dropbear and shadow

sindi keesan keesan at sdf.lonestar.org
Fri Apr 4 11:14:53 WST 2008


On Thu, 3 Apr 2008, Rob Landley wrote:

> On Thursday 03 April 2008 16:13:43 sindi keesan wrote:
>> I don't know where shadow came from or why it appears not to work.

It came from the original setup, where root and user had blank passwords.
Apparently the busybox passwd changed the passwords in passwd but not in
shadow, and dropbear looked at shadow but not at passwd to decide that my
passwords were blank.  When I boot and log in passwd seems to be
consulted, not shadow.  Maybe someone would like to patch dropbear to look
at BOTH files (passwd as well as shadow) before deciding there are blank
passwords?

I found dropbear at the uclibc site, which I was at because I was
compiling busybox, so if it is the busybox passwd (or adduser) that is
leaving shadow unchanged while changing passwd, someone else might end up
with the same problem as I have.

I am using Basiclinux, which is popular enough to be in Ultimate Boot CD.
Version 3 (slackware 4.0 based) comes with no shadow (you don't need to
even type root to log in and the adduser package adds passwords to
passwd).  The earlier version 2 comes with shadow and we are encouraged to
use it if we have newer hardware (circa 1998 or later) because it has
glibc X.

> http://tldp.org/HOWTO/Shadow-Password-HOWTO.html
Good idea.  It suggests using an ssh server, not telnet or ftp.

> And you stopped cc'ing the list again...
Oops.

>
>> I think I ran the busybox passwd (or adduser?) to assign passwords.
>>
>> In another version of this distro, I used a package provided by the distro
>> to create a user and assign passwords to user and root, and there is no
>> 'shadow' file there, and dropbear works 'out of the box' (once I make the
>> rsa key).

> You used two different passwd programs, one of which supported shadow
> passwords and one that didn't.  You wound up with /etc in a fairly insane
> state.

The shadow file was there before I added passwords.  I used one program
per distro.  Manually removing shadow fixed my problem.

My setup worked until now.  (I am often surprised when things work).
I had a very long discussion with TAG about reasons to add passwords and
run as user, so I went to a lot of trouble to change file permissions
(more to learn) and can now run as user.

>> This distro is not intended to be highly secure.  It is for older hardware
>> and to learn on.
>
> It doesn't have to be secure it just has to be consistent.

I will mention to others on the list that they need to remove shadow if
they add passwords to BL 2.

>>> an /etc/shadow file and then define the passwords in /etc/passwd?  That's
>>> kind of backwards...  The point of /etc/shadow is to store passwords
>>> somewhere that _isn't_ world readable.  That's the entire reason the file
>>> exists, to take passwords out of /etc/passwd and put them in to a file
>>> normal users can't read, because modern laptops can break most hashed 6-8
>>> char passwords in a few hours if they have the hash to test against...)
>>
>> How much damage could someone do to my 'user' account over a dialup line?
>> I am not running any other daemons that someone could use to log in.
>> How could they access 'passwd' if they have not logged in even as user?
>
> Linux security is a whole big issue of its own, worthy of at least a
> semester-long undergraduate course.

Probably with some prerequisites.  This is my first and only linux.

> Here's a starting point:
> http://tldp.org/HOWTO/Security-Quickstart-HOWTO/index.html

That is a long quickstart and should keep me from pestering forums for
quite a while.  Thanks.  The TAG people explained to me how to use nmap
and netstat and chkrootkit (nothing has ever broken into my system, though
busybox looked like a virus).  I have used ipchains without understanding
a thing but thought it would be simpler to just ssh between computers to
share the modem connection (especially when one is not linux).

> Rob
> --
> "One of my most productive days was throwing away 1000 lines of code."
>  - Ken Thompson.
>

keesan at sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
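The passwd/shadow mismatch described in the message, as an added consistency check (example code written for this page, not the poster's setup or dropbear's source); the hashes and shadow lines are constructed, and a real run needs root to read /etc/shadow.

```python
# Added example, not dropbear's own code: find accounts whose password
# state is blank or differs between /etc/passwd and /etc/shadow.
def password_fields(text):
    """Map user -> password field (field 2) of a passwd/shadow style file."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            fields[parts[0]] = parts[1]
    return fields

def classify(field):
    """Describe a password field the way a login tool reads it."""
    if field == "":
        return "blank"      # empty field: login succeeds with no password
    if field == "x":
        return "deferred"   # passwd convention: the real hash is in shadow
    if field[0] in "!*":
        return "locked"
    return "hash"

def audit(passwd_text, shadow_text):
    """Return {user: problem} for accounts whose password state is blank
    or differs between the files. Empty shadow_text models no /etc/shadow."""
    passwd = password_fields(passwd_text)
    shadow = password_fields(shadow_text)
    problems = {}
    for user, pfield in passwd.items():
        pstate = classify(pfield)
        if user not in shadow:
            if pstate == "blank":
                problems[user] = "blank password in passwd and no shadow entry"
            continue
        sstate = classify(shadow[user])
        if sstate == "blank" and pstate == "hash":
            problems[user] = "hash in passwd but blank shadow field: shadow-aware tools see no password"
        elif sstate == "blank":
            problems[user] = "blank password in shadow"
        elif pstate == "hash" and sstate == "hash" and pfield != shadow[user]:
            problems[user] = "passwd and shadow hold different hashes"
    return problems

# Constructed sample reproducing the reported state: busybox passwd wrote
# hashes into passwd while shadow still carries the original blank fields.
SAMPLE_PASSWD = ("root:$1$c0nstru$ctedRootHash000000000000:0:0::/root:/bin/sh\n"
                 "user:$1$c0nstru$ctedUserHash000000000000:1000:100::/home/user:/bin/sh\n")
SAMPLE_SHADOW = "root::13000:0:99999:7:::\nuser::13000:0:99999:7:::\n"
if __name__ == "__main__":    # reading the real /etc/shadow needs root
    for user, problem in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items()):
        print("%s: %s" % (user, problem))
```

With no shadow file at all (the BL 3 case in the message) the same passwd content reports nothing, which matches dropbear working there out of the box.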


