gnu.org/software/grub/manual/grub.html#Security ):

By default, the boot loader interface is accessible to anyone with physical access to the console: anyone can select and edit any menu entry, and anyone can get direct access to a GRUB shell prompt. For most systems, this is reasonable since anyone with direct physical access has a variety of other ways to gain full access, and requiring authentication at the boot loader level would only serve to make it difficult to recover broken systems.

If you want potential robbers of your physical disk to not be able to read your data, then encrypt the /home partition (and the swap partition if you have one). Again: the GRUB password is no security.

Once the operating system is booted, the GRUB password is totally useless. As other users explained you, Trisquel does not have a root user by default. You just precede commands with 'sudo' when a user with administrative privileges has to perform some administrative tasks. His/her password is then asked (it must be a good password: http://www.baekdal.com/insights/password-security-usability) and administrative tasks can only be performed during a short period of time (five minutes is the default I believe) without reentering the password. It is therefore more secure than a root terminal.

Anyway you can get a root terminal if you wish:
$ sudo -i

You can even get a root user if you really want to. Just give that user a password:
$ sudo passwd root

amenex
Desconectado/a
se unió: 01/03/2015

I switched to the "advanced" mode on rebooting by using "grub" as the username and that ##### password, and it presented me with another Trisquel bootup, where I just added my usual "george" password at login ... outwardly nothing different.

Running in standard mode, this is what I had seen:

george@amenex:/etc/sudoers.d$ sudo adduser george sudo
The user `george' is already a member of `sudo'.
george@amenex:/etc/sudoers.d$ sudo adduser root admin
adduser: The group `admin' does not exist.

Running in "advanced" mode, this it what I then got (note the "~" that now appears before $):

george@amenex:~$ sudo adduser george sudo
[sudo] password for george:
The user `george' is already a member of `sudo'.
george@amenex:~$ sudo adduser root admin
adduser: The group `admin' does not exist.
george@amenex:~$ adduser root admin
adduser: Only root may add a user or group to the system.

Looks like a "Catch-22" to me.

Bear in mind that the file /etc/sudoers has the following line:
%admin ALL=(ALL) ALL

But it does have another line that I need to look up:
Defaults mail-badpass

OK ... So I have to run as Administrator all the time. How is that an improvement over *indows, where running the OS as Administrator is strongly deprecated, and running as a User is relatively more secure ? In Trisquel, anyone who breaks my password gets access to sudo by default, so long as he knows enough to prepend "sudo" to any command ? Any time that the Trisquel OS asks me for a root password, that seems to be an unintended bug in the system; when things are working OK, Trisquel asks for "Authentication" where I am to enter my ordinary login password because "sudo" is automatically prepended to the "Authenticate" query. There is no root protection, it seems to me.

That's not to say that I dislike Trisquel ... the Ubuntu USB-pendrive "live" installation works the same way by default, and that scares me, too.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Your user "george" has administrative privileges as long as he preceded his commands with 'sudo'. Whenever he does that his password is asked unless he executed another command with 'sudo' little time ago. If 'sudo' does not precede a command requiring administrative privileges (the last command you show us) then the command is aborted. You do *not* "run as Administrator all the time". This is what *you* observed. There is *no* problem. Also, there is no "admin" group on your system (the 'adduser' command is pretty clear about that). This is normal.

Of course, if an attacker discovers george's password, then she got administrative privileges too. But the same holds if this attacker discovers root's password in a system where root is the one only user who performs administrative tasks. There is no reason it would be harder to discover george's password rather than root's. Quite the opposite in fact: because he has to remember two (rather than one) passwords, there is a good chance that george chose weaker passwords!

amenex
Desconectado/a
se unió: 01/03/2015

Regarding Magic Banana's comment:

> ... there is a good chance that george chose weaker passwords!

You betcha ! I'm betting that my router's security gives me the degree of protection that I need.

