On 05/18/2010 11:06 AM, Jonas Smedegaard wrote:
> On Tue, May 18, 2010 at 09:37:56AM +0200, Finn-Arne Johansen wrote:
>> On 05/15/2010 05:43 PM, Andreas B. Mundt wrote:
>>> Hi,
>>> So my question is: Can I, by any means, access the root password
>>> entered at the beginning of the installation at a later stage of the
>>> installation process in clear text?
>>>
>>> Alternative ideas or solutions are of course welcome.
>>
>> Is it possible to create an udeb (or use debian-edu-*udeb) to ask for
>> the main password, store it in cleartext, preseed the root password,
>> then remove the cleartext password at the end of the installation.
>
> I suspect that to be a dangerous approach: In effect this would
> duplicate (albeit hashed) the original root password which will *not*
> change if the original root password is later changed.

Not sure if you understood what I meant. What I meant was something like this:

During debian-edu-preesed-udeb (don't remember the name of the udeb now), the installer is preseeded to not ask for additional username/pw, and to select the debian-edu tasks automatically. If it's possible, we could also preseed the password in this udeb, causing the original password prompt to be suppressed(?)/preseeded. This password is also stored in cleartext somewhere on the installation ramdisk used by the installer, or maybe preseeded for the kerberos stuff.

If this cleartext password is only stored on the installer ramdisk, then it will be gone after the initial reboot. If not (e.g. the password is stored in cleartext on the installed system), the password would have to be deleted/hashed/whatever during the first bootup.

If not - it could be possible to test against the password stored in the ldap if ldap is running during the installation (not sure if it does), to make sure the passwords are identical. But that would also be a special hack for debian-edu I think.

> I do not find it uncommon to use a quick'n'dirty password at install
> time and then tighten security later. With this approach the too weak,
> temporary, initial password would silently become a weak backdoor into
> the system.

If you know how to administer things, you would also know that you need to change another password as well. As already done in debian-edu. The root-account password is also used by the ldap admin user:

cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no

> I certainly hope that no similar approach is in use today already!

As there are already 2 different accounts which use the password, in debian-edu, you may need to change both passwords if you already change the passwords. Of course, after you've created an admin user, you could obfuscate the admin user password so that no one knows it. If you have access to the config file for slapd, you can always gain control over the ldap admin password.

// faj

