Author Topic: linux password  (Read 906 times)

punk

  • Newbie
  • *
  • Posts: 10
    • View Profile
linux password
« on: May 07, 2014, 05:23:40 pm »
How important is it to have a strong password on a Linux OS?
Let's say on the host, on the Whonix gateway, or on the workstation?
For example, on the Whonix gateway. For an offline attacker the password doesn't matter; she can remove it easily.
But it seems like the same is true for an online attacker on the Whonix gateway or any Linux (without an SSH server etc.), because the Whonix gateway doesn't have an SSH server or any other service that users can connect to from the internet. It seems that there is no difference between the passwords 12345 and pa$$w0rd?

Patrick

  • a maintainer of Whonix
  • Administrator
  • *****
  • Posts: 3396
  • (adrelanos)
    • View Profile
    • Patrick Schleizer – Profile Page
Re: linux password
« Reply #1 on: May 07, 2014, 08:26:31 pm »
Privilege escalation. A compromised user account "server" can in theory not compromise root or user "user". My personal opinion:
https://www.whonix.org/wiki/Dev/Permissions

However, using no password at all and making all root commands possible without a password would probably do the project no good.

PS:
pa$$w0rd could be found in a password list.
Question should be rather "12345" vs "5edc3efdac3eeebd3e1508be9e3c9f84af638b4aeb773de1b85f58d0a77c2580e347d5456dda4a9c1670f674ea6e5116f4b0bab2efd67669a0da85947f339c8a".
HOT: How to Ask Smart Questions | How to Report Bugs Effectively
Imprint | Privacy Policy | Disclaimer
If Whonix (g+) is useful to you, please consider a reoccurring donation so I (e-mail) (gpg) (g+) can work full time on Whonix.
Need more attention? Get Professional Support!

punk

Re: linux password
« Reply #2 on: May 08, 2014, 10:10:35 am »
Quote
Privilege escalation. A compromised user account "server" can in theory not compromise root or user "user".

Can you tell me how I can be compromised? I'm thinking that because I'm not running SSH or FTP servers, I'm safe. An attacker can't run brute force on my ports since I don't have SSH or FTP running.

Patrick

Re: linux password
« Reply #3 on: May 08, 2014, 02:10:41 pm »
When x (a browser) runs as user y (user "user") and the browser gets exploited, then the user y is compromised. In theory, the password contains the compromise within the user. Other users and root would stay uncompromisable as long as the attacker does not have another exploit for privilege escalation.

punk

Re: linux password
« Reply #4 on: May 08, 2014, 04:07:27 pm »
OK, it makes sense. Can I be compromised by the NTP or CUPS services, since they are running on my system?

Patrick

Re: linux password
« Reply #5 on: May 08, 2014, 04:34:49 pm »
Cups:
(server) depends on whether it is accessible from the internet or not. Use a firewall to block incoming connections and/or configure services to listen on localhost only. [Covering most important here... + ...]

NTP:
Define compromise. (Don't) There are two points here.
1. An adversary could feed you malicious time information, which is bad for various reasons (moving the clock back makes your system accept outdated, invalid keys).
2. NTP could get exploited while fetching the time, as a browser can be exploited while fetching a website, by sending specially prepared data which will trigger a vulnerability. Comparison of browser / NTP is probably not fair. I don't know how likely that is. In an ideal world, however, the time syncing application would run inside a strongly isolated (Qubes OS style) virtual machine.

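The "listen on localhost only" advice in Reply #5 can be checked on a running system. The following is an added example, not part of the original thread or of Whonix: it parses the Linux `/proc/net/tcp` table and reports TCP listeners that are not bound to loopback. The sample table is constructed, and the decoding assumes a little-endian host such as x86.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# CUPS port 631 bound to 127.0.0.1, the same port bound to 0.0.0.0,
# and one established outbound connection that is not a listener.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0F02000A:9C40 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

TCP_LISTEN = "0A"  # kernel state code for a listening TCP socket


def parse_addr(field):
    """Decode 'HEXIP:HEXPORT'. The IPv4 address is printed in host byte
    order, which is little-endian on x86 (assumption of this example)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(table):
    """Return (ip, port) for every row in LISTEN state."""
    socks = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) > 3 and cols[3] == TCP_LISTEN:
            socks.append(parse_addr(cols[1]))
    return socks


def exposed(socks):
    """Listeners reachable from other machines: anything not on loopback."""
    return [(ip, port) for ip, port in socks
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off Linux
    for ip, port in exposed(listening_sockets(table)):
        print(f"listening on non-loopback address {ip}:{port}")
```

A listener reported here still needs the firewall rule mentioned in the reply; one bound to 127.0.0.1 is not reachable from other hosts.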

punk

Re: linux password
« Reply #6 on: May 08, 2014, 07:11:38 pm »
So for better security you would recommend disabling NTP on my host OS?

Patrick

Re: linux password
« Reply #7 on: May 08, 2014, 10:27:07 pm »
Quote
So for better security you would recommend to disable NTP on my host os ?

Difficult question. One I've been continuously working on. With no next to perfect solution in sight. Depends on your priorities. Leaving it enabled has advantages (not fingerprintable, you're not the one who uses something other than NTP), disabling it has different advantages (no MITM can tamper with clock), but you must manually sync your clock. Endless topic. Learn more:
- https://www.whonix.org/wiki/Advanced_Security_Guide#Network_Time_Synchronization
- https://www.whonix.org/wiki/Dev/TimeSync

punk

Re: linux password
« Reply #8 on: May 10, 2014, 10:34:32 am »
Thanks. I'll try to find the best option for me.

Quote
pa$$w0rd could be found in a password list.
Question should be rather "12345" vs "5edc3efdac3eeebd3e1508be9e3c9f84af638b4aeb773de1b85f58d0a77c2580e347d5456dda4a9c1670f674ea6e5116f4b0bab2efd67669a0da85947f339c8a"

I know that a strong password must be 25+ characters and include numbers and symbols. But the long password which you typed above is very complicated to type by hand. There would probably be many mistakes, or fat fingers, when you try to type it. Is there any way to copy-paste this to VirtualBox without guest additions installed? Or are you also typing passwords like these by hand?

Patrick

Re: linux password
« Reply #9 on: May 10, 2014, 04:10:18 pm »
No and no. Sorry for the confusion. I exaggerated on the long password. Just wanted to mention that common words like pa$$w0rd (replace s with $) are common practices and can be found in password dictionaries. It should appear truly random, so the only remaining attack is a brute force attack.
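The point made in Reply #9, that a substituted word such as pa$$w0rd is still a dictionary entry while a random string leaves only brute force, is illustrated below. This is an added example, not part of the original thread: the wordlist and the substitution table are small constructed stand-ins for a real password dictionary and its mangling rules.

```python
import math
import secrets
import string

# Constructed mini wordlist standing in for a real password dictionary.
WORDLIST = {"password", "letmein", "dragon", "12345"}

# Common character substitutions that dictionary rules undo
# (assumed mapping for this example, not an exhaustive rule set).
LEET = str.maketrans({"$": "s", "0": "o", "@": "a", "1": "l",
                      "3": "e", "!": "i", "5": "s", "7": "t"})


def in_dictionary(pw):
    """True if the password, as typed or with substitutions reversed,
    is a dictionary word. Such a password falls to a wordlist pass."""
    lowered = pw.lower()
    candidates = {lowered, lowered.translate(LEET)}
    return any(c in WORDLIST for c in candidates)


def brute_force_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password. Only meaningful
    when every character really is chosen at random."""
    return length * math.log2(alphabet_size)


def random_password(length=16, alphabet=string.ascii_letters + string.digits):
    """Draw each character from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("12345", "pa$$w0rd", random_password()):
        verdict = "dictionary word" if in_dictionary(pw) else "brute force only"
        print(f"{pw!r}: {verdict}")
    print(f"16 random alphanumerics: {brute_force_bits(16, 62):.1f} bits")
```

Letters and digits only keep the generated password typeable by hand into a VM console, which was the concern raised in Reply #8.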

 
