>>>>> "Joe" == Joe Pruett <[email protected]> writes:

Russell> [...] What explains the weird passwordless logins?

Joe> it could be pam configurations that allow anyone to login.

I don't understand pam at all. I have no idea how to check if that's intact.

Joe> or it could be a trojaned c library that makes crypt return the
Joe> salt, which is usually just passed the encrypted password. did
Joe> you see strace read the shadow file?

I looked for that, and grepping for open() calls, it doesn't open shadow.

Joe> running ltrace might also give clues. is there a way to globally
Joe> check checksums for all installed packages? i'm not a deb user,
Joe> so i am not sure.

debsums comes back clean, but of course I am relying on the md5sums of the presumably compromised box.

It is just possible that it wasn't cracked and something else f'd up the pam configuration. The only externally exposed port on the box is ssh.

My intention is to wipe and reinstall, but ... I've got other similarly configured boxes and it would be nice to know what happened so as to prevent its recurrence.

On the other hand, it's kind of nice not to need any password. ;-)

--
Russell Senior ``I have nine fingers; you have ten.''
[email protected]
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
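
Added example, not part of the original message or of any PAM tooling: one way to check whether a PAM "auth" stack is intact is to walk it while assuming every module except pam_permit.so fails, and see whether it still returns success. The function names and sample files are constructed for illustration, and the model is simplified: only `@include` is followed, and the `reset` action, `include`/`substack` controls and the PAM_IGNORE return value are not modelled.

```python
KEYWORDS = {  # keyword controls reduced to the two outcomes modelled here
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

def auth_stack(service, files, seen=()):
    """List (control, module) auth entries of a service, following @include."""
    stack, seen = [], seen + (service,)
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) == 2 and fields[0] == "@include" and fields[1] not in seen:
            stack += auth_stack(fields[1], files, seen)
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        rest = " ".join(fields[1:])
        if rest.startswith("["):  # bracketed control: [value=action ...]
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctl.split())
        else:
            word, rest = rest.split(None, 1)
            control = KEYWORDS.get(word, {"default": "ignore"})  # assumption: unknown = ignore
        stack.append((control, rest.split()[0].rsplit("/", 1)[-1]))
    return stack

def accepts_wrong_password(stack):
    """True if the stack succeeds when every module except pam_permit.so fails."""
    state, skip = None, 0  # state: None = undecided, True = success, False = failure
    for control, module in stack:
        if skip:
            skip -= 1
            continue
        ok = module == "pam_permit.so"
        action = control.get("success" if ok else "auth_err", control.get("default", "ignore"))
        if action in ("ok", "done") and state is not False:
            state = ok
        elif action in ("bad", "die"):
            state = False
        elif action.isdigit():
            skip = int(action)  # jump over the next N modules
        if (action == "done" and state) or action == "die":
            break
    return state is True

# Constructed sample files, not taken from the box in the thread.
STOCK = {"sshd": "@include common-auth\n", "common-auth": "auth [success=1 default=ignore] "
         "pam_unix.so\nauth requisite pam_deny.so\nauth required pam_permit.so\n"}
BROKEN = {**STOCK, "common-auth": STOCK["common-auth"].replace("auth requisite", "#auth requisite")}
```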
