Jonas Smedegaard wrote:
> On Tue, May 18, 2010 at 09:37:56AM +0200, Finn-Arne Johansen wrote:
>> On 05/15/2010 05:43 PM, Andreas B. Mundt wrote:
>>> Hi,
>>> So my question is: Can I, by any means, access the root password
>>> entered at the beginning of the installation at a later stage of the
>>> installation process in clear text?
>>>
>>> Alternative ideas or solutions are of course welcome.
>>
>> Is it possible to create an udeb (or use debian-edu-*udeb) to ask for
>> the main password, store it in cleartext, preseed the root password,
>> then remove the cleartext password at the end of the installation.
>
> I suspect that to be a dangerous approach: In effect this would
> duplicate (albeit hashed) the original root password which will *not*
> change if the original root password is later changed.
>
> I do not find it uncommon to use a quick'n'dirty password at install
> time and then tighten security later. With this approach the too weak,
> temporary, initial password would silently become a weak backdoor into
> the system.
>
> I certainly hope that no similar approach is in use today already!

It is. The quick and dirty password used at install is also stored as the password for the ldap user "admin". When the user changes the root password, the ldap user admin password is unchanged, and must be changed in the admin tool separately. But since _everything_ is done via ldap, the user quickly learns about the admin users (even if he does not read the documentation).

Still, asking for 3 passwords (root / ldap admin / kerberos) during install does not make this situation in any way better. One might in the worst case end up with 3 quick and dirty passwords.

I don't know any better solution than documentation, and perhaps debconf notes alerting that the root password should not be quick'n'dirty.

Ronny