How secure is the "automatic login" feature ? If that has some security, then I can upgrade my "george" password to "awesome" status and not have to leave it pasted at the top of my keyboard ...

And then what happens when my screen locks up while I'm researching a topic on another computer ? When I re-up the screen, does it just go right back to the unlocked state without any password input from me ?

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

As I already wrote: there is no security when the attacker has a physical access to the hardware. He can read the disk in a variety of ways... as long as the data are unencrypted. Automatic login and an absence of locking after inactivity make no
difference for a remote attack. As a consequence, they do not really weaken the security.

They are psychological incentives for your co-workers or your family not to look at your data/activities when you are AFK (a little more effort is required: burning a live system on a USB drive for instance).

amenex
Desconectado/a
se unió: 01/03/2015

Just a note: My reply #5 was started before #4 came to light, but finished after that, so I didn't read it before publishing my #5 reply. That said, we seem to be in complete aggreement.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

You should really listen to what people here are telling you: we are in complete *disagreement*:

  • You thought that the GRUB password was too weak and I answered that you do not need any password at all;
  • You thought that administration through 'sudo' is unsafe and I answered that it is more secure because it is limited in time (contrary to logging in as "root").
amenex
Desconectado/a
se unió: 01/03/2015

You may not believe this, but I have been trying to understand the system. I was a long-time (ca. 15 years) debian user who never had any difficulties with using sudo and who doesn't even remember having to do anything as root. I got along fine with sudo apt-get update and sudo apt-get upgrade until each successive incarnation of debian came along, whereupon I found the need for expensive but productive professional help. I would have been better off each time buying a new hard drive, loading the new version of the OS from an iso-derived Installation DVD, and then re-importing all my files from the former hard drive. That is my plan for my laptop PC running a proprietary OS, made more urgent because of its failing hard drive. The drawback (if that is what it is) is the long file-transfer process.

I think what we both are saying is that the "advanced" login in my grub menu is of no use at all, as I can do everthing good or bad that I want by invoking sudo. Mine is a sole-operator installation with administrative tasks needed every few years at worst. That was my debian experience. I used sudo apt-get install only from the debian repository, and that kept me out of trouble until the new distro's came along and I was kicked out of the abandoned ones.

Forty-eight years of dealing with MAD, Fortran, Basic, TruBasic and such development languages have convinced me to stay away from Administrator tasks as much as possible.

Thanks for all your quick and responsive replies.

We should be able to call this thread "solved" now !

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

I do not know what is this "advanced" thing. I do not remember having that (and do not want to reboot just to see).

It is common to have an entry where the kernel is booted with the keyword 'single'. It directly brings a root terminal. It is called the "recovery mode" because it aims to repair a broken system. It is useful when all administrative users forgot their passwords too. You should obviously not boot such an entry unless you need to.

Anyway, Trisquel does not have such an entry by default even if, in my opinion, having it helps the recovery from problems and does not weaken the security (no remote access is possible when the bootloader interface is available and there is no security when a physical access is available). That is why, on my systems, I edit /etc/default/grub to comment the following line:
GRUB_DISABLE_RECOVERY="true"

amenex
Desconectado/a
se unió: 01/03/2015

Waitaminnit ... Magic Banana said:

> Anyway you can get a root terminal if you wish:
>> $ sudo -i

That's nice to know, though I'd be scared to use it; that fifteen (or five) minute rule is a good safeguard for us forgetful sudo-user folks.

> You can even get a root user if you really want to. Just give that user a password:
>> $ sudo passwd root

How can that "root" password be any improvement, as there is no "admin" file, and so "root" is just another user, as in "Charlie Root" ? Even with an awesome password, a hacker would do just as well with sudo and my ordinary password as with "root" and that awesome password, but my username and password would be a whole lot easier to break.

That's not to be argumentative ... just pointing out that the legendary linux security is at risk in Trisquel.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

I am confused. Do you like sudo's losing of the administrative permissions after some time? Then why do you want a root user?

