Install CD wish: sshd started, no root password scrambling

[Cossins]

Hi there,
What are the pros and cons of having the LiveCD start sshd automatically and to make it not scramble the root password?
This would make it so much easier installing Gentoo on my new server, as I wouldn't have to connect monitor and keyboard to set things up...

Surely, there is a security risk... But how much sensitive data is really stored on a server about to install a new operating system?
It could be noted somewhere that if you want real security, you should change the root password immediately after logging in...

(the default password could be "gentoo" or something)

Thoughts?

- Simon

[MrWorf]

I agree, it would help alot. Especially when installing on old and slow machines. You don't want to hog that screen that you won't be using with the computer anyway.

[PowerFactor]

To be honest the idea scares me a little. For most of us it wouldn't be a much of a security risk at all. I myself woul never leave a newly installed machine open to the internet and noone else usually had physical access to my lan.

But I'm thinking of the total linux newbie who lives in a dorm with a direct connection to the internet. He/she doens't have a hardware firewall, has no idea about rootkits. Somehow he misses/ignores the step about seting the root password in the begining so he has an open ssh server with no password on the root account for the whole time he is doing a stage1 install. So someone finds his box he has a rooted box from the very begining wreaking havok on the network till the admins cut him off. Not very likeley I know but still. It wouldn't take many to give gentoo a bad name with the admins at that university.

How about this instead. I don't know how to implement this but it might not be too hard. Still scramble the root password by default but have an optional configuration floppy which would allow you to specify a root password among possibly other things. Yeah I know just leaving the root password blank would be easier. It's just a thought.

[MrWorf]

But I'm thinking of the total linux newbie who lives in a dorm with a direct connection to the internet. He/she doens't have a hardware firewall, has no idea about rootkits. Somehow he misses/ignores the step about seting the root password in the begining so he has an open ssh server with no password on the root account for the whole time he is doing a stage1 install.

This could be easily fixed by forcing the user at the first logon to change password. As for the floppy, good idea, but all of my machines (servers and desktops) are floppy-less, so it wouldn't work very well in my case. And using a CD-R with custom settings or so wouldn't be very convinient (I know, spelled it wrong ).[/quote]

[Cossins]

MrWolf's suggestion seems like a really good idea! It could easily be fixed with a little bash scripting...

Also, the root password should never be blank... My suggestion was that it could be "gentoo" or "larrythecow" or something, which would make a difference (though not secure enough, still harder to break than blank...)

- Simon

[Lovechild]

You are to lazy to type passwd ?

I really like the security addons on the livecd..

[balk]

Hi there,
What are the pros and cons of having the LiveCD start sshd automatically and to make it not scramble the root password?
This would make it so much easier installing Gentoo on my new server, as I wouldn't have to connect monitor and keyboard to set things up...

Surely, there is a security risk... But how much sensitive data is really stored on a server about to install a new operating system?
It could be noted somewhere that if you want real security, you should change the root password immediately after logging in...

(the default password could be "gentoo" or something)

Thoughts?

- Simon

Can't you hack the iso yourself? I don't have a clue about how the boot cd works but I'm sure it is documented somewhere. Mount the iso, set the rootpasswd to something only you know, setup the network and start sshd. Now burn it and boot from the cd and use your nice ssh connection.

[Cossins]

Lovechild >> The point is that I don't want to connect keyboard and monitor to install Gentoo...

Maybe I'd be able to hack it myself... I'll give it a try once I find the time...

- Simon

[nerdbert]

sshd could just as well be used with a random password, which will be displayed after it has started. So you just write it down, hit ctrl+l and go to the box from which you want to ssh your new setup.

[lisa]

This would make it so much easier installing Gentoo on my new server, as I wouldn't have to connect monitor and keyboard to set things up...

Last I checked the ssh daemon wasn't started automatically. How would you start it with no keyboard?

[puggy]

If you really need this I thnk it wouldn't be a big job to hack the livecd, get it to start sshd on boot and have a password set to your preference. Of course, it relies on the livecd picking up your network card and setting up networking perfectly.

The benefit of doing this yourself is that the security issue is nullified by the fact that you set the password yourself. You could also enable login on the livecd for the first tty as well, then if someone waltzed along and found your machine which your installing over ssh they couldn't just start erasing things, although they could just pull the power cable.



Puggy

[Cossins]

lisa >> With an init script...

[puggy]

lisa >> With an init script...

....which would require hacking of the livecd to implement... and your back to the start again....

Puggy

[madchaz]

I voted no. but the real awnser from me would be yesno

Basicaly, having SSHD installed, but not started, on the live cd, would be interesting.

