Re: password hash weaknesses in FreeBSD ?

2011-08-02 Thread RW
On Tue, 2 Aug 2011 17:36:12 +0100
マンロークリストファ wrote:

> The crypt program to hash passwords uses md5 /DES/blowfish for
> password hashing as I have read in the handbook. DES and md5 are
> widely regarded to be broken (certainly DES). I would prefer password
> hashing to be done using salted SHA1 / SHA256 to meet my security
> needs.

It depends what you mean by broken; most hashes are broken (or will be
broken) in some sense - including SHA1. The types of break that make
md5 unsuitable for verification purposes don't apply to password
hashes. Furthermore FreeBSD's md5 password hash isn't simply md5, it's
1000 iterations of md5 with each iteration hashing the salt, password
and previous hash in shifting combinations.

These days the most realistic attack against typical user passwords is
probably a direct brute-force attack using GPUs - in which case the
underlying hash algorithm is insignificant.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: password hash weaknesses in FreeBSD ?

2011-08-02 Thread Thomas D. Dean
On Tue, 2011-08-02 at 17:36 +0100, マンロークリストファ wrote:
> The crypt program to hash passwords uses md5 /DES/blowfish for
> password hashing as I have read in the handbook. DES and md5 are
> widely regarded to be broken (certainly DES). I would prefer password
> hashing to be done using salted SHA1 / SHA256 to meet my security
> needs. Is this configuration possible?
http://www.bsdguides.org/guides/freebsd/security/harden.php

google "freebsd password hash sha256"

http://www.google.com/search?hl=en&q=freebsd+password+hash+sha256&aq=f&aqi=&aql=&oq=


Has patches toward adding this.

tomdean



Re: Password theft from memory?

2011-05-01 Thread C. P. Ghost
On Wed, Apr 27, 2011 at 9:24 PM, Modulok  wrote:
> I know that each process has its own private memory segment, but after a
> process exits, it no longer owns that memory. What happens to it? If it's not
> zeroed out by my process, and it doesn't turn into pixie food, and it's not
> zeroed out by malloc... it still exists somewhere.

If I understand this correctly, when a process exits, the kernel reclaims its
address space and inserts it into its own address space (i.e. in a free list).
At this point, the pages are NOT (yet) zeroed out, they're merely detached
from the exiting process and attached to the kernel's free list.

Optionally, they may be zeroed in some time in the future, when a special
kernel thread pre-zeroes some pages there for faster allocation later.

In any case, when a new process starts and tries to mmap(2) those pages,
the kernel VM will lazily zero them out one by one upon first access by the
process.

So, unless you access /dev/kmem to read virtual kernel memory directly,
you have NO way of getting access to the old data, even when it is not
yet zeroed. And as long as the permissions on /dev/kmem are sensibly
set, only privileged processes could access kernel virtual memory.

Coming to think of it, there's another exception besides /dev/kmem: a kernel
module runs with kernel privileges, and has access to the pages (of all
processes, and of the kernel including those on the free list). But this is
to be expected: a KLD becomes a part of the kernel when loaded.

> Maybe this would be best on hackers?
> -Modulok-

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: Password theft from memory?

2011-04-29 Thread RW
On Fri, 29 Apr 2011 12:00:00 -0400
Bob Hall  wrote:

> On Fri, Apr 29, 2011 at 01:54:06AM +0100, RW wrote:

> > but they aren't the same - that's what the quotes were about. 
> 
> Looking back, I don't see anything in your quotes that raises the
> issue of anonymous objects being used differently.


If you don't already know that memory is zeroed by default it
would be obtuse to infer that arbitrarily sized anonymous mappings are
zero-filled, just because a few bytes of padding are zero-filled.
Consequently your quote had no relevance to whether memory obtained by
malloc is zero-filled.

However, by taking that sentence out of context it was made unclear what
"extensions" referred to. A casual reader could have assumed that it
was possible to make zero-filled extensions to the object through mmap.
If that were true then your position, that the two cases are similar,
would be quite reasonable. I assumed that you had misread the man
page. 


Re: Password theft from memory?

2011-04-29 Thread Bob Hall
On Fri, Apr 29, 2011 at 01:54:06AM +0100, RW wrote:
> On Thu, 28 Apr 2011 13:17:41 -0400
> Bob Hall  wrote:
> 
> > On Thu, Apr 28, 2011 at 12:10:10AM +0100, RW wrote:
> > > I'm not saying that anonymous mappings used by malloc aren't
> > > zero-filled, just that it's not mentioned anywhere in the mmap man
> > > page. I think it's just taken as read.
> > 
> > I just got what you're trying to say. Unfortunately, your quotes
> > misled me about what you were concerned about. You're right, the man
> > page doesn't explicitly state whether anonymous mappings are zero
> > filled or not. Since man pages prioritize concision, I would expect
> > the page to explain how anonymous mappings are different from other
> > mappings, but not how they are the same.
> 
> but they aren't the same - that's what the quotes were about. 

Looking back, I don't see anything in your quotes that raises the issue
of anonymous objects being used differently.

> If the zero-filled extensions included whole pages that have the same
> status as the rest of the mapping then it would be reasonable to infer
> that anonymous mappings are similarly filled with zeroed-pages.
> 
> What that man page is talking about is a small padding region at the
> end of a file-backed mapping that isn't really intended for use and
> presumably could get re-zeroed at any moment since it has no backing
> store. It seems to me to be unreasonable to infer anything about
> anonymous mappings from this.

When an anonymous object first gets a pagein, it grabs a free page and
zeros it. Generally, the virtual memory system fetches new pages from a
cache of zeroed pages. In either case, pages are zeroed before a process
gets access.

This is part of the general background info on virtual memory and I
wouldn't expect it to be documented in the mmap man page.

Off topic, the maillist is apparently filtering out my posts. I've
looked at the webpage on filtering and can't find anything that explains
why I'm being filtered. I've tried posting from another system that I
posted successfully from previously, but no success. I've tried googling
and searching the mail archives for problems related to google mail, but
nothing came up.  If some mail expert can spot what's causing me to be
blocked and let me know, I'd be grateful.


Re: Password theft from memory?

2011-04-28 Thread RW
On Thu, 28 Apr 2011 13:17:41 -0400
Bob Hall  wrote:

> On Thu, Apr 28, 2011 at 12:10:10AM +0100, RW wrote:
> > I'm not saying that anonymous mappings used by malloc aren't
> > zero-filled, just that it's not mentioned anywhere in the mmap man
> > page. I think it's just taken as read.
> 
> I just got what you're trying to say. Unfortunately, your quotes
> misled me about what you were concerned about. You're right, the man
> page doesn't explicitly state whether anonymous mappings are zero
> filled or not. Since man pages prioritize concision, I would expect
> the page to explain how anonymous mappings are different from other
> mappings, but not how they are the same.

but they aren't the same - that's what the quotes were about. 

If the zero-filled extensions included whole pages that have the same
status as the rest of the mapping then it would be reasonable to infer
that anonymous mappings are similarly filled with zeroed-pages.

What that man page is talking about is a small padding region at the
end of a file-backed mapping that isn't really intended for use and
presumably could get re-zeroed at any moment since it has no backing
store. It seems to me to be unreasonable to infer anything about
anonymous mappings from this.





Re: Password theft from memory?

2011-04-28 Thread Bob Hall
On Thu, Apr 28, 2011 at 12:10:10AM +0100, RW wrote:
> I'm not saying that anonymous mappings used by malloc aren't
> zero-filled, just that it's not mentioned anywhere in the mmap man
> page. I think it's just taken as read.

I just got what you're trying to say. Unfortunately, your quotes misled
me about what you were concerned about. You're right, the man page
doesn't explicitly state whether anonymous mappings are zero filled or
not. Since man pages prioritize concision, I would expect the page to
explain how anonymous mappings are different from other mappings, but
not how they are the same.


Re: Password theft from memory?

2011-04-27 Thread RW
On Wed, 27 Apr 2011 06:14:02 -0400
Bob Hall  wrote:


> malloc() uses either sbrk or mmap to extend the heap. As far as I
> know, sbrk extends the heap with zero filled memory. According to the
> man page, mmap extends it either with remapped data, or with remapped
> data plus additional zero filled memory. 

The man page doesn't mean what you think it means. It's a lot clearer
here: 

http://pubs.opengroup.org/onlinepubs/007908799/xsh/mmap.html


   "The system always zero-fills any partial page at the end of an
   object. Further, the system never writes out any modified portions of
   the last page of an object that are beyond its end. References
   within the address range starting at pa and continuing for len bytes
   to whole pages following the end of an object result in delivery of
   a SIGBUS signal."


I'm not saying that anonymous mappings used by malloc aren't
zero-filled, just that it's not mentioned anywhere in the mmap man
page. I think it's just taken as read.


Re: Password theft from memory?

2011-04-27 Thread Lowell Gilbert
Modulok  writes:

>>> On Sun, Apr 24, 2011 at 7:10 PM, Modulok  wrote:
>>> > I don't know if this is a problem on FreeBSD...
>>> >
>>> > Process A requests memory.
>>> > Process A Stores a plaintext password in memory or other sensitive
>>> > data. Process A terminates and the memory is reclaimed by kernel.
>>> >
>>> > Process B requests a *huge* chunk of memory.
>>> > Process B crawls the uninitialized memory, looking for ProcessA's
>>> > previously stored password.
>>> >
>>> > Does anyone know if this is even possible on FreeBSD?
>
>> AFAIK it's the responsibility of the programmer to avoid data leaking.
>> Passwords are commonly overwritten as soon as they are no longer needed. I
>> think geli keeps persistent key information in kernel wired-memory.
>
> If you're writing in a language which has direct memory access you can easily
> overwrite sensitive regions of memory upon program exit. But what about higher
> level, dynamic languages where direct memory access is not available? For
> example, if I write a program in Python (or some other language) which
> processes plaintext passwords or credit card numbers, on a shared host, can
> that data be found in memory by another user's process designed to recognize
> such patterns in large allocations? (Patterns like SS numbers, credit cards,
> regions near strings like 'password' and so on.)
>
> I know that each process has its own private memory segment, but after a
> process exits, it no longer owns that memory. What happens to it? If it's not
> zeroed out by my process, and it doesn't turn into pixie food, and it's not
> zeroed out by malloc... it still exists somewhere.
>
> Maybe this would be best on hackers?

In my opinion, no, -chat would be better.  This is a well established
area and all multi-user operating systems cover it in some way.

You are missing an important point that had been glossed over somewhat
in the earlier messages in this thread.  In particular, you're missing
that an unprivileged process doesn't have direct access to real memory
addresses no matter what language it was written in.  Languages that
support memory pointers have access to a "virtual" address space on
FreeBSD (and most other general-purpose operating systems of the last
decade or two), which does not give them access to the memory of other
processes.  

When a process exits (and, indeed, "it no longer owns that memory"), the
real memory pages behind its virtual memory will be returned to the
kernel, which will zero out those pages before letting another process
reuse them.  The details other people have been discussing have to do
with the fact that there is more than one mechanism through which pages
might get allocated to a process, but in all of those mechanisms, the
old data is obliterated first.

In practice, programmers used to Unix-ish systems may assume that their
memory allocations are always zero-filled.  On embedded systems (and
other specialized environments, but I mostly deal with embedded systems
for routers), this may not be a good assumption.  Even on a Unix system,
it's not necessarily a good assumption -- you won't get memory that was
written by a different process, but you may well get memory that was
released by your own process without being overwritten.  Needless to
say, this isn't a security concern.

Be well.


Re: Password theft from memory?

2011-04-27 Thread Modulok
>> On Sun, Apr 24, 2011 at 7:10 PM, Modulok  wrote:
>> > I don't know if this is a problem on FreeBSD...
>> >
>> > Process A requests memory.
>> > Process A Stores a plaintext password in memory or other sensitive
>> > data. Process A terminates and the memory is reclaimed by kernel.
>> >
>> > Process B requests a *huge* chunk of memory.
>> > Process B crawls the uninitialized memory, looking for ProcessA's
>> > previously stored password.
>> >
>> > Does anyone know if this is even possible on FreeBSD?

> AFAIK it's the responsibility of the programmer to avoid data leaking.
> Passwords are commonly overwritten as soon as they are no longer needed. I
> think geli keeps persistent key information in kernel wired-memory.

If you're writing in a language which has direct memory access you can easily
overwrite sensitive regions of memory upon program exit. But what about higher
level, dynamic languages where direct memory access is not available? For
example, if I write a program in Python (or some other language) which
processes plaintext passwords or credit card numbers, on a shared host, can
that data be found in memory by another user's process designed to recognize
such patterns in large allocations? (Patterns like SS numbers, credit cards,
regions near strings like 'password' and so on.)

I know that each process has its own private memory segment, but after a
process exits, it no longer owns that memory. What happens to it? If it's not
zeroed out by my process, and it doesn't turn into pixie food, and it's not
zeroed out by malloc... it still exists somewhere.

Maybe this would be best on hackers?
-Modulok-


Re: Password theft from memory?

2011-04-27 Thread Bob Hall
On Tue, Apr 26, 2011 at 11:41 AM, RW 
wrote:
>> The above quote states that the memory not occupied by the remapped
>> object is zero filled. Which is to say that memory allocated by
>> mmap() is either filled with new data or filled with zeros.
>
> In context it says:
>
>     "If len is not a multiple of the page-size, the mapped region
> may extend past the specified range.  Any such extension beyond the
>     end of the mapped object will be zero-filled."
>
> To me the most straightforward reading of that is that it's
> referring to non-aligned address ranges.
>
> Your interpretation may well be the intended one, but where would
> that leave the anonymous mappings used by malloc? Are we to think
> of them as extensions beyond a non-existent mapped object, and thus
> infer that they are zero-filled? It's a bit of a stretch from
> what's written.

malloc() uses either sbrk or mmap to extend the heap. As far as I know,
sbrk extends the heap with zero filled memory. According to the man
page, mmap extends it either with remapped data, or with remapped data
plus additional zero filled memory. 

This answers the original poster's question. If you've gone on to a
different issue then I apologize for not following you.


Re: Password theft from memory?

2011-04-26 Thread RW
On Tue, 26 Apr 2011 16:23:11 +0200
"C. P. Ghost"  wrote:

> On Tue, Apr 26, 2011 at 11:41 AM, RW 
> wrote:
> >> The above quote states that the memory not occupied by the remapped
> >> object is zero filled. Which is to say that memory allocated by
> >> mmap() is either filled with new data or filled with zeros.
> >
> > In context it says:
> >
> >     "If len is not a multiple of the page-size, the mapped region
> > may extend past the specified range.  Any such extension beyond the
> >     end of the mapped object will be zero-filled."
> >
> > To me the most straightforward reading of that is that it's
> > referring to non-aligned address ranges.
> >
> > Your interpretation may well be the intended one, but where would
> > that leave the anonymous mappings used by malloc? Are we to think
> > of them as extensions beyond a non-existent mapped object, and thus
> > infer that they are zero-filled? It's a bit of a stretch from
> > what's written.
> 
> While it's not a *proof*, you could always do a little bit of black
> box testing.

I didn't really doubt it, if sbrk zero-filled then it would be a major
security regression if mmap didn't provide the same behaviour. 

From vm_fault.c it looks clear a zeroed page is allocated when the
location is neither file-backed nor written-out to swap. That's probably
why mmap(2) doesn't bother to mention zero-filling except in a special
case.  


Re: Password theft from memory?

2011-04-26 Thread C. P. Ghost
On Tue, Apr 26, 2011 at 11:41 AM, RW  wrote:
>> The above quote states that the memory not occupied by the remapped
>> object is zero filled. Which is to say that memory allocated by mmap()
>> is either filled with new data or filled with zeros.
>
> In context it says:
>
>     "If len is not a multiple of the page-size, the mapped region may
>     extend past the specified range.  Any such extension beyond the
>     end of the mapped object will be zero-filled."
>
> To me the most straightforward reading of that is that it's referring
> to non-aligned address ranges.
>
> Your interpretation may well be the intended one, but where would that
> leave the anonymous mappings used by malloc? Are we to think of them as
> extensions beyond a non-existent mapped object, and thus infer that they
> are zero-filled? It's a bit of a stretch from what's written.

While it's not a *proof*, you could always do a little bit of black box
testing.

1. So how about a little C program scanner.c that allocates a huge heap
via mmap(2)'s malloc(3) backend, and crawls that buffer, looking for
the first non-zero byte? If we always get zero-filled pages, you shouldn't
find any non-zero bytes there.

2. For good measure, another program filler.c could fill a huge heap with
a particular easily recognizable pattern (say something like 0xdeadbeef),
and exit; and then, scanner.c could not only check for non-zero bytes, but
also for that particular pattern.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
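
The two-program test proposed above, combined into one C file as an added example (not code posted in the thread): a forked child plays the role of filler.c and the parent plays scanner.c. The function names, the 32 MiB region size and the direct use of mmap(2) with MAP_ANON rather than going through malloc(3) are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose MAP_ANON on glibc under strict -std= modes */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

#define REGION_BYTES ((size_t)32 * 1024 * 1024)  /* constructed test size */
#define PATTERN 0xdeadbeefU                      /* marker suggested in the post */

struct scan_result {
    size_t nonzero_bytes;   /* bytes that were not 0 on first read */
    size_t pattern_words;   /* aligned 32-bit words equal to PATTERN */
    long first_nonzero;     /* offset of first non-zero byte, -1 if none */
};

/* Map a private anonymous region, the kind of mapping malloc's mmap
 * backend asks the kernel for. Returns NULL on failure. */
static void *map_region(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_ANON | MAP_PRIVATE, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* "filler": a child process dirties every page with PATTERN and exits
 * without clearing anything, so its pages return to the kernel dirty.
 * Returns 0 once the child has exited cleanly, -1 on any failure. */
int run_filler(size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile uint32_t *w = map_region(len);
        if (w == NULL)
            _exit(2);
        for (size_t i = 0; i < len / sizeof(uint32_t); i++)
            w[i] = PATTERN;
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* "scanner": map a fresh region and read it before writing anything.
 * Counts non-zero bytes and aligned occurrences of PATTERN. */
int run_scanner(size_t len, struct scan_result *out)
{
    const unsigned char *b = map_region(len);
    if (b == NULL)
        return -1;

    out->nonzero_bytes = 0;
    out->pattern_words = 0;
    out->first_nonzero = -1;

    for (size_t i = 0; i < len; i++) {
        if (b[i] != 0) {
            if (out->first_nonzero < 0)
                out->first_nonzero = (long)i;
            out->nonzero_bytes++;
        }
    }

    const uint32_t *w = (const uint32_t *)(const void *)b;
    for (size_t i = 0; i < len / sizeof(uint32_t); i++) {
        if (w[i] == PATTERN)
            out->pattern_words++;
    }

    munmap((void *)b, len);
    return 0;
}

int main(void)
{
    struct scan_result r;

    if (run_filler(REGION_BYTES) != 0 ||
        run_scanner(REGION_BYTES, &r) != 0) {
        fprintf(stderr, "filler or scanner could not run\n");
        return 1;
    }
    printf("non-zero bytes: %zu, pattern words: %zu, first non-zero: %ld\n",
           r.nonzero_bytes, r.pattern_words, r.first_nonzero);
    /* Exit status 0 means the fresh mapping was entirely zero-filled. */
    return r.nonzero_bytes == 0 ? 0 : 1;
}
```

As the post says, an all-zero result is evidence rather than proof: it shows what this kernel did on this run, not what the documentation guarantees.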


Re: Password theft from memory?

2011-04-26 Thread RW
On Tue, 26 Apr 2011 10:48:53 +0100
Bruce Cran  wrote:

> On Mon, 25 Apr 2011 23:29:08 +0100
> RW  wrote:
> 
> > The reason I thought that heap memory isn't zeroed is from the
> > discussion of pre-zeroed pages in this article: 
> 
> There's an idlezero task that runs by default (via
> the vm.idlezero_enable sysctl), zeroing unused pages,

That's pretty much what the article is describing. It's actually *off*
by default in 8.2 because it causes lock-ups.



Re: Password theft from memory?

2011-04-26 Thread Bruce Cran
On Mon, 25 Apr 2011 23:29:08 +0100
RW  wrote:

> The reason I thought that heap memory isn't zeroed is from the
> discussion of pre-zeroed pages in this article: 

There's an idlezero task that runs by default (via
the vm.idlezero_enable sysctl), zeroing unused pages, but malloc itself 
doesn't zero memory on demand by default. If you enable the 'Z' 
malloc.conf(3) option it does, though:

Z       Each byte of new memory allocated by malloc(), realloc() or
        reallocf() will be initialized to 0.  Note that this
        initialization only happens once for each byte, so realloc() and
        reallocf() calls do not zero memory that was previously allocated.
        This is intended for debugging and will impact performance
        negatively.


-- 
Bruce Cran


Re: Password theft from memory?

2011-04-26 Thread RW
On Mon, 25 Apr 2011 22:56:14 -0400
Bob Hall  wrote:

> On Mon, Apr 25, 2011 at 11:29:08PM +0100, RW wrote:
> > On Mon, 25 Apr 2011 13:54:20 -0400
> > Bob Hall  wrote:
> > 
> > > On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> > > > On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall 
> > > > wrote:
> > > > > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> > > > >> I don't believe the heap is allocated zeroed pages.  The
> > > > >> kernel does allocate such pages to the BSS segment, but
> > > > >> that's because it holds zeroed data such as C static
> > > > >> variables.
> > > > >
> > > > > According to McKusick and Neville-Neil's book on FreeBSD, sbrk
> > > > > extends the uninitialized data segment with zero-filled pages.
> > > > > Since malloc() is an interface to sbrk, it does the same
> > > > > thing.
> > > > 
> > > > True, except that malloc(3) now uses both sbrk(2) and mmap(2)
> > > > allocators, depending on the user-settable flags
> > > > in /etc/malloc.conf, MALLOC_OPTIONS and the global variable
> > > > _malloc_options. So you have to look into mmap(2) too.
> > > 
> > > Good point. From the man page:
> > > "Any such extension beyond the end of the mapped object will be
> > > zero-filled." 
> > > and
> > > "A successful mmap deletes any previous mapping in the allocated
> > > address range."
> > 
> > 
> > The above quote refers to zeroing the fraction of a page that's left
> > over when "len"  isn't a multiple of the page size.
> 
> The above quote states that the memory not occupied by the remapped
> object is zero filled. Which is to say that memory allocated by mmap()
> is either filled with new data or filled with zeros.

In context it says: 

 "If len is not a multiple of the page-size, the mapped region may
 extend past the specified range.  Any such extension beyond the
 end of the mapped object will be zero-filled."

To me the most straightforward reading of that is that it's referring
to non-aligned address ranges. 

Your interpretation may well be the intended one, but where would that
leave the anonymous mappings used by malloc? Are we to think of them as
extensions beyond a non-existent mapped object, and thus infer that they
are zero-filled? It's a bit of a stretch from what's written.


> > The reason I thought that heap memory isn't zeroed is from the
> > discussion of pre-zeroed pages in this article: 
> > 
> > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/prefault-optimizations.html
> > 
> > It reads as if the BSS region is the only significant user of zeroed
> > pages.
> 
> It appears to me to say that any virtual pages allocated to a process
> are pre-zeroed, which would include the BSS segment.

It says: 

   "A large percentage of page faults that occur are zero-fill faults.
   You can usually see this by observing the vmstat -s output. These
   occur when a process accesses pages in its BSS area. "



Re: Password theft from memory?

2011-04-25 Thread Bob Hall
On Mon, Apr 25, 2011 at 11:29:08PM +0100, RW wrote:
> On Mon, 25 Apr 2011 13:54:20 -0400
> Bob Hall  wrote:
> 
> > On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> > > On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall  wrote:
> > > > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> > > >> I don't believe the heap is allocated zeroed pages.  The kernel
> > > >> does allocate such pages to the BSS segment, but that's because
> > > >> it holds zeroed data such as C static variables.
> > > >
> > > > According to McKusick and Neville-Neil's book on FreeBSD, sbrk
> > > > extends the uninitialized data segment with zero-filled pages.
> > > > Since malloc() is an interface to sbrk, it does the same thing.
> > > 
> > > True, except that malloc(3) now uses both sbrk(2) and mmap(2)
> > > allocators, depending on the user-settable flags
> > > in /etc/malloc.conf, MALLOC_OPTIONS and the global variable
> > > _malloc_options. So you have to look into mmap(2) too.
> > 
> > Good point. From the man page:
> > "Any such extension beyond the end of the mapped object will be
> > zero-filled." 
> > and
> > "A successful mmap deletes any previous mapping in the allocated
> > address range."
> 
> 
> The above quote refers to zeroing the fraction of a page that's left
> over when "len"  isn't a multiple of the page size.

The above quote states that the memory not occupied by the remapped
object is zero filled. Which is to say that memory allocated by mmap()
is either filled with new data or filled with zeros.

> However, there's a
> comment in malloc.c about mmap'ed regions being zeroed, so I guess they
> are, but it doesn't seem to be mentioned at all in mmap(2).
 
It is mentioned, in the first sentence I quoted.

> The reason I thought that heap memory isn't zeroed is from the
> discussion of pre-zeroed pages in this article: 
> 
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/prefault-optimizations.html
> 
> It reads as if the BSS region is the only significant user of zeroed
> pages.

It appears to me to say that any virtual pages allocated to a process
are pre-zeroed, which would include the BSS segment.


Re: Password theft from memory?

2011-04-25 Thread RW
On Mon, 25 Apr 2011 13:54:20 -0400
Bob Hall  wrote:

> On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> > On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall  wrote:
> > > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> > >> I don't believe the heap is allocated zeroed pages.  The kernel
> > >> does allocate such pages to the BSS segment, but that's because
> > >> it holds zeroed data such as C static variables.
> > >
> > > According to McKusick and Neville-Neil's book on FreeBSD, sbrk
> > > extends the uninitialized data segment with zero-filled pages.
> > > Since malloc() is an interface to sbrk, it does the same thing.
> > 
> > True, except that malloc(3) now uses both sbrk(2) and mmap(2)
> > allocators, depending on the user-settable flags
> > in /etc/malloc.conf, MALLOC_OPTIONS and the global variable
> > _malloc_options. So you have to look into mmap(2) too.
> 
> Good point. From the man page:
> "Any such extension beyond the end of the mapped object will be
> zero-filled." 
> and
> "A successful mmap deletes any previous mapping in the allocated
> address range."


The above quote refers to zeroing the fraction of a page that's left
over when "len"  isn't a multiple of the page size. However, there's a
comment in malloc.c about mmap'ed regions being zeroed, so I guess they
are, but it doesn't seem to be mentioned at all in mmap(2).


The reason I thought that heap memory isn't zeroed is from the
discussion of pre-zeroed pages in this article: 

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/prefault-optimizations.html

It reads as if the BSS region is the only significant user of zeroed
pages.


Re: Password theft from memory?

2011-04-25 Thread Bob Hall
On Mon, Apr 25, 2011 at 05:46:33PM +0200, C. P. Ghost wrote:
> On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall  wrote:
> > On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> >> I don't believe the heap is allocated zeroed pages.  The kernel
> >> does allocate such pages to the BSS segment, but that's because it
> >> holds zeroed data such as C static variables.
> >
> > According to McKusick and Neville-Neil's book on FreeBSD, sbrk extends
> > the uninitialized data segment with zero-filled pages. Since malloc() is
> > an interface to sbrk, it does the same thing.
> 
> True, except that malloc(3) now uses both sbrk(2) and mmap(2) allocators,
> depending on the user-settable flags in /etc/malloc.conf, MALLOC_OPTIONS
> and the global variable _malloc_options. So you have to look into mmap(2)
> too.

Good point. From the man page:
"Any such extension beyond the end of the mapped object will be zero-filled."
and
"A successful mmap deletes any previous mapping in the allocated address range."


Re: Password theft from memory?

2011-04-25 Thread C. P. Ghost
On Mon, Apr 25, 2011 at 5:15 PM, Bob Hall  wrote:
> On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
>> I don't believe the heap is allocated zeroed pages.  The kernel
>> does allocate such pages to the BSS segment, but that's because it
>> holds zeroed data such as C static variables.
>
> According to McKusick and Neville-Neil's book on FreeBSD, sbrk extends
> the uninitialized data segment with zero-filled pages. Since malloc() is
> an interface to sbrk, it does the same thing.

True, except that malloc(3) now uses both sbrk(2) and mmap(2) allocators,
depending on the user-settable flags in /etc/malloc.conf, MALLOC_OPTIONS
and the global variable _malloc_options. So you have to look into mmap(2)
too.

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: Password theft from memory?

2011-04-25 Thread Bob Hall
On Mon, Apr 25, 2011 at 03:18:46PM +0100, RW wrote:
> I don't believe the heap is allocated zeroed pages.  The kernel
> does allocate such pages to the BSS segment, but that's because it
> holds zeroed data such as C static variables.

According to McKusick and Neville-Neil's book on FreeBSD, sbrk extends
the uninitialized data segment with zero-filled pages. Since malloc() is
an interface to sbrk, it does the same thing.


Re: Password theft from memory?

2011-04-25 Thread RW
On Sun, 24 Apr 2011 19:53:41 +0200
"C. P. Ghost"  wrote:

> On Sun, Apr 24, 2011 at 7:10 PM, Modulok  wrote:
> > I don't know if this is a problem on FreeBSD...
> >
> > Process A requests memory.
> > Process A Stores a plaintext password in memory or other sensitive
> > data. Process A terminates and the memory is reclaimed by kernel.
> >
> > Process B requests a *huge* chunk of memory.
> > Process B crawls the uninitialized memory, looking for ProcessA's
> > previously stored password.
> >
> > Does anyone know if this is even possible on FreeBSD?
> 
> Please correct me if I'm wrong (I didn't check the sources), but...
> 
> short answer: it shouldn't happen, because pages allocated to a new
> process are zero-filled by the kernel (lazily via zero-fill page
> faults when process B crawls the memory the first time).

I don't believe the heap is allocated zeroed pages.  The kernel
does allocate such pages to the BSS segment, but that's because it
holds zeroed data such as C static variables.

AFAIK it's the responsibility of the programmer to avoid data leaking.
Passwords are commonly overwritten as soon as they are no longer needed. I
think geli keeps persistent key information in kernel wired-memory.
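The scenario argued over in this thread, as an added C example (not code from any poster or from FreeBSD): it plants a constructed secret in anonymous pages, hands them back to the kernel, maps the same amount again and searches it, then shows the application-side habit RW describes, wiping a heap buffer before free(). The function names and SAMPLE_SECRET are assumptions made for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* expose MAP_ANON on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Constructed sample secret for the demo, not a real credential. */
static const char SAMPLE_SECRET[] = "correct-horse-battery-staple";
#define SECRET_LEN (sizeof(SAMPLE_SECRET) - 1)

/* Zero n bytes through a volatile pointer so the compiler cannot discard
 * the stores as dead just because the buffer is freed right afterwards.
 * explicit_bzero(3) does the same job where libc provides it. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Return 1 if every byte of p[0..n) is zero, else 0. */
int is_all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Count copies of the sample secret in a buffer ("process B crawling"). */
static long count_secret(const unsigned char *buf, size_t len)
{
    long hits = 0;
    for (size_t i = 0; i + SECRET_LEN <= len; i++)
        if (memcmp(buf + i, SAMPLE_SECRET, SECRET_LEN) == 0)
            hits++;
    return hits;
}

static unsigned char *map_anon(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_ANON | MAP_PRIVATE, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Write the secret into every page of an anonymous mapping, give the pages
 * back with munmap(2), map the same amount again and search it.
 * Returns the number of secret copies found in the new mapping, -1 on error. */
long secret_copies_after_remap(size_t pages)
{
    long pgsz = sysconf(_SC_PAGESIZE);
    if (pgsz <= 0 || pages == 0) return -1;
    size_t len = pages * (size_t)pgsz;
    unsigned char *a = map_anon(len);
    if (a == NULL) return -1;
    for (size_t off = 0; off < len; off += (size_t)pgsz)
        memcpy(a + off, SAMPLE_SECRET, SECRET_LEN);
    long planted = count_secret(a, len);      /* one copy per page */
    munmap(a, len);

    unsigned char *b = map_anon(len);
    if (b == NULL) return -1;
    long found = count_secret(b, len);
    munmap(b, len);
    return planted == (long)pages ? found : -1;
}

/* Application side: hold a password in heap memory, use it, wipe it.
 * Returns 1 if the buffer was all zero before free(), 0 if not, -1 on error. */
int use_and_wipe_password(void)
{
    size_t n = sizeof(SAMPLE_SECRET);
    unsigned char *buf = malloc(n);
    if (buf == NULL) return -1;
    memcpy(buf, SAMPLE_SECRET, n);
    unsigned sum = 0;             /* stand-in for the real use of the password */
    for (size_t i = 0; i < n; i++) sum += buf[i];
    secure_wipe(buf, n);
    int wiped = is_all_zero(buf, n) && sum != 0;
    free(buf);
    return wiped;
}

int main(void)
{
    printf("secret copies in fresh mapping: %ld\n", secret_copies_after_remap(64));
    printf("heap buffer wiped before free:  %d\n", use_and_wipe_password());
    return 0;
}
```

Anonymous mappings come back zero-filled from the kernel, so the remap check finds no copies; the wipe goes through a volatile pointer because a plain memset() just before free() may be removed by the optimizer.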


Re: Password theft from memory?

2011-04-24 Thread C. P. Ghost
On Sun, Apr 24, 2011 at 7:10 PM, Modulok  wrote:
> I don't know if this is a problem on FreeBSD...
>
> Process A requests memory.
> Process A Stores a plaintext password in memory or other sensitive data.
> Process A terminates and the memory is reclaimed by kernel.
>
> Process B requests a *huge* chunk of memory.
> Process B crawls the uninitialized memory, looking for ProcessA's previously
> stored password.
>
> Does anyone know if this is even possible on FreeBSD?

Please correct me if I'm wrong (I didn't check the sources), but...

short answer: it shouldn't happen, because pages allocated to a new process
are zero-filled by the kernel (lazily via zero-fill page faults when
process B crawls the memory the first time).

On the other hand, I'm not sure if the pass phrase would be visible
via /dev/kmem before those pages are actually zero-filled by the new
process. Must check the source for exit(2).

> Thanks!
> -Modulok-

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: PASSWORD LOST!!

2010-02-13 Thread Ruben de Groot
On Fri, Feb 12, 2010 at 08:05:24AM -0600, John typed:
> > >
> > If this is a dedicated server (or a VPS, or RPS, or any type of server 
> > hosted by a server provider), you may have a rescue system, so you can 
> > boot it and chroot yourself to access the system. Or, in some cases, you 
> > can have a KVM-over-IP access, so you can boot into single user mode.
> 
> People, people - be careful that we are not creating a formula to
> break into FreeBSD servers around the world...

That formula is already there (but fixed in more recent source of course)

http://seclists.org/fulldisclosure/2009/Nov/371



Re: PASSWORD LOST!!

2010-02-12 Thread Ross Cameron
On Fri, Feb 12, 2010 at 4:19 PM, Adam Vande More  wrote:
> On Fri, Feb 12, 2010 at 8:05 AM, John  wrote:
>
>> People, people - be careful that we are not creating a formula to
>> break into FreeBSD servers around the world...
>>
>> The only acceptable solution is for someone in Eric's organization
>> to secure physical access to the server.  It may be in a co-lo
>> situation, but if that's true, they must have a contract open and,
>> if nothing else, they terminate the contract and get the machine
>> back, though more likely, the contract allows them supervised
>> access.  Machines are not perfect - even without losing the root
>> password, they break and need maintenance - this is a MAINTENANCE
>> event and should be treated as such, just like a hard drive failure
>> or a NIC failure.
>>
>> Creating a scheme for someone to break into FreeBSD systems remotely
>> or to publicize schemes people have created to remotely manage their
>> systems in ways that could be used to compromise them is foolishness!
>>
>> Regardless of the purity of his intention, Eric is asking us to
>> tell him how to break into our homes or steal our cars. ;)
>>
>
> Security through obscurity is no security, hence it is a good exercise.

Agreed, in fact if anything (in my not so humble opinion) open source
platforms should ALWAYS publish all known compromises and also
lockdown procedures.

Doing so would make sure that those of us building the install media
and/or default configs do EVERYTHING possible to secure systems from
the get go.



-- 
"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including:
The light bulb, phonogram and motion pictures.


Re: PASSWORD LOST!!

2010-02-12 Thread Jon Radel

Adam Vande More wrote:
> On Fri, Feb 12, 2010 at 8:05 AM, John  wrote:
>
>> People, people - be careful that we are not creating a formula to
>> break into FreeBSD servers around the world...
>>
>> The only acceptable solution is for someone in Eric's organization
>> to secure physical access to the server.  It may be in a co-lo
>> situation, but if that's true, they must have a contract open and,
>> if nothing else, they terminate the contract and get the machine
>> back, though more likely, the contract allows them supervised
>> access.  Machines are not perfect - even without losing the root
>> password, they break and need maintenance - this is a MAINTENANCE
>> event and should be treated as such, just like a hard drive failure
>> or a NIC failure.
>>
>> Creating a scheme for someone to break into FreeBSD systems remotely
>> or to publicize schemes people have created to remotely manage their
>> systems in ways that could be used to compromise them is foolishness!
>>
>> Regardless of the purity of his intention, Eric is asking us to
>> tell him how to break into our homes or steal our cars. ;)
>
> Security through obscurity is no security, hence it is a good exercise.

Quite.  In any case, the OP started out by telling us how he had plugged
a monitor into the server, so we're several degrees removed from reality
by this point.


--

--Jon Radel
j...@radel.com




Re: PASSWORD LOST!!

2010-02-12 Thread Julien Gormotte

On 12/02/2010 15:19, Adam Vande More wrote:
> On Fri, Feb 12, 2010 at 8:05 AM, John wrote:
>
>> People, people - be careful that we are not creating a formula to
>> break into FreeBSD servers around the world...
>>
>> The only acceptable solution is for someone in Eric's organization
>> to secure physical access to the server.  It may be in a co-lo
>> situation, but if that's true, they must have a contract open and,
>> if nothing else, they terminate the contract and get the machine
>> back, though more likely, the contract allows them supervised
>> access.  Machines are not perfect - even without losing the root
>> password, they break and need maintenance - this is a MAINTENANCE
>> event and should be treated as such, just like a hard drive failure
>> or a NIC failure.
>>
>> Creating a scheme for someone to break into FreeBSD systems remotely
>> or to publicize schemes people have created to remotely manage their
>> systems in ways that could be used to compromise them is foolishness!
>>
>> Regardless of the purity of his intention, Eric is asking us to
>> tell him how to break into our homes or steal our cars. ;)
>
> Security through obscurity is no security, hence it is a good exercise.
>
> --
> Adam Vande More

I have to agree. Plus, these ways of setting root password are not
"breaking into" the server. If you have a KVM over IP, it is like
physical access. And rescue disks are used for these kinds of situation
(among others, like kernel config errors and such).
These methods are just what they are: recovery methods. In a dedicated
server situation, you are supposed to be the only one to have access to
the rescue systems.

If we were discussing about gaining root privileges from a normal user
account, or remotely (using security holes in php scripts, or in CGI,
or... any other thing...), your complaint would somehow make sense (but
in fact, it wouldn't, because these security holes don't have to be
hidden, they have to be corrected).



Re: PASSWORD LOST!!

2010-02-12 Thread Adam Vande More
On Fri, Feb 12, 2010 at 8:05 AM, John  wrote:

> People, people - be careful that we are not creating a formula to
> break into FreeBSD servers around the world...
>
> The only acceptable solution is for someone in Eric's organization
> to secure physical access to the server.  It may be in a co-lo
> situation, but if that's true, they must have a contract open and,
> if nothing else, they terminate the contract and get the machine
> back, though more likely, the contract allows them supervised
> access.  Machines are not perfect - even without losing the root
> password, they break and need maintenance - this is a MAINTENANCE
> event and should be treated as such, just like a hard drive failure
> or a NIC failure.
>
> Creating a scheme for someone to break into FreeBSD systems remotely
> or to publicize schemes people have created to remotely manage their
> systems in ways that could be used to compromise them is foolishness!
>
> Regardless of the purity of his intention, Eric is asking us to
> tell him how to break into our homes or steal our cars. ;)
>

Security through obscurity is no security, hence it is a good exercise.


-- 
Adam Vande More


Re: PASSWORD LOST!!

2010-02-12 Thread John
On Fri, Feb 12, 2010 at 10:29:20AM +0100, Julien Gormotte wrote:
> On 12/02/2010 02:24, Olivier Nicole wrote:
> >>>> If you have physical access to the server, just reboot it in single
> >>>> user mode, and change the password. You might need to forcibly power
> >>>> it off. It is all covered in the handbook. If you don't have physical
> >>>> access,  I think you may be out of luck...
> >>>
> >>> May be out of luck? I would hope he is totally out of luck without
> >>> physical access, if you get my drift!
> >>>
> >>> Hope you do have physical access Eric
> >>
> >> May not be out of luck depending on if the machine has had the last couple
> >> of years worth of updates. I'm guessing not if nobody has the root password
> >> and the person who had set it up in the first place has been MIA for who
> >> knows how long.
> >
> > I was thinking along the same lines, but at same time Eric didn't know
> > about booting to single user, so would he be able to remotely hack
> > into his own system?
> >
> > Olivier
> >
> If this is a dedicated server (or a VPS, or RPS, or any type of server 
> hosted by a server provider), you may have a rescue system, so you can 
> boot it and chroot yourself to access the system. Or, in some cases, you 
> can have a KVM-over-IP access, so you can boot into single user mode.

People, people - be careful that we are not creating a formula to
break into FreeBSD servers around the world...

The only acceptable solution is for someone in Eric's organization
to secure physical access to the server.  It may be in a co-lo
situation, but if that's true, they must have a contract open and,
if nothing else, they terminate the contract and get the machine
back, though more likely, the contract allows them supervised
access.  Machines are not perfect - even without losing the root
password, they break and need maintenance - this is a MAINTENANCE
event and should be treated as such, just like a hard drive failure
or a NIC failure.

Creating a scheme for someone to break into FreeBSD systems remotely
or to publicize schemes people have created to remotely manage their
systems in ways that could be used to compromise them is foolishness!

Regardless of the purity of his intention, Eric is asking us to
tell him how to break into our homes or steal our cars. ;)
-- 

John Lind
j...@starfire.mn.org


Re: PASSWORD LOST!!

2010-02-12 Thread Julien Gormotte

On 12/02/2010 02:24, Olivier Nicole wrote:
>>>> If you have physical access to the server, just reboot it in single
>>>> user mode, and change the password. You might need to forcibly power
>>>> it off. It is all covered in the handbook. If you don't have physical
>>>> access,  I think you may be out of luck...
>>>
>>> May be out of luck? I would hope he is totally out of luck without
>>> physical access, if you get my drift!
>>>
>>> Hope you do have physical access Eric
>>
>> May not be out of luck depending on if the machine has had the last couple
>> of years worth of updates. I'm guessing not if nobody has the root password
>> and the person who had set it up in the first place has been MIA for who
>> knows how long.
>
> I was thinking along the same lines, but at same time Eric didn't know
> about booting to single user, so would he be able to remotely hack
> into his own system?
>
> Olivier

If this is a dedicated server (or a VPS, or RPS, or any type of server
hosted by a server provider), you may have a rescue system, so you can
boot it and chroot yourself to access the system. Or, in some cases, you
can have a KVM-over-IP access, so you can boot into single user mode.




Re: PASSWORD LOST!!

2010-02-11 Thread Olivier Nicole
> > > If you have physical access to the server, just reboot it in single
> > > user mode, and change the password. You might need to forcibly power
> > > it off. It is all covered in the handbook. If you don't have physical
> > > access,  I think you may be out of luck...
> >
> > May be out of luck? I would hope he is totally out of luck without
> > physical access, if you get my drift!
> >
> > Hope you do have physical access Eric
>
> May not be out of luck depending on if the machine has had the last couple
> of years worth of updates. I'm guessing not if nobody has the root password
> and the person who had set it up in the first place has been MIA for who
> knows how long.

I was thinking along the same lines, but at same time Eric didn't know
about booting to single user, so would he be able to remotely hack
into his own system?

Olivier


Re: PASSWORD LOST!!

2010-02-11 Thread Liontaur
On Tue, Feb 9, 2010 at 11:44 AM, Chris Rees  wrote:

> On 9 February 2010 15:59, Mike Jeays  wrote:
>
> >
> > If you have physical access to the server, just reboot it in single
> > user mode, and change the password. You might need to forcibly power
> > it off. It is all covered in the handbook. If you don't have physical
> > access,  I think you may be out of luck...
> >
>
> May be out of luck? I would hope he is totally out of luck without
> physical access, if you get my drift!
>
> Hope you do have physical access Eric
>
> Chris

May not be out of luck depending on if the machine has had the last couple
of years worth of updates. I'm guessing not if nobody has the root password
and the person who had set it up in the first place has been MIA for who
knows how long.

Mark


Re: PASSWORD LOST!!

2010-02-09 Thread Chris Rees
On 9 February 2010 15:59, Mike Jeays  wrote:
> On February 8, 2010 01:53:22 pm Eric Petersen wrote:
>> Hey guys,
>>
>> I have a web/ftp server loaded with FreeBSD. This was done a couple
>> of years back. Since then the person or persons that did the original
>> install have gone out of business and cannot be found.
>>
>> Currently I have an issue logging into the ftp. I hooked a monitor up
>> to the server and I'm getting "filesystem full" errors and since I
>> don't have a password to get in I cannot have it fixed by someone
>> that knows UNIX. I have made numerous attempts to contact the person
>> that installed on a personal level. But I'm getting the impression he
>> has moved with no forwarding.
>>
>> If you have need for more information I will supply it. I just don't
>> know where to start. Our company's ftp is down and doesn't look like
>> it will return anytime soon with out further assistance.
>>
>> Thank you for your time and have a great day.
>>
>> --
>> Eric Petersen
>
> If you have physical access to the server, just reboot it in single user mode,
> and change the password. You might need to forcibly power it off. It is all
> covered in the handbook. If you don't have physical access,  I think you may
> be out of luck...
>

May be out of luck? I would hope he is totally out of luck without
physical access, if you get my drift!

Hope you do have physical access Eric

Chris


Re: PASSWORD LOST!!

2010-02-09 Thread Mike Jeays
On February 8, 2010 01:53:22 pm Eric Petersen wrote:
> Hey guys,
>
> I have a web/ftp server loaded with FreeBSD. This was done a couple
> of years back. Since then the person or persons that did the original
> install have gone out of business and cannot be found.
>
> Currently I have an issue logging into the ftp. I hooked a monitor up
> to the server and I'm getting "filesystem full" errors and since I
> don't have a password to get in I cannot have it fixed by someone
> that knows UNIX. I have made numerous attempts to contact the person
> that installed on a personal level. But I'm getting the impression he
> has moved with no forwarding.
>
> If you have need for more information I will supply it. I just don't
> know where to start. Our company's ftp is down and doesn't look like
> it will return anytime soon with out further assistance.
>
> Thank you for your time and have a great day.
>
> --
> Eric Petersen
> Pre-Press Technician
> Anderson Brothers Printing Company
> 4525 41st Street
> Sioux City, Iowa 51108
> phone: 712.239.
> fax: 712.239.3322
> e-mail: er...@andersonbrothers.biz
>
>
>

If you have physical access to the server, just reboot it in single user mode, 
and change the password. You might need to forcibly power it off. It is all 
covered in the handbook. If you don't have physical access,  I think you may 
be out of luck...



Re: PASSWORD LOST!!

2010-02-08 Thread Paul Schmehl
--On February 8, 2010 12:53:22 PM -0600 Eric Petersen wrote:

> Hey guys,
>
> I have a web/ftp server loaded with FreeBSD. This was done a couple of
> years back. Since then the person or persons that did the original
> install have gone out of business and cannot be found.
>
> Currently I have an issue logging into the ftp. I hooked a monitor up to
> the server and I'm getting "filesystem full" errors and since I don't
> have a password to get in I cannot have it fixed by someone that knows
> UNIX. I have made numerous attempts to contact the person that installed
> on a personal level. But I'm getting the impression he has moved with no
> forwarding.

Without a password, you need physical access to the server in order to fix
the problem.  It sounds like you have that, since you said you hooked up a
monitor to it.

Here's the steps you can take to "retrieve" the password.

Shut the server down by hitting the power button.  Then turn it back on
and watch the prompts when it's booting up.  Choose single user mode.  Then
follow these steps:

# The system will print out "Enter full pathname of shell or RETURN for /bin/sh:"
# Hit enter to get a prompt
# Type fsck -p
# Type mount -a
# Type passwd
You'll be prompted for the password twice.  This is the root password, so
it will give you full access to the system.
# Type exit to return to normal operation.  Write the password down and
lock it up in the company safe.


Surely you have professional Unix support available in Sioux City?

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
**
WARNING: Check the headers before replying



Re: PASSWORD LOST!!

2010-02-08 Thread J65nko
On Mon, Feb 8, 2010 at 7:53 PM, Eric Petersen
 wrote:
> Hey guys,
>
> I have a web/ftp server loaded with FreeBSD. This was done a couple of years
> back. Since then the person or persons that did the original install have
> gone out of business and cannot be found.
>
> Currently I have an issue logging into the ftp. I hooked a monitor up to the
> server and I'm getting "filesystem full" errors and since I don't have a
> password to get in I cannot have it fixed by someone that knows UNIX. I have
> made numerous attempts to contact the person that installed on a personal
> level. But I'm getting the impression he has moved with no forwarding.
>
> If you have need for more information I will supply it. I just don't know
> where to start. Our company's ftp is down and doesn't look like it will
> return anytime soon with out further assistance.
>
> Thank you for your time and have a great day.
>

Read 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#FORGOT-ROOT-PW
how to become root or the superuser.

It could be wise to hire somebody to fix the problem.


Re: PASSWORD LOST!!

2010-02-08 Thread Olivier Nicole
> I have a web/ftp server loaded with FreeBSD. This was done a couple  
> of years back. Since then the person or persons that did the original  
> install have gone out of business and cannot be found.

Have you tried booting in single user mode?

Olivier 


Re: password X GDM

2008-06-07 Thread Matthew Donovan
On Sat, Jun 07, 2008 at 12:20:46PM -0500, luizbcampos wrote:
> After I had installed FreeBSD-7.0-R and enabled "gdm" in
> /etc/rc.conf, the system freezes when I try to enter gnome interface
> through GDM. When I type my blank password, the script fails to go on
I believe gdm/kdm/xdm hates blank passwords just as the system hates it 



 




Re: Password file migration help

2008-01-31 Thread Mel
On Wednesday 30 January 2008 20:26:20 Vince wrote:
> Sean Murphy wrote:
> > I have a FreeBSD 5.4 system and would like to migrate users in the
> > password file with UIDs 3000 through 5000 to a FreeBSD 6.3 system on a
> > running on a separate box.  Is there a way to export just those users?
>
> hmm very roughly just a
> for uid in $(jot 2001 3000); do grep $uid /etc/master.passwd >
> accountstokeep.txt ; done

That's a bit loose, and forgot a dash. The following should really only get 
the uid's (not the gids, parts of a password, comments and what not):
for uid in $(jot - 2001 3000); do \
grep -E "^[^:]+:[^:]+:$uid:" /etc/master.passwd;
done

This doesn't migrate home dirs, but using the above and piping to:
cut -f 9 -d ':'
should give you a list of home dirs to work with.
-- 
Mel


Re: Password file migration help

2008-01-31 Thread Kemian Dang

Sean Murphy wrote:
> I have a FreeBSD 5.4 system and would like to migrate users in the
> password file with UIDs 3000 through 5000 to a FreeBSD 6.3 system on a
> running on a separate box. Is there a way to export just those users?
>
> Thanks

# Field 3 of master.passwd is the UID (field 4 is the GID); both bounds are inclusive.
awk -F: '$3 >= 3000 && $3 <= 5000' /etc/master.passwd

You should do it as root.



Re: Password file migration help

2008-01-30 Thread Jonathan McKeown
On Wednesday 30 January 2008 21:03, Sean Murphy wrote:
> I have a FreeBSD 5.4 system and would like to migrate users in the
> password file with UIDs 3000 through 5000 to a FreeBSD 6.3 system on a
> running on a separate box.  Is there a way to export just those users?

I'd probably sort /etc/master.passwd and pipe through awk:

sort -t ':' -k3,3n /etc/master.passwd | \
  awk -F ':' '$3 ~ /^3[0-9][0-9][0-9]/, $3 ~ /^5/ { print }'

This will sort /etc/master.passwd numerically on the third field, uid, and
then give you all the lines starting with the first one where the uid is a
3 followed by at least three digits, up to and including the first one after
that where the first digit of the uid is a 5.

If you capture the output you should be able to merge it on the new host.

Jonathan


Re: Password file migration help

2008-01-30 Thread Vince

Sean Murphy wrote:
> I have a FreeBSD 5.4 system and would like to migrate users in the
> password file with UIDs 3000 through 5000 to a FreeBSD 6.3 system on a
> running on a separate box.  Is there a way to export just those users?

hmm very roughly just a
for uid in $(jot 2001 3000); do grep $uid /etc/master.passwd ; done > accountstokeep.txt
should extract the accounts from the old server (no error checking
though so if any other account has a gid in the range 3000 to 5000 it
will also be caught).

Then in theory
cat accountstokeep.txt >> /etc/master.passwd
followed by
pwd_mkdb -p /etc/master.passwd
should be enough.

Again care should be taken that there are no conflicting accounts
already in the /etc/master.passwd file.

(a quick
for uid in $(jot 2001 3000); do grep $uid /etc/master.passwd ; done
on the new machine before adding to it should give you a quick check.)

Don't forget to ensure shells and home directories are available as needed.

Vince

> Thanks




Re: Password file migration help

2008-01-30 Thread Paul A. Procacci

Sean Murphy wrote:
> I have a FreeBSD 5.4 system and would like to migrate users in the
> password file with UIDs 3000 through 5000 to a FreeBSD 6.3 system on a
> running on a separate box.  Is there a way to export just those users?
>
> Thanks

Open vi/vim/etc on both machines via `vipw`, and copy 'n' paste.  Repeat
for the group file if necessary.



Re: password failure- after mergmaster

2007-07-09 Thread Peter Boosten
David Kelly wrote:
> On Mon, Jul 09, 2007 at 01:29:44PM -0700, Chuck Swiger wrote:
>> On Jul 9, 2007, at 1:25 PM, Peter Boosten wrote:
>>> Having read this I must admit that it's a complete mystery to me why
>>> mergemaster would touch your password file at all...
>> Because sometimes new versions of the OS come with new built-in user  
>> accounts, which need to be added to the existing passwd or groups  
>> databases somehow?
> 
> Yes, exactly. Have to *merge* the changes into /etc/master.passwd rather
> than brute force overwrite.
> 

Thanks David, that's indeed my point: FreeBSD comes packed with tools,
among them are tools to create (or to delete) user accounts. Those tools
can easily be scripted.

Peter
-- 
http://www.boosten.org


RE: password failure- after mergmaster

2007-07-09 Thread Jean-Paul Natola

On 09/07/07, Jean-Paul Natola <[EMAIL PROTECTED]> wrote:
>
>
> On Mon, Jul 09, 2007 at 01:29:44PM -0700, Chuck Swiger wrote:
> > On Jul 9, 2007, at 1:25 PM, Peter Boosten wrote:
> > >
> > >Having read this I must admit that it's a complete mystery to me why
> > >mergemaster would touch your password file at all...
> >
> > Because sometimes new versions of the OS come with new built-in user
> > accounts, which need to be added to the existing passwd or groups
> > databases somehow?
>
> Yes, exactly. Have to *merge* the changes into /etc/master.passwd rather
> than brute force overwrite.
>
> Notice the difference from my first post in this thread, the file which
> was clobbered is /etc/master.passwd, not just /etc/passwd which is a
> dummy
>
>
> I'M DONE now- now I can't even boot into safe or single user mode
>
> It keeps asking me to enter full pathname of  shell or RETURN  for /bin/sh
>
> I hit enter and I see the same message again , and again , and again and
> again

Try typing /rescue/sh

-- 
--

I'll try that in the am-  I am just about finished configuring a new server (
well a replacement  drive in the box)- since I have all my important info; 
Config files cf files etc.. saved, I should be done  pretty soon.

But I will definitely try your method just to satisfy my curiosity




Re: password failure- after mergmaster

2007-07-09 Thread [EMAIL PROTECTED]

On 09/07/07, Jean-Paul Natola <[EMAIL PROTECTED]> wrote:
>
>
> On Mon, Jul 09, 2007 at 01:29:44PM -0700, Chuck Swiger wrote:
> > On Jul 9, 2007, at 1:25 PM, Peter Boosten wrote:
> > >
> > >Having read this I must admit that it's a complete mystery to me why
> > >mergemaster would touch your password file at all...
> >
> > Because sometimes new versions of the OS come with new built-in user
> > accounts, which need to be added to the existing passwd or groups
> > databases somehow?
>
> Yes, exactly. Have to *merge* the changes into /etc/master.passwd rather
> than brute force overwrite.
>
> Notice the difference from my first post in this thread, the file which
> was clobbered is /etc/master.passwd, not just /etc/passwd which is a
> dummy
>
>
> I'M DONE now- now I can't even boot into safe or single user mode
>
> It keeps asking me to enter full pathname of  shell or RETURN  for /bin/sh
>
> I hit enter and I see the same message again , and again , and again and
> again


Try typing /rescue/sh

--
--


Re: password failure- after mergmaster

2007-07-09 Thread Chuck Swiger

On Jul 9, 2007, at 2:44 PM, Jean-Paul Natola wrote:
>> Because sometimes new versions of the OS come with new built-in user
>> accounts, which need to be added to the existing passwd or groups
>> databases somehow?
>
> Yes, exactly. Have to *merge* the changes into /etc/master.passwd rather
> than brute force overwrite.
>
> Notice the difference from my first post in this thread, the file which
> was clobbered is /etc/master.passwd, not just /etc/passwd which is a
> dummy
>
> I'M DONE now- now I can't even boot into safe or single user mode
>
> It keeps asking me to enter full pathname of  shell or RETURN  for /bin/sh
>
> I hit enter and I see the same message again , and again , and again and again


I have two thoughts for you:

One, FreeBSD should be a little easier to update, as the instructions  
for doing so are mildly complicated and are buried too far within the  
UPDATING document.


Two, you really should learn how to perform an update and/or recover  
from system problems if it doesn't boot by working on a test system  
first, and only making significant changes to a production system  
once you've gotten confident you know what you are doing.  Failing  
that, perhaps you ought to hire a sysadmin or consultant with decent  
BSD experience, and let them solve the issues so that you can focus  
on other things


--
-Chuck



RE: password failure- after mergmaster

2007-07-09 Thread Jean-Paul Natola


On Mon, Jul 09, 2007 at 01:29:44PM -0700, Chuck Swiger wrote:
> On Jul 9, 2007, at 1:25 PM, Peter Boosten wrote:
> >
> >Having read this I must admit that it's a complete mystery to me why
> >mergemaster would touch your password file at all...
> 
> Because sometimes new versions of the OS come with new built-in user  
> accounts, which need to be added to the existing passwd or groups  
> databases somehow?

Yes, exactly. Have to *merge* the changes into /etc/master.passwd rather
than brute force overwrite.

Notice the difference from my first post in this thread, the file which
was clobbered is /etc/master.passwd, not just /etc/passwd which is a
dummy 


I'M DONE now- now I can't even boot into safe or single user mode

It keeps asking me to enter full pathname of  shell or RETURN  for /bin/sh

I hit enter and I see the same message again , and again , and again and
again




Re: password failure- after mergmaster

2007-07-09 Thread David Kelly
On Mon, Jul 09, 2007 at 01:29:44PM -0700, Chuck Swiger wrote:
> On Jul 9, 2007, at 1:25 PM, Peter Boosten wrote:
> >
> >Having read this I must admit that it's a complete mystery to me why
> >mergemaster would touch your password file at all...
> 
> Because sometimes new versions of the OS come with new built-in user  
> accounts, which need to be added to the existing passwd or groups  
> databases somehow?

Yes, exactly. Have to *merge* the changes into /etc/master.passwd rather
than brute force overwrite.

Notice the difference from my first post in this thread, the file which
was clobbered is /etc/master.passwd, not just /etc/passwd which is a
dummy file generated from master.passwd.

In single user he can "mount -a" to get all the filesystems mounted
read/write, then extract /etc/master.passwd file from his level 0 dump.
But once again it needs to be diff'ed against the "new" version written
by mergemaster to see why mergemaster changed it.

Then the password databases need to be rebuilt. The easiest way (and
only way I remember without manpage surfing) is to run vipw and
trivially change the master password file. On exit vipw rebuilds the
password databases with pwd_mkdb(8) (I had to look that up).

-- 
David Kelly N4HHE, [EMAIL PROTECTED]

Whom computers would destroy, they must first drive mad.


Re: password failure- after mergmaster

2007-07-09 Thread Matthew Seaman
David Kelly wrote:
> On Mon, Jul 09, 2007 at 04:06:01PM -0400, Jean-Paul Natola wrote:
>> OOOPSS-
>>
>> I got mergemaster to run- but now that the system restarted the root password
>> and my password are invalid-
>>
>> I can ONLY start in single user mode-
> 
> You let mergemaster clobber the password file.
> 
> So in single user, "mount -a", then use vipw to recreate your accounts
> in the password database. On exit from vipw use passwd to set the
> passwords. 
> 

Note that there will be a backup copy of the master.passwd file in
/var/backups/master.passwd.bak -- there will be possibly more than one
backup copy in that directory.  These are created by the nightly
periodic script:

/etc/periodic/daily/200.backup-passwd

which is enabled by default. As these run overnight the backed-up
copy should pre-date your adventures with mergemaster.  Verify that
the contents are sensible, then copy it back to /etc/master.passwd
and run pwd_mkdb(8) to generate /etc/passwd and /etc/pwd.db from it.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


Re: password failure- after mergmaster

2007-07-09 Thread Peter Boosten


David Kelly wrote:
> On Mon, Jul 09, 2007 at 04:06:01PM -0400, Jean-Paul Natola wrote:
>> OOOPSS-
>>
>> I got mergemaster to run- but now that the system restarted the root password
>> and my password are invalid-
>>
>> I can ONLY start in single user mode-
> 
> You let mergemaster clobber the password file.
> 
> So in single user, "mount -a", then use vipw to recreate your accounts
> in the password database. On exit from vipw use passwd to set the
> passwords. 
> 

Having read this I must admit that it's a complete mystery to me why
mergemaster would touch your password file at all...

/me puzzled...

Peter
-- 
http://www.boosten.org


Re: password failure- after mergmaster

2007-07-09 Thread Derek Ragona

At 03:06 PM 7/9/2007, Jean-Paul Natola wrote:
> OOOPSS-
>
> I got mergemaster to run- but now that the system restarted the root password
> and my password are invalid-
>
> I can ONLY start in single user mode-
>
> I still do have level 0 dump of 5.4  on my network is this my only option



This really sounds like you did an upgrade that went bad.  If you did 
upgrade you can do a restore from your dump, and try again.  Or just check 
or reset the root password in single user.


What error are you getting going into multi-user?

-Derek


Re: password failure- after mergmaster

2007-07-09 Thread Chuck Swiger

On Jul 9, 2007, at 1:25 PM, Peter Boosten wrote:
>> You let mergemaster clobber the password file.
>>
>> So in single user, "mount -a", then use vipw to recreate your accounts
>> in the password database. On exit from vipw use passwd to set the
>> passwords.
>
> Having read this I must admit that it's a complete mystery to me why
> mergemaster would touch your password file at all...

Because sometimes new versions of the OS come with new built-in user
accounts, which need to be added to the existing passwd or groups
databases somehow?


--
-Chuck
 


Re: password failure- after mergmaster

2007-07-09 Thread David Kelly
On Mon, Jul 09, 2007 at 04:06:01PM -0400, Jean-Paul Natola wrote:
> OOOPSS-
> 
> I got mergemaster to run- but now that the system restarted the root password
> and my password are invalid-
> 
> I can ONLY start in single user mode-

You let mergemaster clobber the password file.

So in single user, "mount -a", then use vipw to recreate your accounts
in the password database. On exit from vipw use passwd to set the
passwords. 

-- 
David Kelly N4HHE, [EMAIL PROTECTED]

Whom computers would destroy, they must first drive mad.


Re: password failure- after mergmaster

2007-07-09 Thread John Nielsen
On Monday 09 July 2007 04:06:01 pm Jean-Paul Natola wrote:
> OOOPSS-
>
> I got mergemaster to run- but now that the system restarted the root
> password and my password are invalid-
>
> I can ONLY start in single user mode-
>
> I still do have level 0 dump of 5.4  on my network is this my only option
> ?

It's always wise to back up /etc before running mergemaster to cover just this 
type of mistake. In this case I'm guessing you replaced 
your /etc/master.passwd with the default one.

From single-user mode, set the root password using the "passwd" utility.

You will probably need to re-add your user account and any others that aren't 
part of the system default. I would grab /etc/master.passwd from your backup 
and do a line-by-line comparison with the file currently installed on your 
system. When re-adding users, be sure to use the same UID's and GID's so that 
file permissions will be correct. See man pw for details.

Alternatively, you could replace /etc/master.passwd with the copy from your 
backup and run mergemaster again. This time pay attention and actually merge 
the file.

JN


Re: password againg and other policy enforcement

2007-06-30 Thread Eygene Ryabinkin
Me again.  Forgot to finish the sentence, sorry.

Sat, Jun 30, 2007 at 11:59:49PM +0400, Eygene Ryabinkin wrote:
> > 1. Administrator can enforce password expire in /etc/login.conf
> 
> In the /etc/master.passwd. login.conf has the fields, but does
> not implement the functionality, if the manpage is right:
> =
> RESERVED CAPABILITIES
>  The following capabilities are reserved for the purposes indicated and
>  may be supported by third-party software.  They are not implemented in
>  the base system.
> 
>  Name            Type      Notes     Description
> <...>
>  expireperiod    time                Time for expiry allocation.
>  graceexpire     time                Grace days for expired account.
> =
> But the following fields are working:
=
 warnexpire      time                Advance notice for pending account
                                     expiry.
 warnpassword    time                Advance notice for pending password
                                     expiry.
=
So this can provide some warnings to the user when it logs in.
-- 
Eygene


Re: password againg and other policy enforcement

2007-06-30 Thread Eygene Ryabinkin
Patrick, good day.

Sat, Jun 30, 2007 at 10:12:59AM -0700, Patrick Dung wrote:
> 1. Administrator can enforce password expire in /etc/login.conf

In the /etc/master.passwd. login.conf has the fields, but does
not implement the functionality, if the manpage is right:
=
RESERVED CAPABILITIES
 The following capabilities are reserved for the purposes indicated and
 may be supported by third-party software.  They are not implemented in
 the base system.

 Name            Type      Notes     Description
<...>
 expireperiod    time                Time for expiry allocation.
 graceexpire     time                Grace days for expired account.
=
But the following fields are working:

> Is there any tool that can check when the password will expire for the
> users?

Yep,
=
$ LANG=C date -r `pw showuser  | cut -d: -f 6`
Tue Jan 20 00:00:00 MSK 2009

$ LANG=C date -r `pw showuser  | cut -d: -f 7`
Sat Feb 28 00:00:00 MSK 2009


> 2. Any good way to enforce minimum password length and other
> restriction(like password need at least 2 numbers, 2 special char)?
> 
> 3. Any ways to prevent user reuse old password?

man pam_passwdqc, search for the 'match' and 'similar'.

But for the '3.': user still can change his password to something
and immediately bounce back to the old password.  The longer password
history changes the chain length, but does not solve the problem
completely.  The complete password history can help, but it is out
of the passwdqc's scope: it just checks against the current password.
-- 
Eygene
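
The two date commands in the message above read fields 6 and 7 of one account's record. As an added example that is not part of the message, the same fields are checked here for every record in a master.passwd-format file; the function names, the warning window and the sample records are constructed for illustration, and the current time is passed in so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the thread): deadlines for every master.passwd(5)
# record. Field 6 ("change") is when the password must be changed, field 7
# ("expire") is when the account expires; both are seconds since the epoch,
# and 0 or empty means no deadline is set.

# expiry_report FILE NOW WARN_DAYS
# Prints "login kind state days" for each deadline that is set:
#   kind  = password (field 6) or account (field 7)
#   state = expired | warn (inside WARN_DAYS) | ok
#   days  = whole days remaining, truncated toward zero (negative once past)
expiry_report() {
    awk -F: -v now="$2" -v warn="$3" '
        function report(who, kind, t,    left, state) {
            if (t !~ /^[0-9]+$/ || t + 0 == 0) return   # no deadline set
            left = t - now
            if (left <= 0)                 state = "expired"
            else if (left <= warn * 86400) state = "warn"
            else                           state = "ok"
            print who, kind, state, int(left / 86400)
        }
        /^#/ || NF != 10 { next }                       # comments, malformed lines
        { report($1, "password", $6); report($1, "account", $7) }
    ' "$1"
}

# Constructed sample records; "*" stands in for the password hash field.
sample_records() {
    cat <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::1232398800:1235768400:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002::1231200000:0:Bob Example:/home/bob:/bin/sh
carol:*:1003:1003::1230000000:1230500000:Carol Example:/home/carol:/bin/sh
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_records > "$tmp"
    # 1230768000 is 2009-01-01 00:00:00 UTC; warn 14 days ahead
    expiry_report "$tmp" 1230768000 14
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a live system the call would be expiry_report /etc/master.passwd "$(date +%s)" 14, run as root because master.passwd is not world-readable.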


Re: password againg and other policy enforcement

2007-06-30 Thread Patrick Dung
Thanks for reply.

pam_passwdqc has feature to enforce min password length, and the
combination. Also it can check the similarity with the current and new
password.

But tools to check when users password will expire is missing.
Also it cannot keep password history (password that the user had used).
The user can use password A, then user change to password B and then
change back to password A...

Regards
Patrick

--- Manolis Kiagias <[EMAIL PROTECTED]> wrote:

> Patrick Dung wrote:
> > I have some question about password policy in FreeBSD:
> >
> > 1. Administrator can enforce password expire in /etc/login.conf
> > Is there any tool that can check when the password will expire for
> the
> > users?
> >
> > 2. Any good way to enforce minimum password length and other
> > restriction(like password need at least 2 numbers, 2 special char)?
> >
> > 3. Any ways to prevent user reuse old password?
> >
> > Regards
> > Patrick
> >   
> These options have been moved to PAM (Pluggable Authentication
> Modules).
> Have a look at /etc/pam.d
> You will find a file called passwd
> Edit it and uncomment the line:
> 
> password        requisite       pam_passwdqc.so
> 
> Change the options you require per the manual page
> 
> (man 8 pam_passwdqc)
> 
> A lot of restrictions can be placed on the password (history,
> complexity, number of chars / symbols and so on).
> 
> Manolis
> 
> 



   


Re: password againg and other policy enforcement

2007-06-30 Thread Manolis Kiagias
Patrick Dung wrote:
> I have some question about password policy in FreeBSD:
>
> 1. Administrator can enforce password expire in /etc/login.conf
> Is there any tool that can check when the password will expire for the
> users?
>
> 2. Any good way to enforce minimum password length and other
> restriction(like password need at least 2 numbers, 2 special char)?
>
> 3. Any ways to prevent user reuse old password?
>
> Regards
> Patrick
>   
These options have been moved to PAM (Pluggable Authentication Modules).
Have a look at /etc/pam.d
You will find a file called passwd
Edit it and uncomment the line:

password        requisite       pam_passwdqc.so

Change the options you require per the manual page

(man 8 pam_passwdqc)

A lot of restrictions can be placed on the password (history,
complexity, number of chars / symbols and so on).

Manolis



Re: password file migration

2007-06-15 Thread Ofloo

I did the same thing a long time ago and I just created used pwd_mkdb, and it
worked fine.

Though I'm not entirely sure what this has to do with this topic.


Mark Messier wrote:
> 
> 
> I know this has been covered before, but the search mechanism
> at the mailing list archive doesn't seem to work (zero matches for
> the word: password).
> 
> I've got a 5.3 system and a 6.2 system.  I want to migrate the user
> accounts from the 5.3 to the 6.2.  They use different encryption
> mechanisms for the password in master.password.
> 
> Other than running a cracker, is there a way to upconvert the
> old to the new?
> 
> Thanks,
> -mark
> 
> 



Re: password file migration

2007-06-15 Thread Garrett Cooper

Ofloo wrote:
> I did the same thing a long time ago and I just created used pwd_mkdb, and it
> worked fine.
>
> Though I'm not entirely sure what this has to do with this topic.
>
> Mark Messier wrote:
>> I know this has been covered before, but the search mechanism
>> at the mailing list archive doesn't seem to work (zero matches for
>> the word: password).
>>
>> I've got a 5.3 system and a 6.2 system.  I want to migrate the user
>> accounts from the 5.3 to the 6.2.  They use different encryption
>> mechanisms for the password in master.password.
>>
>> Other than running a cracker, is there a way to upconvert the
>> old to the new?
>>
>> Thanks,
>> -mark

Simply running mergemaster (part of the recommended upgrade errata)
should do the trick, as it will prompt you to execute some commands to
'upgrade' the password database and other relevant databases.

-Garrett


Re: password file migration

2007-06-14 Thread Kris Kennaway
On Thu, Jun 14, 2007 at 02:57:41PM -0700, Mark Messier wrote:
> 
> I know this has been covered before, but the search mechanism
> at the mailing list archive doesn't seem to work (zero matches for
> the word: password).
> 
> I've got a 5.3 system and a 6.2 system.  I want to migrate the user
> accounts from the 5.3 to the 6.2.  They use different encryption
> mechanisms for the password in master.password.
> 
> Other than running a cracker, is there a way to upconvert the
> old to the new?

They are backwards compatible formats, so why do you want to change?

If you are concerned that the old password hash is insecure (if it's
an ancient DES password, this is true), then you will need to generate
a new password for each affected account.  One way to do this is by
using password expiry to force a change on next user login (see
e.g. pw(8)).

Kris
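
To find which migrated accounts still carry a DES hash and therefore need a new password, as the message above describes, the hash field can be classified by its prefix. This is an added example, not part of the message: the function names and sample records are constructed, the hash strings are fake placeholders, and the SHA prefixes go beyond the formats named in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the hash scheme of each
# master.passwd(5) record by the shape of field 2, following crypt(3):
#   13 characters of [./0-9A-Za-z]         traditional DES
#   "_" followed by 19 such characters     extended DES
#   $1$ MD5, $2... Blowfish, $5$ SHA-256, $6$ SHA-512

# hash_schemes FILE -> "login scheme" per record
hash_schemes() {
    awk -F: '
        function scheme(h) {
            if (h == "")                          return "none"      # no password
            if (index(h, "*LOCKED*") == 1)        return "locked"    # pw lock
            if (substr(h, 1, 1) == "*" || substr(h, 1, 1) == "!") return "disabled"
            if (substr(h, 1, 3) == "$1$")         return "md5"
            if (substr(h, 1, 2) == "$2")          return "blowfish"
            if (substr(h, 1, 3) == "$5$")         return "sha256"
            if (substr(h, 1, 3) == "$6$")         return "sha512"
            if (length(h) == 20 && h ~ "^_[./0-9A-Za-z]+$") return "des-extended"
            if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")  return "des"
            return "unknown"
        }
        /^#/ || NF != 10 { next }                 # comments, malformed lines
        { print $1, scheme($2) }
    ' "$1"
}

# legacy_des_accounts FILE -> logins whose hash is either DES variant; these
# are the accounts to put on forced password change (password expiry, pw(8)).
legacy_des_accounts() {
    hash_schemes "$1" | awk '$2 == "des" || $2 == "des-extended" { print $1 }'
}

# Constructed sample records; every hash string is a fake placeholder.
sample_records() {
    cat <<'EOF'
root:$2a$04$CONSTRUCTEDSALTCONSTRUCTEDHASH:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
olduser:xxFAKEDESHASH:1001:1001::0:0:Old User:/home/olduser:/bin/sh
bsdiuser:_J9..FAKEFAKEFAKEFAK:1002:1002::0:0:BSDi User:/home/bsdiuser:/bin/sh
md5user:$1$fakesalt$CONSTRUCTEDHASHVALUE00:1003:1003::0:0:MD5 User:/home/md5user:/bin/sh
lockeduser:*LOCKED*$1$fakesalt$CONSTRUCTEDHASH:1004:1004::0:0:Locked:/home/locked:/bin/sh
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_records > "$tmp"
    hash_schemes "$tmp"
    echo "need a new password:"
    legacy_des_accounts "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```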


Re: Password on command line with SCP

2007-01-20 Thread RW
On Fri, 19 Jan 2007 22:38:44 -0800
"Don O'Neil" <[EMAIL PROTECTED]> wrote:

> 
> Is there any way to pass the password for an SCP command via the
> command line as a switch? I'd like to embed SCP in a script and pass
> the password once through a command line input from the master
> script... By default any time I use the -B mode it says passwords are
> required, and without -B it asks for the password after the command
> starts to execute.

Can you not just use:

   :@

in place of the hostname? 


Re: Password on command line with SCP

2007-01-19 Thread Dan Nelson
In the last episode (Jan 20), Jeff Royle said:
> Don O'Neil wrote:
> > Is there any way to pass the password for an SCP command via the
> > command line as a switch? I'd like to embed SCP in a script and
> > pass the password once through a command line input from the master
> > script... By default any time I use the -B mode it says passwords
> > are required, and without -B it asks for the password after the
> > command starts to execute.
> 
> The only way I know of is to use keys for your authentication.
> 
> You then can use 'scp -B -i  file1 file2 ... example.com:.'

You can also use ports/lang/expect to script entering the password, but
it's more fragile than using keys.

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: Password on command line with SCP

2007-01-19 Thread Jeff Royle

Don O'Neil wrote:
> Is there any way to pass the password for an SCP command via the command
> line as a switch? I'd like to embed SCP in a script and pass the password
> once through a command line input from the master script... By default any
> time I use the -B mode it says passwords are required, and without -B it
> asks for the password after the command starts to execute.
>
> Thanks!


The only way I know of is to use keys for your authentication.

You then can use 'scp -B -i  file1 file2 ... example.com:.'

Hope that helps.

Cheers,

Jeff



Re: Password Security

2006-11-24 Thread VeeJay

On 11/24/06, RW <[EMAIL PROTECTED]> wrote:
>
> On Friday 24 November 2006 05:37, Norberto Meijome wrote:
> > Precisely - MS makes a very strong (and valid) point of saying that once
> > 'the bad guys' have physical access to your box, the machine is owned.
> >
> > There was a (very cool) presentation in Ruxcon (ruxcon.org) this year about
> > hacking into someone's machine via Firewire. And even if it was an exploit,
> > neither the researcher/hacker nor MS would consider it "security issue",
> > because to use this FW attack you need physical access... ie, you've lost
> > the battle already, it's just a matter of picking your method of breaking
> > in.
>
> I think that's  a bit complacent of MS, given that most instances of their OS
> don't run on servers.
>
> If a desktop machine has encrypted partitions, it is protected against someone
> stealing it and breaking in at their convenience. Reading data from a running
> machine, shouldn't be as convenient and inconspicuous as plugging-in a cable.




But what about database encryption? Is it possible to encrypt mySQL database
and what is the best method to encrypt which does not affect the
performance?

--
Thanks!

BR / vj


Re: Password Security

2006-11-24 Thread RW
On Friday 24 November 2006 05:37, Norberto Meijome wrote:
> Precisely - MS makes a very strong (and valid) point of saying that once
> 'the bad guys' have physical access to your box, the machine is owned.
>
> There was a (very cool) presentation in Ruxcon (ruxcon.org) this year about
> hacking into someone's machine via Firewire. And even if it was an exploit,
> neither the researcher/hacker nor MS would consider it "security issue",
> because to use this FW attack you need physical access... ie, you've lost
> the battle already, it's just a matter of picking your method of breaking
> in.

I think that's  a bit complacent of MS, given that most instances of their OS 
don't run on servers. 

If a desktop machine has encrypted partitions, it is protected against someone 
stealing it and breaking in at their convenience. Reading data from a running 
machine, shouldn't be as convenient and inconspicuous as plugging-in a cable.


Re: Password Security

2006-11-23 Thread Norberto Meijome
On Thu, 23 Nov 2006 08:25:20 -0500
Bill Moran <[EMAIL PROTECTED]> wrote:

> >  So, does it mean that Windows 2003 Server provides more Password Level
> > Security with Unauthorized Access?  
> 
> Where is this presumption coming from?  Windows OS suffer from the same
> difficulty protecting from physical intrusion that any other OS does.

Precisely - MS makes a very strong (and valid) point of saying that once 'the
bad guys' have physical access to your box, the machine is owned.

There was a (very cool) presentation in Ruxcon (ruxcon.org) this year about
hacking into someone's machine via Firewire. And even if it was an exploit,
neither the researcher/hacker nor MS would consider it "security issue", because
to use this FW attack you need physical access... ie, you've lost the battle
already, it's just a matter of picking your method of breaking in.

In short, secure the box both physically and network / services-wise as much as
possible.

Best,
_
{Beto|Norberto|Numard} Meijome

UFOs are for real: the Air Force doesn't exist.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.


Re: Password Security

2006-11-23 Thread Olivier Nicole
> 1. Password on BIOS

Knowing that it is enough to remove the battery in order to remove
the BIOS password.

> 2. Change the order of booting i.e. When system is installed and working
> once, then I just the change the Booting FIRST from HardDisk.

You can also consider to remove the CD and floppy drives. Modern
machines can boot from USB CD when needed.

> 3. Put the password on Single User mode.

Right.

4. Encrypt your hard disk. 

Olivier


Re: Password Security

2006-11-23 Thread Joerg Pernfuss
On Thu, 23 Nov 2006 17:47:26 -0500
Bill Moran <[EMAIL PROTECTED]> wrote:

> > Well, I am not an expert on FreeBSD. And that's why I don't know
> > that how it works that
> > 
> > If 4 Disks of same size for example 146GB each and they are
> > configured with RAID 10, and Root, SWAP, /usr, /var File systems
> > have been created on them. And if one takes one or two harddisks
> > and how come he would be able to read the data when data is splited
> > on 4 disks?
> 
> Your logic escapes me.  If someone were to physically break in to the
> machine to steal your data, why would they only take some of the
> drives?

And to add to it, just in case this comes up next:

if the drives are attached to some kind of external controller, of
course one takes that too.
Even easier if you steal a geom based software-raid10. just put the
drives into a freebsd box and the volume appears (if glabel is also used).
Otherwise you'll have to do some juggling, but surely no rocket science.


-- 
| /"\   ASCII ribbon   |  GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against |    0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
|  X    HTML in email  |        .the next sentence is true.       |
| / \     and news     |     .the previous sentence was a lie.    |




Re: Password Security

2006-11-23 Thread Bill Moran
On Thu, 23 Nov 2006 23:08:18 +0100
VeeJay <[EMAIL PROTECTED]> wrote:

> On 11/23/06, Bill Moran <[EMAIL PROTECTED]> wrote:
> >
> > On Thu, 23 Nov 2006 10:45:19 +0100
> > VeeJay <[EMAIL PROTECTED]> wrote:
> >
> > > On 11/23/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > And how can one into the System by booting from a CD if it still
> > > > > requires the Password even in Single User mode?
> > > >
> > > > Booting from CD, floppy or hard disk is selected at BIOS level.
> > > >
> > > > Booting in single or multi user mode is at Operating system level.
> > > >
> > > > Booting is in the following order:
> > > >
> > > > 1) BIOS select what medium to boot from
> > > >
> > > > 2) the operating system boot from the selected medium
> > > >
> > > > So when it comes to the Single user password, it is already at stage 2)
> > > > it has passed the stage 1 (booting from hard disk or CD) without
> > > > password.
> > > >
> > > > Olivier
> > > >
> > >
> > > So, it means, that I should take the following steps
> > >
> > > 1. Password on BIOS
> > > 2. Change the order of booting i.e. When system is installed and working
> > > once, then I just the change the Booting FIRST from HardDisk.
> > > 3. Put the password on Single User mode.
> > >
> > > So, what more? Do you people think that I have got somehow security
> > > barrier for unauthorized access?
> >
> > Physically _LOCK_ the server up.  Anyone who can get physical access to
> > the unit can remove the drive and access it from another machine,
> > bypassing all this stuff.
> >
> > Another option is to encrypt the hard drives, but this will require you
> > (or someone else) to enter the password for the encrypted drives every
> > time the system boots up, so it's generally a maintenance nightmare.
> >
> 
> 
> Well, I am not an expert on FreeBSD. And that's why I don't know that how it
> works that
> 
> If 4 Disks of same size for example 146GB each and they are configured with
> RAID 10, and Root, SWAP, /usr, /var File systems have been created on them.
> And if one takes one or two hard disks and how come he would be able to read
> the data when data is split on 4 disks?

Your logic escapes me.  If someone were to physically break in to the machine
to steal your data, why would they only take some of the drives?


How RAID 10 works (was: Re: Password Security)

2006-11-23 Thread N.J. Mann
PMFJI

On Thu 23 Nov 23:08, VeeJay wrote:
> Well, I am not an expert on FreeBSD. And that's why I don't know that how it
> works that
> 
> If 4 Disks of same size for example 146GB each and they are configured with
> RAID 10, and Root, SWAP, /usr, /var File systems have been created on them.
> And if one takes one or two hard disks and how come he would be able to read
> the data when data is split on 4 disks?

With a four disk RAID 10 array you would need two (or more) drives and
it would have to be the right two in order to read _all_ of the data.
See:

http://www.techtutorials.net/tutorials/hardware/raid.shtml

RAID 10 is near the bottom.


Cheers,
   Nick.
-- 
"Elves are wonderful. They provoke wonder.
Elves are marvellous.  They provoke marvels.
Elves are fantastic.  They create fantasies.
Elves are glamorous.  They project glamour.
Elves are enchanting.  They weave enchantment.
Elves are terrific.  They beget terror.
No-one ever said elves are _nice_.
Elves are _bad_."


Re: Password Security

2006-11-23 Thread VeeJay

On 11/23/06, Bill Moran <[EMAIL PROTECTED]> wrote:


On Thu, 23 Nov 2006 10:45:19 +0100
VeeJay <[EMAIL PROTECTED]> wrote:

> On 11/23/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> >
> > > And how can one into the System by booting from a CD if it still
> > > requires the Password even in Single User mode?
> >
> > Booting from CD, floppy or hard disk is selected at BIOS level.
> >
> > Booting in single or multi user mode is at Operating system level.
> >
> > Booting is in the following order:
> >
> > 1) BIOS select what medium to boot from
> >
> > 2) the operating system boot from the selected medium
> >
> > So when it comes to the Single user password, it is already at stage 2)
> > it has passed the stage 1 (booting from hard disk or CD) without
> > password.
> >
> > Olivier
> >
>
> So, it means, that I should take the following steps
>
> 1. Password on BIOS
> 2. Change the order of booting i.e. When system is installed and working
> once, then I just the change the Booting FIRST from HardDisk.
> 3. Put the password on Single User mode.
>
> So, what more? Do you people think that I have got somehow security
> barrier for unauthorized access?

Physically _LOCK_ the server up.  Anyone who can get physical access to
the unit can remove the drive and access it from another machine,
bypassing all this stuff.

Another option is to encrypt the hard drives, but this will require you
(or someone else) to enter the password for the encrypted drives every
time the system boots up, so it's generally a maintenance nightmare.




Well, I am not an expert on FreeBSD. And that's why I don't know that how it
works that

If 4 Disks of same size for example 146GB each and they are configured with
RAID 10, and Root, SWAP, /usr, /var File systems have been created on them.
And if one takes one or two hard disks and how come he would be able to read
the data when data is split on 4 disks?
--
Thanks!

BR / vj


Re: Password Security

2006-11-23 Thread Christian Walther

Being able to Kensington lock the machine so that it can't be opened
(thinking of Dells), you can prevent physical access to a large
degree (only have to worry about people that can screw up the lock),
and prevent people from taking the drive OR resetting the CMOS
jumper, giving people access to the BIOS without a password (one
thing that many people haven't mentioned about security so far).
-Garrett


Sorry to disappoint you, but Kensington locks can easily be unlocked,
using a toilet paper roll, pen, and tape. We tried this at work
because my colleague protected his flat screen with it, but forgot his
key at home on the day we moved to a new office. We needed a bit
longer, though...

The video is wmv, but I didn't find a version in another format (but
mplayer can play it): http://www.toool.nl/kensington623.wmv

I wonder if the data on this machine is as sensitive as this thread
suggests it... ;)


Re: Password Security

2006-11-23 Thread Garrett Cooper

On Nov 23, 2006, at 7:57 AM, Gregory Carvalho wrote:

> You might consider a safe with A/C from Black Box. Expensive, but an
> option for you.
>
> On Tuesday 21 November 2006 19:41, VeeJay wrote:
> > Hi
> >
> > I need to secure my data and server. Any advice will be highly
> > appreciated.
> >
> > I am going to place my FreeBSD server at a shared place?
> >
> > I am just afraid that any unauthorized person might boot machine in
> > single user mode and steal the data?
> > How can I make my Server secure that if it boots in single user mode,
> > it still demands the password and without password one cannot do
> > anything? or make it possible that booting in Single user mode,
> > doesn't provide any shell?
> >
> > Thanks in advance
> >
> >  --
> >
> > BR / vj


Being able to Kensington lock the machine so that it can't be opened  
(thinking of Dells), you can prevent physical access to a large  
degree (only have to worry about people that can screw up the lock),  
and prevent people from taking the drive OR resetting the CMOS  
jumper, giving people access to the BIOS without a password (one  
thing that many people haven't mentioned about security so far).

-Garrett


Re: Password Security

2006-11-23 Thread Gregory Carvalho
You might consider a safe with A/C from Black Box. Expensive, but an option 
for you.

On Tuesday 21 November 2006 19:41, VeeJay wrote:
> Hi
>
> I need to secure my data and server. Any advice will be highly appreciated.
>
> I am going to place my FreeBSD server at a shared place?
>
> I am just afraid that any unauthorized person might boot machine in single
> user mode and steal the data?
> How can I make my Server secure that if it boots in single user mode, it
> still demands the password and without password one cannot do anything?
> or make it possible that booting in Single user mode, doesn't provide any
> shell?
>
> Thanks in advance
>
>  --
>
> BR / vj


Re: Password Security

2006-11-23 Thread Jerry McAllister
On Thu, Nov 23, 2006 at 10:45:19AM +0100, VeeJay wrote:

> On 11/23/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> >
> >> And how can one into the System by booting from a CD if it still
> >> requires the Password even in Single User mode?
> >
> >Booting from CD, floppy or hard disk is selected at BIOS level.
> >
> >Booting in single or multi user mode is at Operating system level.
> >
> >Booting is in the following order:
> >
> >1) BIOS select what medium to boot from
> >
> >2) the operating system boot from the selected medium
> >
> >So when it comes to the Single user password, it is already at stage 2)
> >it has passed the stage 1 (booting from hard disk or CD) without
> >password.
> >
> >Olivier
> >
> 
> So, it means, that I should take the following steps
> 
> 1. Password on BIOS
> 2. Change the order of booting i.e. When system is installed and working
> once, then I just the change the Booting FIRST from HardDisk.
> 3. Put the password on Single User mode.

As I said, you can beat that by removing the system battery or flash memory.

> 
> So, what more? Do you people think that I have got somehow security barrier
> for unauthorized access?

The only real security is to totally prevent access.   If that machine is
in a place where you do not trust those who can touch it, then it is
insecure.

jerry
> 
> 
> 
> -- 
> Thanks!
> 
> BR / vj


Re: Password Security

2006-11-23 Thread Jerry McAllister
On Thu, Nov 23, 2006 at 09:56:23AM +0100, VeeJay wrote:

> So, does it mean that Windows 2003 Server provides more Password Level
> Security with Unauthorized Access?
> 
> And how can one into the System by booting from a CD if it still requires
> the Password even in Single User mode?

You just go to fixit mode - where you are running from the CD and not
the installed OS and then rewrite any file that limits your access
and then reboot again.

jerry

> 
> 
> 
> On 11/22/06, Jerry McAllister <[EMAIL PROTECTED]> wrote:
> >
> >On Wed, Nov 22, 2006 at 04:41:37AM +0100, VeeJay wrote:
> >
> >> Hi
> >>
> >> I need to secure my data and server. Any advice will be highly
> >> appreciated.
> >>
> >> I am going to place my FreeBSD server at a shared place?
> >>
> >> I am just afraid that any unauthorized person might boot machine in
> >> single user mode and steal the data?
> >> How can I make my Server secure that if it boots in single user mode, it
> >> still demands the password and without password one cannot do anything?
> >> or make it possible that booting in Single user mode, doesn't provide
> >> any shell?
> >
> >Lock it in a box.   Anyone who can put their hands physically can
> >get in to the machine with a little tinkering even if you disable
> >lots of software.
> >
> >I think you can get rid of the single user option in the boot,
> >but anyone with a CD can defeat that if they want to.  It would
> >make things harder for yourself in managing the system, but it
> >would slow a person down from casual interference.
> >
> >Also, many machines have BIOS level boot passwords that can be turned
> >on.  Using that would slow a person down, but be annoying for yourself,
> >especially in times such as power failures - the system would not come
> >back up automatically without someone entering the BIOS password.
> >
> >Plus, if a person is determined enough, they can defeat that as well
> >by removing the battery backup for the MB or the flash memory.   But,
> >it would stop casual tinkering.
> >
> >jerry
> >
> >>
> >> Thanks in advance
> >>
> >> --
> >>
> >> BR / vj
> >
> 
> 
> 
> -- 
> Thanks!
> 
> BR / vj


Re: Password Security

2006-11-23 Thread Michal Mertl
VeeJay wrote:
> On 11/23/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> >
> > > And how can one into the System by booting from a CD if it still
> > > requires the Password even in Single User mode?
> >
> > Booting from CD, floppy or hard disk is selected at BIOS level.
> >
> > Booting in single or multi user mode is at Operating system level.
> >
> > Booting is in the following order:
> >
> > 1) BIOS select what medium to boot from
> >
> > 2) the operating system boot from the selected medium
> >
> > So when it comes to the Single user password, it is already at stage 2)
> > it has passed the stage 1 (booting from hard disk or CD) without
> > password.
> >
> > Olivier
> >
> 
> So, it means, that I should take the following steps
> 
> 1. Password on BIOS
> 2. Change the order of booting i.e. When system is installed and working
> once, then I just the change the Booting FIRST from HardDisk.
> 3. Put the password on Single User mode.
> 
> So, what more? Do you people think that I have got somehow security barrier
> for unauthorized access?

Not much. Default FreeBSD install has two more places where one can
influence booting with console access - boot blocks and loader.

To disable the access to OK prompt of boot blocks create
file /boot.config with '-n'.

To disable access to loader put autoboot_delay="-1" and
beastie_disable=YES into /boot/loader.conf. You can also instead put
password=... into it and the loader will then require password to allow
access to it.

Michal



Re: Password Security

2006-11-23 Thread Bill Moran
On Thu, 23 Nov 2006 09:56:23 +0100
VeeJay <[EMAIL PROTECTED]> wrote:

>  So, does it mean that Windows 2003 Server provides more Password Level
> Security with Unauthorized Access?

Where is this presumption coming from?  Windows OS suffer from the same
difficulty protecting from physical intrusion that any other OS does.

> And how can one into the System by booting from a CD if it still requires
> the Password even in Single User mode?
> 
> 
> 
> On 11/22/06, Jerry McAllister <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, Nov 22, 2006 at 04:41:37AM +0100, VeeJay wrote:
> >
> > > Hi
> > >
> > > I need to secure my data and server. Any advice will be highly
> > > appreciated.
> > >
> > > I am going to place my FreeBSD server at a shared place?
> > >
> > > I am just afraid that any unauthorized person might boot machine in
> > > single user mode and steal the data?
> > > How can I make my Server secure that if it boots in single user mode, it
> > > still demands the password and without password one cannot do anything?
> > > or make it possible that booting in Single user mode, doesn't provide
> > > any shell?
> >
> > Lock it in a box.   Anyone who can put their hands physically can
> > get in to the machine with a little tinkering even if you disable
> > lots of software.
> >
> > I think you can get rid of the single user option in the boot,
> > but anyone with a CD can defeat that if they want to.  It would
> > make things harder for yourself in managing the system, but it
> > would slow a person down from casual interference.
> >
> > Also, many machines have BIOS level boot passwords that can be turned
> > on.  Using that would slow a person down, but be annoying for yourself,
> > especially in times such as power failures - the system would not come
> > back up automatically without someone entering the BIOS password.
> >
> > Plus, if a person is determined enough, they can defeat that as well
> > by removing the battery backup for the MB or the flash memory.   But,
> > it would stop casual tinkering.


Re: Password Security

2006-11-23 Thread Bill Moran
On Thu, 23 Nov 2006 10:45:19 +0100
VeeJay <[EMAIL PROTECTED]> wrote:

> On 11/23/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> >
> > > And how can one into the System by booting from a CD if it still
> > > requires the Password even in Single User mode?
> >
> > Booting from CD, floppy or hard disk is selected at BIOS level.
> >
> > Booting in single or multi user mode is at Operating system level.
> >
> > Booting is in the following order:
> >
> > 1) BIOS select what medium to boot from
> >
> > 2) the operating system boot from the selected medium
> >
> > So when it comes to the Single user password, it is already at stage 2)
> > it has passed the stage 1 (booting from hard disk or CD) without
> > password.
> >
> > Olivier
> >
> 
> So, it means, that I should take the following steps
> 
> 1. Password on BIOS
> 2. Change the order of booting i.e. When system is installed and working
> once, then I just the change the Booting FIRST from HardDisk.
> 3. Put the password on Single User mode.
> 
> So, what more? Do you people think that I have got somehow security barrier
> for unauthorized access?

Physically _LOCK_ the server up.  Anyone who can get physical access to the
unit can remove the drive and access it from another machine, bypassing all
this stuff.

Another option is to encrypt the hard drives, but this will require you (or
someone else) to enter the password for the encrypted drives every time the
system boots up, so it's generally a maintenance nightmare.


Re: Password Security

2006-11-23 Thread VeeJay

On 11/23/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:


> And how can one into the System by booting from a CD if it still
> requires the Password even in Single User mode?

Booting from CD, floppy or hard disk is selected at BIOS level.

Booting in single or multi user mode is at Operating system level.

Booting is in the following order:

1) BIOS select what medium to boot from

2) the operating system boot from the selected medium

So when it comes to the Single user password, it is already at stage 2)
it has passed the stage 1 (booting from hard disk or CD) without
password.

Olivier



So, it means, that I should take the following steps

1. Password on BIOS
2. Change the order of booting i.e. When system is installed and working
once, then I just the change the Booting FIRST from HardDisk.
3. Put the password on Single User mode.

So, what more? Do you people think that I have got somehow security barrier
for unauthorized access?



--
Thanks!

BR / vj


Re: Password Security

2006-11-23 Thread Olivier Nicole
> And how can one into the System by booting from a CD if it still
> requires the Password even in Single User mode?

Booting from CD, floppy or hard disk is selected at BIOS level.

Booting in single or multi user mode is at Operating system level.

Booting is in the following order:

1) BIOS select what medium to boot from

2) the operating system boot from the selected medium

So when it comes to the Single user password, it is already at stage 2)
it has passed the stage 1 (booting from hard disk or CD) without
password.

Olivier


Re: Password Security

2006-11-23 Thread VeeJay

So, does it mean that Windows 2003 Server provides more Password Level
Security with Unauthorized Access?

And how can one into the System by booting from a CD if it still requires
the Password even in Single User mode?



On 11/22/06, Jerry McAllister <[EMAIL PROTECTED]> wrote:


On Wed, Nov 22, 2006 at 04:41:37AM +0100, VeeJay wrote:

> Hi
>
> I need to secure my data and server. Any advice will be highly
> appreciated.
>
> I am going to place my FreeBSD server at a shared place?
>
> I am just afraid that any unauthorized person might boot machine in
> single user mode and steal the data?
> How can I make my Server secure that if it boots in single user mode, it
> still demands the password and without password one cannot do anything?
> or make it possible that booting in Single user mode, doesn't provide
> any shell?

Lock it in a box.   Anyone who can put their hands physically can
get in to the machine with a little tinkering even if you disable
lots of software.

I think you can get rid of the single user option in the boot,
but anyone with a CD can defeat that if they want to.  It would
make things harder for yourself in managing the system, but it
would slow a person down from casual interference.

Also, many machines have BIOS level boot passwords that can be turned
on.  Using that would slow a person down, but be annoying for yourself,
especially in times such as power failures - the system would not come
back up automatically without someone entering the BIOS password.

Plus, if a person is determined enough, they can defeat that as well
by removing the battery backup for the MB or the flash memory.   But,
it would stop casual tinkering.

jerry

>
> Thanks in advance
>
> --
>
> BR / vj





--
Thanks!

BR / vj


Re: Password Security

2006-11-22 Thread

On 11/22/06, VeeJay <[EMAIL PROTECTED]> wrote:

Thanks Jeff...

But does this encryption affects on Disk Speed or Performance for Data
Access/Read/Write?


On 11/22/06, Jeff Hinrichs - DM&T <[EMAIL PROTECTED]> wrote:
> Although I haven't used either, gbde and geli are possible methods.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
>

As I stated before, I haven't used either so I am in no way an
authoritative source, but in general anytime you do additional
processing in the data channel, some penalty is going to be incurred.
I am sure there are things that can be done to mitigate this penalty
to a degree (i.e. offloading encryption operations to an add-in card)
but only you can be the judge if the trade off is a good one.

-Jeff


Re: Password Security

2006-11-22 Thread Jerry McAllister
On Wed, Nov 22, 2006 at 04:41:37AM +0100, VeeJay wrote:

> Hi
> 
> I need to secure my data and server. Any advice will be highly appreciated.
> 
> I am going to place my FreeBSD server at a shared place?
> 
> I am just afraid that any unauthorized person might boot machine in single
> user mode and steal the data?
> How can I make my Server secure that if it boots in single user mode, it
> still demands the password and without password one cannot do anything?
> or make it possible that booting in Single user mode, doesn't provide any
> shell?

Lock it in a box.   Anyone who can put their hands physically can
get in to the machine with a little tinkering even if you disable
lots of software.

I think you can get rid of the single user option in the boot,
but anyone with a CD can defeat that if they want to.  It would
make things harder for yourself in managing the system, but it
would slow a person down from casual interference.

Also, many machines have BIOS level boot passwords that can be turned 
on.  Using that would slow a person down, but be annoying for yourself,
especially in times such as power failures - the system would not come
back up automatically without someone entering the BIOS password.

Plus, if a person is determined enough, they can defeat that as well
by removing the battery backup for the MB or the flash memory.   But, 
it would stop casual tinkering.   

jerry

> 
> Thanks in advance
> 
> --
> 
> BR / vj


Re: Password Security

2006-11-22 Thread Andy Greenwood

I've used geli to encrypt my swap partition following the instructions
in the handbook and it went quite well. If you really need to secure
the data on the machine, mark the terminal as insecure and encrypt all
the disks, including swap.

Keep in mind though, that no system is completely secure. It may be
secure enough, but there is *always* a way in for the determined
individual.

On 11/22/06, Jeff Hinrichs - DM&T <[EMAIL PROTECTED]> wrote:

Although I haven't used either, gbde and geli are possible methods.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html




--
I'm nerdy in the extreme and whiter than sour cream


Re: Password Security

2006-11-22 Thread

Although I haven't used either, gbde and geli are possible methods.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html


Re: Password Security

2006-11-21 Thread

On 11/21/06, Russell E. Meek <[EMAIL PROTECTED]> wrote:

Quoting VeeJay <[EMAIL PROTECTED]>:

> Hi
>
> I need to secure my data and server. Any advice will be highly appreciated.
>
> I am going to place my FreeBSD server at a shared place?
>
> I am just afraid that any unauthorized person might boot machine in single
> user mode and steal the data?
> How can I make my Server secure that if it boots in single user mode, it
> still demands the password and without password one cannot do anything?
> or make it possible that booting in Single user mode, doesn't provide any
> shell?
>
> Thanks in advance
>
> --
>
> BR / vj

BR,

Edit /etc/ttys and look for the following line:

# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off secure

Change "secure" to "insecure" (no quotes). This will require the root
password to be entered when booting into Single User Mode.


Thanks,

Russ





If the box isn't physically secured then this is just blowin in the
wind.  Short of fully encrypted disks that require a token/password at
boot, there isn't any security in this kind of environment.


Re: Password Security

2006-11-21 Thread Russell E. Meek

Quoting VeeJay <[EMAIL PROTECTED]>:


Hi

I need to secure my data and server. Any advice will be highly appreciated.

I am going to place my FreeBSD server at a shared place?

I am just afraid that any unauthorized person might boot machine in single
user mode and steal the data?
How can I make my Server secure that if it boots in single user mode, it
still demands the password and without password one cannot do anything?
or make it possible that booting in Single user mode, doesn't provide any
shell?

Thanks in advance

--

BR / vj


BR,

Edit /etc/ttys and look for the following line:

# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off secure

Change "secure" to "insecure" (no quotes). This will require the root
password to be entered when booting into Single User Mode.



Thanks,

Russ
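
The /etc/ttys change described in this message and the /boot.config and /boot/loader.conf settings from Michal Mertl's message on this page can be checked together with a small audit script. This is an added example, not part of the original thread; the function names, the report format and the handling of clustered flags such as -Dn are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the thread: audit the console-boot settings it names.
# File paths are arguments, so the checks can run against copies of the files.

# Print the marking on the "console" line of a ttys file:
# insecure | secure | unmarked | missing
ttys_console_mark() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk '
        $1 == "console" {
            mark = "unmarked"
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break                  # trailing comment
                if ($i == "insecure") mark = "insecure"
                else if ($i == "secure" && mark != "insecure") mark = "secure"
            }
            found = mark
        }
        END { print (found == "" ? "missing" : found) }
    ' "$1"
}

# Succeed if a boot.config file passes -n, alone or (assumed) clustered as -Dn.
boot_config_has_n() {
    [ -r "$1" ] || return 1
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^-[A-Za-z]*n[A-Za-z]*$/) ok = 1 }
         END { exit !ok }' "$1"
}

# Print the last value assigned to KEY ($2) in a loader.conf file, unquoted.
loader_conf_get() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next           # also skips "#key=..."
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*=/) next              # a longer name, not KEY
            sub(/^[ \t]*=[ \t]*/, "", rest)
            if (rest ~ /^"/) { rest = substr(rest, 2); sub(/".*$/, "", rest) }
            else sub(/[ \t]*(#.*)?$/, "", rest)
            val = rest
        }
        END { print val }
    ' "$1"
}

# Classify console access to the loader: password | noprompt | open
loader_access() {
    if [ -n "$(loader_conf_get "$1" password)" ]; then echo password
    elif [ "$(loader_conf_get "$1" autoboot_delay)" = "-1" ] &&
         [ "$(loader_conf_get "$1" beastie_disable | tr 'a-z' 'A-Z')" = "YES" ]
    then echo noprompt
    else echo open; fi
}

# Succeed if FILE is readable by "other"; password= is stored there in clear text.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

finding() { echo "FIND  $*"; findings=$((findings + 1)); }

# Print one line per check; the exit status is the number of findings.
audit_console_boot() {          # args: ttys boot.config loader.conf
    findings=0
    mark=$(ttys_console_mark "$1")
    if [ "$mark" = insecure ]; then echo "ok    $1: single-user mode asks for the root password"
    else finding "$1: console is '$mark', expected 'insecure'"; fi
    if boot_config_has_n "$2"; then echo "ok    $2: -n set"
    else finding "$2: -n not set (console access to the boot blocks)"; fi
    case $(loader_access "$3") in
        noprompt) echo "ok    $3: autoboot_delay=-1 and beastie_disable=YES" ;;
        password)
            if world_readable "$3"; then finding "$3: password set but file is world-readable"
            else echo "ok    $3: loader password set"; fi ;;
        *) finding "$3: loader reachable from the console without a password" ;;
    esac
    return "$findings"
}

# Offline run against constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf 'console\tnone\tunknown\toff secure\n' > "$d/ttys"
    printf '%s\n' '-n' > "$d/boot.config"
    printf 'autoboot_delay="10"\n' > "$d/loader.conf"
    rc=0
    audit_console_boot "$d/ttys" "$d/boot.config" "$d/loader.conf" || rc=$?
    rm -rf "$d"
    echo "findings: $rc"
}

if [ "$#" -eq 3 ]; then audit_console_boot "$@"; else demo; fi
```

Called with the three file paths it audits those files; with no arguments it runs against the constructed samples. As the thread notes, these settings only slow down someone at the console and do nothing against removal of the disks.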





Re: Password Security

2006-11-21 Thread Russell E. Meek

Quoting VeeJay <[EMAIL PROTECTED]>:


Hi

I need to secure my data and server. Any advice will be highly appreciated.

I am going to place my FreeBSD server at a shared place?

I am just afraid that any unauthorized person might boot machine in single
user mode and steal the data?
How can I make my Server secure that if it boots in single user mode, it
still demands the password and without password one cannot do anything?
or make it possible that booting in Single user mode, doesn't provide any
shell?

Thanks in advance

--

BR / vj


BR,

Edit /etc/ttys and look for this:

# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off secure

Change






Re: Password Security

2006-11-21 Thread Olivier Nicole
> I am going to place my FreeBSD server at a shared place?
> 
> I am just afraid that any unauthorized person might boot machine in single
> user mode and steal the data?

If the data are so sensible, do not place the machine in a shared
location.

One could reboot in single mode, or just stop the machine and remove
the hard disk to analyze it at his own pace.

Single user password tends to give a false sense of security, if one
has physical access to the machine, consider he has open access to the
data stored on the machine.

best regards,

olivier


Re: password change in memberships reminder

2006-03-01 Thread Ceri Davies
On 1/3/06 06:06, "Ashok Shrestha" <[EMAIL PROTECTED]> wrote:

> I just received my monthly "freebsd.org mailing list memberships
> reminder." But some of my passwords were changed. Is that normal?
> 
> I can't check my previous ones because I already deleted them.

Is it possible that you never set a password?  If so, one will have been
randomly generated for you, which may explain why you don't recognise it.

Ceri
-- 
That must be wonderful!  I don't understand it at all.
  -- Moliere





Re: password change in memberships reminder

2006-03-01 Thread Micah

Ashok Shrestha wrote:

> I just received my monthly "freebsd.org mailing list memberships
> reminder." But some of my passwords were changed. Is that normal?
>
> I can't check my previous ones because I already deleted them.
>
> --
> Ashok Shrestha


I would say no, that's not normal.  I'm paranoid, so I would just assume 
that the accounts were hacked and treat the situation accordingly. 
Contact the lists administrator in case it was a bug in the system...


HTH,
Micah


Re: Password

2005-10-05 Thread Jerry McAllister
> 
> Hi there,
> 
> i am new to freebsd, and now working as an
> administrator of my college system, which using
> freebsd. my question is, if i have 50 users in the
> systems, how can i view all their usernames and
> passwords? this because i always have problems of them
> forgot their passwords, and they can't log in to the
> systems. until now, what i did was, delete their
> usernames, and create new ones because i didn't know
> what their passwords either. so any other alternative?

Passwords are encrypted and not stored in the clear by the system.
Do not do anything to change that.

The root user is able to arbitrarily change any user's password,
so if some user forgets, then just set their password to something,
tell them, and have them then change it when they first log in
with it.

jerry

> 
> help me. Thanks.


Re: Password

2005-10-05 Thread albi
On Tue, 4 Oct 2005 18:36:28 -0700 (PDT)
sulie halim <[EMAIL PROTECTED]> wrote:

> i am new to freebsd, and now working as an
> administrator of my college system, which using
> freebsd. my question is, if i have 50 users in the
> systems, how can i view all their usernames and
> passwords? 

you can't (unless they use really weak passwords and you want to spend
time running password-crackers like "john")

> this because i always have problems of them
> forgot their passwords, and they can't log in to the
> systems. until now, what i did was, delete their
> usernames, and create new ones because i didn't know
> what their passwords either. so any other alternative?

no need to delete accounts

1) login as root
2) type : passwd username

you can also set up usermin and provide them with the "change password"
option in usermin after you've "reset" their password to a temporary new
one

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import


Re: Password

2005-10-04 Thread pete wright
On 10/4/05, sulie halim <[EMAIL PROTECTED]> wrote:
>
> Hi there,
>
> i am new to freebsd, and now working as an
> administrator of my college system, which using
> freebsd. my question is, if i have 50 users in the
> systems, how can i view all their usernames and
> passwords? this because i always have problems of them
> forgot their passwords, and they can't log in to the
> systems. until now, what i did was, delete their
> usernames, and create new ones because i didn't know
> what their passwords either. so any other alternative?
>
> help me. Thanks.


http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html

specifically:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/users.html

-pete




--
~~o0OO0o~~
Pete Wright
www.nycbug.org 
NYC's *BSD User Group


Re: Password

2005-10-04 Thread Nicolas Blais
On October 4, 2005 09:36 pm, sulie halim wrote:
> Hi there,
>
> i am new to freebsd, and now working as an
> administrator of my college system, which using
> freebsd. my question is, if i have 50 users in the
> systems, how can i view all their usernames and
> passwords? this because i always have problems of them
> forgot their passwords, and they can't log in to the
> systems. until now, what i did was, delete their
> usernames, and create new ones because i didn't know
> what their passwords either. so any other alternative?
>
> help me. Thanks.
>

You can't view their passwords unless you (or they) saved them in a database 
(which you (they) should really NOT). 

To change a user's password without making a new account, use the 'passwd'
command as root:

[nicblais] ~> su
Password:
[root] /home/nicblais# passwd freakuser
Changing local password for freakuser
New Password:
Retype New Password:

Nicolas.

-- 
FreeBSD 7.0-CURRENT #0: Sat Oct  1 11:51:38 EDT 2005 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/CLK01A 
PGP? : http://www.clkroot.net/security/nb_root.asc




Re: Password

2005-10-04 Thread Tom Norris

sulie halim wrote:

> systems, how can i view all their usernames and
> passwords?

You can't.  FreeBSD uses a one way hash to encode the passwords.  If you
are the administrator you can change the password though:


#passwd user-that-forgot-their-password
New password: anything like that>

New password again: 

-- Tom


Re: password expire

2005-07-21 Thread Tobias Fendin

Gayn Winters wrote:

> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Tobias Fendin
> > Sent: Thursday, July 21, 2005 11:31 AM
> > To: Joe Stuart
> > Cc: freebsd-questions@freebsd.org
> > Subject: Re: password expire
> >
> > Joe Stuart wrote:
> >
> > > I have a whole group of users with weak passwords. Is there
> > > a way that I can force a password change at next login?
> >
> > "pw usermod [name|uid] -p date" should do the trick.
> > Check the pw(8) man-page for more details.
> >
> >    -Tobias
>
> OK, but if a "whole group" is many many users, how can one pipe-in the
> list of users?  I have a similar problem updating one of my user groups,
> and typing in a pw for each user is a little painful.  Maybe one of the
> shell wizards out there can give us a lesson.  TIA,
>
> -gayn




well, this might not be nice, but hey, it's a hack :)

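# GROUP and DATE are placeholders: the group name and the expiry date
# were lost from the archived message and must be set by the caller.
# The member list is field 4 of the group entry; turn every comma into
# a space so each member becomes its own loop item.
for USER in `pw groupshow "$GROUP" | awk -F ":" '{print $4}' | sed 's/,/ /g'`
do
    pw usermod "$USER" -p "$DATE"
done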

 -Tobias