"root" cannot be a limited user. It always is the name of a user with *all* permissions. If you give a password to the user "root" then you end up on a system where a user named root can log in and do anything.

"admin" is a group in some GNU/Linux systems. I do not even know its purpose. This group does not exist on Trisquel.

The security in Trisquel is *not* "at risk".

amenex
Desconectado/a
se unió: 01/03/2015

Magic Banana asked:

> I am confused. Do you like sudo's losing of the administrative permissions after some time? Then why do you want a root user?

Aha. Only because of that bug in HPLIP wherein it asked for my root password when it wanted to go to a third-party (actually an HP site) location to retrieve a missing driver. Until that happened, there was no need for root access in the thirty-five Application downloads that preceded it. In the process of trying to satisfy that request, I hosed my Admunstrator status in User Accounts by changing my status from Administrator (which I was appalled to see all of a sudden after all the previous requests for a user password during Authentications) to User, which killed both accounts and precipitated my having to reinstall Trisquel. I have learned at least one lesson: don't install Applications until all these Installation woes have been addressed.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

That driver (I guess it actually is a firmware) certainly is non-free. Otherwise Trisquel would distribute it as well.

SuperTramp83

I am a translator!

Desconectado/a
se unió: 10/31/2014

>If 'sudo' does not precede a command requiring >administrative privileges (the last command you show us) >then the command is aborted. You do *not* "run as >Administrator all the time".

Thanks god for that! I mean that is the essence of the gnu sec!

Doing administrative tasks with sudo is not a problem at all as long as you know what you are doing.
Never login as root and never use the root (there's a reason why root is not enabled) and give your user the least privileges it needs for its computing.
The less privileges the better!
This is the main reason why gnu has had some 40 malwares (
none of it in the wild and almost all designed just for educational/theoretical reasons) and windblowz which gives the normal user God power has had what? 82734982378935729 ?!

p.s - good passwords are necessary (necessary as in FUNDAMENTAL) - make that password very hard to guess or crack!! and make it complex and long - a psswd long 16 characters is much much harder to crack then one with 8 characters. The difference is the short one, if it is not very complex, can be cracked is hours while the long and complex one can take months! or never get cracked at all..

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Here is a link about what is a good password (not only hard to break, i.e. long, but easy to remember too): http://www.baekdal.com/insights/password-security-usability

Here is a way to generate a good password with three American-English words of at most five characters each (you can obviously change the command to get more words/characters or to pick the words in another dictionary):
$ cut -d / -f 1 /usr/share/hunspell/en_US.dic | awk 'length <= 5' | shuf | head -3 | tr '\n' ' '

You can execute the command repeatedly until it outputs a password you like. Here are he five first passwords it has just output on my machine:
Ghent deign Anson
fez Aldo pleat
Swiss duchy Ebony
Timmi green Cher
toyer class Rossi

rakyi
Desconectado/a
se unió: 05/09/2014

According to Bruce Schneier, "string together individual words like 'correcthorsebatterystaple' -- is no longer good advice".

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

I am not convinced. Let say that the attacker knows that I use three random words among those with at most five characters in /usr/share/hunspell/en_US.dic (that is quite a piece of information!). There are 12266 such words:

$ cut -d / -f 1 /usr/share/hunspell/en_US.dic | awk 'length <= 5' | wc -l
12266

Assuming shuf's shuffle really is random (it actually is pseudo-random but how on earth can the attacker knows anything on the state of my system when I created my password?), that make 12266 * 12265 * 12264 = more than 1845 billions possible passwords. Considering "eight million guesses per second", that is 2.7 days to try them all; about half that (still more than a day) to find mine. I do not think the data behind my password are worth such an effort (how much energy is consumed to try eight million passwords for more than a day?).