I know for me it's the very first thing I install. That way I can work remotly. However, having a standard root password is a BAD idea. A lot of people will just keep it. That makes for very weak security. It's not as if it is hard to change it yourself. It's even explained in the procedure how.

What I would like to see is a compromise. Have SSH installed, but we'd have to manualy start it. Say, with a simple command like startssh or something the like.

that way, we need minimum intervention on the machine itself then we can work remotly.

[piquadrat]

Out of the passwd man:

If you wish to immediately expire an account's password, you can use the -e option. This in effect can force a user to change his/her password at the user's next login.

Couldn't this be used to set the password of root to gentoo or something and require him to change it at first login (through ssh or whatever)?

[puggy]

I voted no. but the real awnser from me would be yesno

Basicaly, having SSHD installed, but not started, on the live cd, would be interesting.

I know for me it's the very first thing I install. That way I can work remotly. However, having a standard root password is a BAD idea. A lot of people will just keep it. That makes for very weak security. It's not as if it is hard to change it yourself. It's even explained in the procedure how.

What I would like to see is a compromise. Have SSH installed, but we'd have to manualy start it. Say, with a simple command like startssh or something the like.

that way, we need minimum intervention on the machine itself then we can work remotly.

The livecd has an ssh server. It's the first thing it tells you about once you login and the simple command is

Code: Select all

/etc/init.d/sshd start

after doing

Code: Select all

passwd

of course.

I believe the point of contention here is whether you should be able to put a livecd into a machine with no input or output devices and get it to launch sshd automatically so you can login without any local interaction at all.

Puggy

[puggy]

Out of the passwd man:

If you wish to immediately expire an account's password, you can use the -e option. This in effect can force a user to change his/her password at the user's next login.

Couldn't this be used to set the password of root to gentoo or something and require him to change it at first login (through ssh or whatever)?

What if someone else logged in first? It would only take a few seconds (if that) for an experienced hacker to set something in motion that would echo your password you set when you get around to loging in or whatever.

Puggy

[MrWorf]

What if someone else logged in first? It would only take a few seconds (if that) for an experienced hacker to set something in motion that would echo your password you set when you get around to loging in or whatever

Uhm, then I think you have bigger problems

Btw, would it be possible to pickup on the fact that no keyboard is attached? I seem to remember that the kernel cries a little when no keyboard is present during boot. Now, if we could utilize this information, the livecd would then choose a preset password (gentoo or whatever, maybe specific for each release?) and then FORCE the first login (via SSHd which was started automatically aswell since no keyboard was present) to change the password, and it should NOT allow empty passwords or the same, etc.

Ofcourse, this would probably involve alot more than a simple change to the init scripts, but you get the best of both worlds me thinks.

As an added bonus, the computer should begin beeping if no network settings were picked up, to let you know that sshd is futile at this point.

/MrWorf - Just full of ideas today

[puggy]

Btw, would it be possible to pickup on the fact that no keyboard is attached? I seem to remember that the kernel cries a little when no keyboard is present during boot. Now, if we could utilize this information, the livecd would then choose a preset password (gentoo or whatever, maybe specific for each release?)....

Then it might as well always be set static and you just use it to login locally instead.

...and then FORCE the first login (via SSHd which was started automatically aswell since no keyboard was present) to change the password, and it should NOT allow empty passwords or the same, etc. Ofcourse, this would probably involve alot more than a simple change to the init scripts, but you get the best of both worlds me thinks.

As an added bonus, the computer should begin beeping if no network settings were picked up, to let you know that sshd is futile at this point.

/MrWorf - Just full of ideas today

This makes no difference. If someone else managed to log in before you did then you'd still have your security compromised. The beeping would also be useless probably as most remote installs I suspect will be, errr, remote.

Puggy

[Jimbow]

I've been thinking about doing this hack myself. Clearly we still need the current "secure" LiveCD. But a LiveCD that starts up sshd with a known root password would be mighty handy to have around.

I've got a 200 MHz P III that I run sans keyboard and screen. It is on a local net so I am not worried about badies cracking in. But now, if I want to boot off of the LiveCD (which is very handy on occasion) I've got to haul out a keyboard, monitor and mouse, clear off a space on my desk, etc.

[MrWorf]

Then it might as well always be set static and you just use it to login locally instead.

Uhm, wouldn't that defeat the whole idea of remote logon/install? The difference with a remote install contra local is that when it is remote, the computer probably doesn't have a keyboard or screen. So a static password is less dangerous (but still not good security) than on a local install where someone could potentially do some harm.

Ofcourse, when the password is preset, there should be NO local login, since there is no keyboard.

This makes no difference. If someone else managed to log in before you did then you'd still have your security compromised. The beeping would also be useless probably as most remote installs I suspect will be, errr, remote.

