Posts: 7 | Thanked: 0 times | Joined on Dec 2009
#1
Hello there,

It's been a long time since I used a Linux box, but I wondered how secure the root account is, and the device in general.

I've read that to gain root access, you use a little package. Does this mean that the account is not password protected?
Same question for the user "user" which we are logged as?

Once the ssh is installed, if the root/user account is unsecured, everyone may access our device, right?
 
Posts: 287 | Thanked: 127 times | Joined on Oct 2009 @ Sweden
#2
From what I've seen on here, one is asked for a password when installing openssh (which enables logging in as root; the default is having root login disabled).
 
Posts: 7 | Thanked: 0 times | Joined on Dec 2009
#3
What if:
"ssh user" into the device
then "sudo gainroot"

Will the distant dude gain root access?
 
Posts: 4,708 | Thanked: 4,649 times | Joined on Oct 2007 @ Bulgaria
#4
The user doesn't have a password AFAIR until you explicitly set one. Until then you can't login as the user.
__________________
Technically, there are three determinate states the cat could be in: Alive, Dead, and Bloody Furious.
 

Posts: 540 | Thanked: 288 times | Joined on Sep 2009
#5
Originally Posted by pasquiel View Post
What if:
"ssh user" into the device
then "sudo gainroot"

Will the distant dude gain root access?
Yes, though I think that to be able to SSH in as user you need to set the user password via root shell (or use public key, same difference anyway) and thus your security is the same as with a password-enabled root account.

(open|dropbear)ssh server isn't "official nokia package" anyway so you're supposed to know what you're doing.
 
Posts: 4,556 | Thanked: 1,624 times | Joined on Dec 2007
#6
If you try to ssh into user after installing openssh it'll ask you for a password. No matter what you enter, you won't be able to enter. Not even if you leave it blank.

As the above users have pointed out, it's because user has no password (now you would think if that's the case then it's just blank, no password, right?). But nope, you can't log into user with any method if there's no password set for user.

You first have to get root access on the tablet and then set a password for user to be able to login as user (not sure about what if you try root since I always turn off root login).

And yes, if they ssh user into the device and do sudo gainroot they will have root access. Though if you set up openssh properly (strong password, change port #, and maybe even do some pub/private keys) you won't see what happened to jailbroken iPhones on the Nokia tablets.
__________________
Originally Posted by ysss View Post
They're maemo and MeeGo...

"Meamo!" sounds like what Zorro would say to catherine zeta jones... after she slaps him for looking at her dirtily...
 
Posts: 3,428 | Thanked: 2,856 times | Joined on Jul 2008
#7
With any Linux SSH if you are worried about security, I recommend disallowing root to login directly to the device. I don't have the N900 as I can't afford it, but I believe it uses openssh which would normally put the conf file in /etc/ssh/sshd_config. Set PermitRootLogin no in that file.

Since giving the default "user" account a password could mess up the phone's normal operation you would add a separate user, can call it ssh_user or something, to the device. Would also recommend using security keys if you're really that concerned and disable password ssh altogether. Add the ssh_user to your sudoers file or allow him to use "su" to get up to root.

After all, the N900 just runs Linux... and Linux is one of the most secure operating systems out there.. the security is there, you just might need to enable it and be careful not to impact the phone itself.
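
Added example, not part of any poster's message: a short script that separates a locked account from a blank-password one (the point settled in this thread) and checks an sshd_config against the advice in the post above. The shadow lines and config are constructed samples, the function names are hypothetical, and PermitEmptyPasswords is a standard OpenSSH option that the thread itself does not mention.

```shell
#!/bin/sh
# Added example; the sample data is constructed, not taken from an N900.

# Classify the password field of shadow(5)-format lines read from stdin:
#   empty -> blank (logs in with no password), leading ! or * -> locked
#   (no password can match), anything else -> set (a hash is present).
classify_shadow() {
    awk -F: 'NF >= 2 {
        if ($2 == "")          state = "blank"
        else if ($2 ~ /^[!*]/) state = "locked"
        else                   state = "set"
        print $1 ":" state
    }'
}

# Print the global value of one sshd_config keyword read from stdin.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and Match blocks (conditional) are not evaluated here.
sshd_value() {
    awk -v key="$1" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# Report where a config (passed as a string) departs from the thread's advice.
audit_sshd() {
    for key in PermitRootLogin PasswordAuthentication; do
        [ "$(printf '%s\n' "$1" | sshd_value "$key")" = "no" ] ||
            echo "$key is not 'no'"
    done
    [ "$(printf '%s\n' "$1" | sshd_value PermitEmptyPasswords)" != "yes" ] ||
        echo "PermitEmptyPasswords is 'yes'"
}

SAMPLE_SHADOW='root:$1$constructed$notarealhash:14600:0:99999:7:::
user:!:14600:0:99999:7:::
guest::14600:0:99999:7:::'
SAMPLE_SSHD='# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no'

printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
audit_sshd "$SAMPLE_SSHD"
```

On a real system the same functions can be fed `/etc/shadow` (as root) and `/etc/ssh/sshd_config`; an unset keyword is reported rather than guessed, because the built-in default depends on the OpenSSH version.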
 
Posts: 7 | Thanked: 0 times | Joined on Dec 2009
#8
Thanks, yeah I thought "no password" meant "blank password", and I was wrong.
I think it is time I read a few howtos on linux and remember things ^_^
 
Posts: 17 | Thanked: 10 times | Joined on Dec 2009 @ New York, NY, USA
#9
Originally Posted by fatalsaint View Post
[G]iving the default "user" account a password could mess up the phone's normal operation....
Can you give a basis for that statement? I've been running user with a password (for openssh access via publickey; if no user password, key authentication fails automatically) for a couple of days now, and haven't noticed any issues.
 
Posts: 3,428 | Thanked: 2,856 times | Joined on Jul 2008
#10
Originally Posted by cowb0y View Post
Can you give a basis for that statement? I've been running user with a password (for openssh access via publickey; if no user password, key authentication fails automatically) for a couple of days now, and haven't noticed any issues.
As I've said before I don't have the N900.. I said it could.. I didn't want to offer advice to do something that I personally hadn't tested without a form of disclaimer.

If you're running the default user with a pass with no issues then great... people can instead use the user account and just give it a password. I was offering a solution that I was relatively certain wouldn't affect anything,
 
