This is a discussion on Password problem within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Marv Soloff <msoloff@worldnet.att.net> wrote:
> paul wisehart wrote:
>> Delete the hashed password entry for root. (Not the whole line, just
>> the part that represents the password.)
>>
>> Now when you reboot, root has a blank password.
>>
>> note: You should really only do that if you just forgot your password,
>> not if you got cracked.
> Does not work - used vi to delete hashes on both etc/passwd and
> etc/shadow. Thanks anyway.

Then check that root has a valid shell:

$ cat /etc/passwd | grep root
root:x:0:0::/root:/bin/bash

$ fgrep bash /etc/shells
/bin/bash

$ file /bin/bash
/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), stripped

And just to make sure, verify that some files have not been tampered with:

$ md5sum /sbin/agetty
847fbda23fabc4ffcf707e3a4f9137c2 /sbin/agetty

$ md5sum /bin/login
4156e28bcd2dc3de538e248acdb3e661 /bin/login

$ md5sum /bin/bash
ec9b6ff6623ce2fe84bed8f8bdd45432 /bin/bash

The above checksums are for a Slackware 10.2 installation, you should have
the same checksums.

regards Henrik

-- 
The address in the header is only to prevent spam.
My real address is: hc8(at)uthyres.com
Examples of addresses which go to spammers:
root@variousus.net root@localhost

Henrik Carlqvist wrote:
> Marv Soloff <msoloff@worldnet.att.net> wrote:
>
>> paul wisehart wrote:
>>
>>> Delete the hashed password entry for root. (Not the whole line, just
>>> the part that represents the password.)
>>>
>>> Now when you reboot, root has a blank password.
>>>
>>> note: You should really only do that if you just forgot your password,
>>> not if you got cracked.
>
>> Does not work - used vi to delete hashes on both etc/passwd and
>> etc/shadow. Thanks anyway.
>
> Then check that root has a valid shell:
>
> $ cat /etc/passwd | grep root
> root:x:0:0::/root:/bin/bash
>
> $ fgrep bash /etc/shells
> /bin/bash
>
> $ file /bin/bash
> /bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
> dynamically linked (uses shared libs), stripped
>
> And just to make sure, verify that some files have not been tampered with:
>
> $ md5sum /sbin/agetty
> 847fbda23fabc4ffcf707e3a4f9137c2 /sbin/agetty
>
> $ md5sum /bin/login
> 4156e28bcd2dc3de538e248acdb3e661 /bin/login
>
> $ md5sum /bin/bash
> ec9b6ff6623ce2fe84bed8f8bdd45432 /bin/bash
>
> The above checksums are for a Slackware 10.2 installation, you should have
> the same checksums.
>
> regards Henrik

Thanks Henrik - will check the hashes this afternoon. It's not a huge
crisis - I have two other 10.2 drives. (I use a front load tray system
for all my machines. It takes about two minutes to remove a HD tray, snap
in another one or another OS, boot up and go.)

Regards,
Marv

Marv Soloff <msoloff@worldnet.att.net> wrote:
> Does not work - used vi to delete hashes on both etc/passwd and
> etc/shadow. Thanks anyway.

The password file should look like:
root:x:0:0:root:/root:/bin/bash
     ^
This 2nd field MUST be "x" or "*" or another invalid password.
It directs login to use the shadow file instead!
Then the shadow entry will look like
root:<encrypted_password>:13331::::::
(the numbers in field 3 and further will be different, this is "last
change" and NO value for all expiry fields).
But anyway, to remove the root password, remove all between the FIRST and
the SECOND : chars, leave the rest of the line alone (and make sure the
passwd file still has got a "x" in field 2).
One thing to check is: there MUST be 8 : chars (and 6 in the passwd file),
login gets rather confused if the number of fields (: is the field
separator) is wrong!

-- 
Eef Hartman, Delft University of Technology, dept. EWI/TW
e-mail: E.J.M.Hartman@math.tudelft.nl, fax: +31-15-278 7295
snail-mail: P.O. Box 5031, 2600 GA Delft, The Netherlands

Eef Hartman <E.J.M.Hartman@math.tudelft.nl> wrote:
> The password file should look like:
> root:x:0:0:root:/root:/bin/bash
>      ^
> This 2nd field MUST be "x" or "*" or another invalid password.
> It directs login to use the shadow file instead!

If I understand things right the password field in /etc/passwd can have
the following contents:

:x:              Specifies that the password is hidden in /etc/shadow
:*:              Used to lock an account. No password will match this.
::               Empty password
:3NcryptedSTrN:  Encrypted password, having this in passwd instead of
                 shadow means that non-root users are able to read it,
                 but at least it is encrypted.

Maybe something of the above needs to be corrected, I am no expert of how
shadow passwords work.

regards Henrik

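Eef's field-count rule (6 colons in passwd, 8 in shadow) and Henrik's table of password-field values, as an added example that is not from any poster in the thread: a small Python checker that classifies the password field, validates the field count of a passwd or shadow line, and performs the edit described above (blank only the second field, leave the rest alone). The sample entries are constructed.

```python
# Added example, not from the thread: classify the password field and
# validate field counts of /etc/passwd and /etc/shadow lines, then perform
# the edit the thread describes (blank the 2nd field, keep the rest).
# The sample entries below are constructed, not copied from a real system.

PASSWD_FIELDS = 7   # six ':' separators
SHADOW_FIELDS = 9   # eight ':' separators


def classify_password_field(pw: str) -> str:
    """Map the 2nd field of a passwd/shadow entry to its meaning."""
    if pw == "":
        return "empty"        # no password: login accepts a blank one
    if pw == "x":
        return "shadowed"     # the real hash lives in /etc/shadow
    if pw == "*" or pw.startswith("!"):
        return "locked"       # nothing matches; a '!' prefix is how
                              # 'passwd -l' locks an existing hash on Linux
    return "hash"             # an encrypted (hashed) password


def validate_entry(line: str, kind: str) -> list[str]:
    """Return a list of problems; an empty list means the line is well formed."""
    expected = PASSWD_FIELDS if kind == "passwd" else SHADOW_FIELDS
    fields = line.rstrip("\n").split(":")
    problems = []
    if len(fields) != expected:
        problems.append(f"{kind}: expected {expected} fields, got {len(fields)}")
    if fields[0] == "":
        problems.append(f"{kind}: empty user name")
    if kind == "passwd" and len(fields) == expected and fields[6] == "":
        problems.append("passwd: empty login shell")   # root needs a valid shell
    return problems


def clear_password(line: str) -> str:
    """Blank only the 2nd field (between the FIRST and SECOND ':')."""
    fields = line.rstrip("\n").split(":")
    fields[1] = ""
    return ":".join(fields)      # field count is preserved


if __name__ == "__main__":
    passwd_line = "root:x:0:0::/root:/bin/bash"                   # constructed
    shadow_line = "root:$1$constructedhash$notreal:13331::::::"   # constructed
    print(validate_entry(passwd_line, "passwd"), classify_password_field("x"))
    cleared = clear_password(shadow_line)
    print(cleared, validate_entry(cleared, "shadow"))
```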
Henrik Carlqvist <Henrik.Carlqvist@deadspam.com> wrote:
> Maybe something of the above needs to be corrected, I am no expert of how
> shadow passwords work.

You could well be right, but on our old HP's (non-Linux, but System-V
Unix) the "use secure password file" char was *, it was only in Linux
that I first saw the x there.
Anyway, either * or x in the /etc/shadow file will "lock" the account,
making NO login at all possible anymore, and the man page for passwd(5)
gives:
> These days many people run some version of the shadow password suite,
> where /etc/passwd has *'s instead of encrypted passwords, and the
> encrypted passwords are in /etc/shadow which is readable by the
> superuser only.
> Regardless of whether shadow passwords are used, many sysadmins use
> a star in the encrypted password field to make sure that this user
> can not authenticate him- or herself using a password.
> (But see the Notes below.)
So this man page still talks about * in the encrypted password field in
/etc/passwd

Henrik Carlqvist wrote:
> Marv Soloff <msoloff@worldnet.att.net> wrote:
>
>> paul wisehart wrote:
>>
>>> Delete the hashed password entry for root. (Not the whole line, just
>>> the part that represents the password.)
>>>
>>> Now when you reboot, root has a blank password.
>>>
>>> note: You should really only do that if you just forgot your password,
>>> not if you got cracked.
>
>> Does not work - used vi to delete hashes on both etc/passwd and
>> etc/shadow. Thanks anyway.
>
> Then check that root has a valid shell:
>
> $ cat /etc/passwd | grep root
> root:x:0:0::/root:/bin/bash
>
> $ fgrep bash /etc/shells
> /bin/bash
>
> $ file /bin/bash
> /bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
> dynamically linked (uses shared libs), stripped
>
> And just to make sure, verify that some files have not been tampered with:
>
> $ md5sum /sbin/agetty
> 847fbda23fabc4ffcf707e3a4f9137c2 /sbin/agetty
>
> $ md5sum /bin/login
> 4156e28bcd2dc3de538e248acdb3e661 /bin/login
>
> $ md5sum /bin/bash
> ec9b6ff6623ce2fe84bed8f8bdd45432 /bin/bash
>
> The above checksums are for a Slackware 10.2 installation, you should have
> the same checksums.
>
> regards Henrik

Henrik:

Got nothing but "no such file" on your suggestions. However this is what
I did:

There was a suggestion - I think it was from Keith Keller or Paul
Wisehart - to run "chroot /mnt" on the drive. "chroot /mnt" started
giving me different files than the mount sequence suggested in "pkgtool",
so I looked at several of them. Then, I decided to find out if I could
load Midnight Commander (mc). I could and did. That was all I needed. I
edited out (as suggested by Wisehart and Eef Hartman and you) the
encrypted hash in the shadow file, saved the file, and rebooted. Clean,
simple, quick.

And here I am. My thanks to all! Saved me a lot of grunt work in the
rebuild.

Gratefully,
Marv Soloff

On 2006-07-20, Marv Soloff <msoloff@att.net> wrote:
> Henrik Carlqvist wrote:
>>
>> And just to make sure, verify that some files have not been tampered with:
>>
>> $ md5sum /sbin/agetty
>> 847fbda23fabc4ffcf707e3a4f9137c2 /sbin/agetty
>>
>> $ md5sum /bin/login
>> 4156e28bcd2dc3de538e248acdb3e661 /bin/login
>>
>> $ md5sum /bin/bash
>> ec9b6ff6623ce2fe84bed8f8bdd45432 /bin/bash
>>
>> The above checksums are for a Slackware 10.2 installation, you should have
>> the same checksums.
>
> And here I am. My thanks to all! Saved me a lot of grunt work in the
> rebuild.

Don't congratulate yourself yet: you should still confirm the MD5 sums
that Henrik posted, or run some sort of rootkit checker on your machine,
to try to determine if you were cracked. Ideally you should not do this
while booted into Slackware, but from some read-only media like a CD.
Really ideally, you'd obtain this media completely independent from your
suspected Slackware box, but that might be more paranoia than you want
to deal with. At bare minimum, you should run the above commands from
your Slack box and make sure they match; if they do, at least you'll
know that if you were cracked it was a pretty good crack.

Here's one more binary that would be helpful to check:

$ md5sum /bin/ps
a4e09f0d230fc5f37076d13626265651 /bin/ps

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information

Keith Keller wrote:
> On 2006-07-20, Marv Soloff <msoloff@att.net> wrote:
>
>> Henrik Carlqvist wrote:
>>
>>> And just to make sure, verify that some files have not been tampered with:
>>>
>>> $ md5sum /sbin/agetty
>>> 847fbda23fabc4ffcf707e3a4f9137c2 /sbin/agetty
>>>
>>> $ md5sum /bin/login
>>> 4156e28bcd2dc3de538e248acdb3e661 /bin/login
>>>
>>> $ md5sum /bin/bash
>>> ec9b6ff6623ce2fe84bed8f8bdd45432 /bin/bash
>>>
>>> The above checksums are for a Slackware 10.2 installation, you should have
>>> the same checksums.
>>
>> And here I am. My thanks to all! Saved me a lot of grunt work in the
>> rebuild.
>
> Don't congratulate yourself yet: you should still confirm the MD5 sums
> that Henrik posted, or run some sort of rootkit checker on your machine,
> to try to determine if you were cracked. Ideally you should not do this
> while booted into Slackware, but from some read-only media like a CD.
> Really ideally, you'd obtain this media completely independent from your
> suspected Slackware box, but that might be more paranoia than you want
> to deal with. At bare minimum, you should run the above commands from
> your Slack box and make sure they match; if they do, at least you'll
> know that if you were cracked it was a pretty good crack.
>
> Here's one more binary that would be helpful to check:
>
> $ md5sum /bin/ps
> a4e09f0d230fc5f37076d13626265651 /bin/ps
>
> --keith

The md5 hashes mentioned in Henrik's note all match. I'm satisfied (or
have a lower paranoia level) that the 10.2 drive is OK. Thanks for all
your (collective) help!

Regards,
Marv

Marv Soloff <msoloff@att.net> wrote:
>>>> 847fbda23fabc4ffcf707e3a4f9137c2 /sbin/agetty
>>>> 4156e28bcd2dc3de538e248acdb3e661 /bin/login
>>>> ec9b6ff6623ce2fe84bed8f8bdd45432 /bin/bash
> The md5 hashes mentioned in Henrik's note all match. I'm satisfied (or
> have a lower paranoia level) that the 10.2 drive is OK. Thanks for all
> your (collective) help!

The reason that I gave md5sum for those files was not to guarantee that
you have no rootkit. Instead I gave md5sum for those files because if any
of those files would have been broken it could explain why you were
unable to log in even though the password had been reset.

If I were you I would feel a lot safer if I knew what could have changed
the root password for you.

regards Henrik