The reason for the beeps was to provide a solution to "what if it doesn't pickup the network when booting?" question. And often, since you physically have to insert the CD somehow, you'd probably be able to hear the beeps. Or you would when you walked back to see why you couldn't logon remotely.

One way to add more security is to somehow make the LiveCD a multisession one, first, you burn the ISO, then you add a second session where the required SSH key is. This way, you could have a remote install. You don't need a floppy nor any kind of loose security. When the LiveCD boots, if it finds the second session (or whatever), it should go into remote mode.

But all in all, I doubt it will be worth the trouble

I've got a 200 MHz P III that I run sans keyboard and screen. It is on a local net so I am not worried about badies cracking in. But now, if I want to boot off of the LiveCD (which is very handy on occasion) I've got to haul out a keyboard, monitor and mouse, clear off a space on my desk, etc.

I know the feeling, did that just some weeks ago

[puggy]

Then it might as well always be set static and you just use it to login locally instead.

Uhm, wouldn't that defeat the whole idea of remote logon/install? The difference with a remote install contra local is that when it is remote, the computer probably doesn't have a keyboard or screen. So a static password is less dangerous (but still not good security) than on a local install where someone could potentially do some harm.

If the password is preset there might as well be no password as it'll make no difference to the hacker. Hence there is no point in only using a static login for the remote install as long as the local interface is logged out on boot.

Ofcourse, when the password is preset, there should be NO local login, since there is no keyboard.

There isn't necessarily no keyboard.

This makes no difference. If someone else managed to log in before you did then you'd still have your security compromised. The beeping would also be useless probably as most remote installs I suspect will be, errr, remote.

The reason for the beeps was to provide a solution to "what if it doesn't pickup the network when booting?" question. And often, since you physically have to insert the CD somehow, you'd probably be able to hear the beeps. Or you would when you walked back to see why you couldn't logon remotely.

Fair enough.

One way to add more security is to somehow make the LiveCD a multisession one, first, you burn the ISO, then you add a second session where the required SSH key is. This way, you could have a remote install. You don't need a floppy nor any kind of loose security. When the LiveCD boots, if it finds the second session (or whatever), it should go into remote mode.

That's not a bad idea, but you might as well just stick your key on the livecds main session, and while your there you might as well set the password,and enable sshd to boot on startup by default.

But all in all, I doubt it will be worth the trouble

It's actually rather easy

I've got a 200 MHz P III that I run sans keyboard and screen. It is on a local net so I am not worried about badies cracking in. But now, if I want to boot off of the LiveCD (which is very handy on occasion) I've got to haul out a keyboard, monitor and mouse, clear off a space on my desk, etc.

I know the feeling, did that just some weeks ago

See above link.

[MrWorf]

If the password is preset there might as well be no password as it'll make no difference to the hacker. Hence there is no point in only using a static login for the remote install as long as the local interface is logged out on boot.

I'm not sure if we mean the same thing. I meant that when in remote mode, there should be no local console at all.

One way to add more security is to somehow make the LiveCD a multisession one, first, you burn the ISO, then you add a second session where the required SSH key is. This way, you could have a remote install. You don't need a floppy nor any kind of loose security. When the LiveCD boots, if it finds the second session (or whatever), it should go into remote mode.

That's not a bad idea, but you might as well just stick your key on the livecds main session, and while your there you might as well set the password,and enable sshd to boot on startup by default.

Okay, that would work too, if you have the means to do it. This will not work from ... ahem ... windows
Also, the multisession part has the advantage that when a new version of the livecd is released, you just tack on the extra session (that you did a couple of versions ago) and presto, new livecd with remote install

[smouge]

would like to see this.

Makes it a lot easier to install a new server remtely, with the option to be able to reboot the server during the install if necessary.

Security? Well we can access the network from outside by citrix and from citrix with putty into the server we are installing.

Right now I'm installing a server a home, doing the partitions and setting up EVMS, but it seems I need to reboor for the kernel to read the new disc table. But i'm stuck because after rebooting the live cd there is no more ssh . Sniff...

[mpsii]

No root scrambling would be great! There is no security in the install cdrom anyway. Scrambling the root password just makes you have to type "passwd root" before you can use other terminals.

sshd started by default would be great for headless installs. The way to find the box is check the dhcp server for an unknown host name and ssh to it. I have done two installs remotely now on boxes I intended to be headless. It would have been nice not to have to hook up the mon/key/mouse just to change the root password and start sshd.

BTW... I had created a boot cd using the provided tools that did this, but the cdrom cracked and I no longer have the image. BUT, doing this by default makes sense. 90% of install is not security conscious anyway...