If your data are worth that, then use four words! Keeping at most five characters per word, that makes 12266 * 12265 * 12264 * 12263 = more than 22,625,562 billions possible passwords. With the total knowledge of the generation process and the same crazy guessing power as considered earlier, it will take about 45 years to find the password. Almost twice the times it takes to find "tlpWENT2m" (example given in https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html ) by brute-force on the characters (assuming an alphabet of 62 characters: all Latin letters, capital letters, and the numbers).

Anyway, Bruce Schneier's way to generate a password is good too. The question is: is it easier to remember three/four random words spelled normally or a full sentence + arbitrary transformations of the initials (into capital letters, numbers and special characters)? I do not know.

onpon4
Desconectado/a
se unió: 05/30/2012

I recently started using KeePassX. It's much easier to memorize one absurdly long password than dozens of moderate-length passwords.

The only weakness of this method is that your passwords end up on your clipboard. Not a problem if, like me, you reject all dynamically loaded JavaScript, but if you don't, that JavaScript code can pull your password from your clipboard. So I'm in the habit of selecting some word or character on the page and copying it to the clipboard after I've entered a password.

rakyi
Desconectado/a
se unió: 05/09/2014

Thank you for taking the time to respond. I did a bit more research on the topic and now I'm not convinced either. I wonder why he says what he says then.

I have been using "correcthorsebatterystaple" method before and from now on I will resume doing so.

SuperTramp83

I am a translator!

Desconectado/a
se unió: 10/31/2014

use a word or two words that are in no dictionary in the world (it is easy to come with a few trust me), use numbers and special characters also.
I can come up with a pretty good passwd and remember it straight away in just a few minutes of time (one or two minutes).

example - it would be no good for magicbanana to use: b@n@n@123

easy to remember but easy to crack also!

much better and yet easy to remember:
13bononKJoj@13

this way you remember the sound of the word bononkioia (it works good for me) and a number .. easy and rather safe.
Sure it is better to make it more complex than that!

alimiracle
Desconectado/a
se unió: 01/18/2014

for generate a good password
I make this
http://sourceforge.net/projects/rosepasswordsgenerator/

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

How is it generated?

alimiracle
Desconectado/a
se unió: 01/18/2014

its based on random numbers Algorithm
and Time is used as seed

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Given the conversation here, my question was "is every single character random?" (very hard to remember) or "a concatenation of words?" or "based on words + substitutions" or "sentence-based?" or ... ?

alimiracle
Desconectado/a
se unió: 01/18/2014

> Given the conversation here, my question was "is every single character random?" (very hard to remember) or "a concatenation of words?" or "based on words
yes every single character random
its 2 version
"Letters and numbers" and "letters only"
and It can determine the length
BTW, You have a strange name

onpon4
Desconectado/a
se unió: 05/30/2012

There are already tons of programs that do that. KeePassX, for example.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Who needs a specific program? Just use /dev/urandom (here for 12 alphanumeric characters):
$ tr -cd a-zA-Z0-9 < /dev/urandom | head -c 12

alimiracle
Desconectado/a
se unió: 01/18/2014

I made this when I was a user' to Solaris

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Solaris has had /dev/urandom for more than 12 years: https://blogs.oracle.com/yenduri/entry/dev_random_in_solaris

alimiracle
Desconectado/a
se unió: 01/18/2014

> Solaris has had /dev/urandom for more than 12 years
!!!

I did not notice this hahahaha
BTW, I miss Solaris

amenex
Desconectado/a
se unió: 01/03/2015

OK -I'm convinced. The only reason for worrying about root passwords did not come up after my second DVD-install of Trisquel - That pesky HPLIP application never asked for it, and I got CUPS configured w/o any hassles.

So if any other application wants a root password, I'll stop that install or remove it.

Until then, sudo and my router's firewall should suit me fine.

My inmotionhosting ISP has a password-generating engine that can produce some nasty-looking swearwords, full of all the characters on my keyboard ...

Thanks to all for this spirited discussion.