# [security] lost root password.

## rosskevin

So I've done the unthinkable  :Shocked:  .  Actually, my (production) Gentoo box has been up so long and set up properly so I log in with my username, that I've just plain forgotten the root password.

Is it true that if I have physical access, that I can reset the password?  Could someone point me to a doc or outline the procedure?

Thanks

----------

## compu-tom

boot from a rescue system, mount the hd, then edit /mnt/gentoo/etc/shadow and delete the password hash between the colons.

Then, reboot and login with the empty password. Assign a new password.

That's it  :Wink: 
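
An added example, not part of the original post: after blanking the hash field this way, a quick audit confirms that no account is still left with an empty password field once the new password is set. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify field 2 (the password hash) of shadow-format lines.
# An empty field means the account can log in without any password.

classify_shadow() {
    # $1: path to a shadow-format file (user:hash:lastchg:min:max:...)
    awk -F: '
        /^#/ || /^$/ { next }                     # skip comments and blank lines
        NF < 2       { print $1 ": MALFORMED"; next }
        $2 == ""     { print $1 ": EMPTY";     next }
        $2 ~ /^[!*]/ { print $1 ": LOCKED";    next }  # "!" or "*": no password login
                     { print $1 ": HASHED" }
    ' "$1"
}

empty_password_accounts() {
    # Print only the account names whose hash field is empty.
    classify_shadow "$1" | sed -n 's/: EMPTY$//p'
}

# Demo on a constructed sample (hash value is a placeholder, not a real hash).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root::12000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:12000:0:99999:7:::
sshd:!:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
EOF

classify_shadow "$sample"
echo "accounts with no password: $(empty_password_accounts "$sample")"
rm -f "$sample"
```

On a real system, run `empty_password_accounts /etc/shadow` as root after the reset; it should print nothing.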

----------

## darktux

If you get physical access to the box, then boot with Gentoo's LiveCD, mount the partitions, do the chroot thing, and then do passwd and set a new password.

There ya go   :Wink: 

----------

## neilhwatson

If you boot to single user mode you become root without needing the password.  Then use passwd to reset.

----------

## dermot

And remember: sudo is your friend.

----------

## Vancouverite

Here is the procedure to reset root's password.

1) Append: init=/bin/bash to your kernel options by editing your bootloader entry and boot it. This will give you a root shell.

2) Remount / read/write with: mount -o remount,rw /

3) Set root's password with: passwd

----------

## puggy

Fuck me. I think I'll be installing a grub password to stop that being able to happen.

Puggy

----------

## bsolar

 *puggy wrote:*   

> Fuck me. I think I'll be installing a grub password to stop that being able to happen.
> 
> Puggy

 

If you fear that, make sure to protect your BIOS and lock the case. And encrypt the FS...  :Rolling Eyes: 

----------

## compu-tom

Don't forget to assign a BIOS password and to disable CD or Floppy booting (remove them entirely). BTW: The safest way is put the computer away, out of reach for anybody  :Wink: 

----------

## bsolar

 *compu-tom wrote:*   

> Don't forget to assign a BIOS password and to disable CD or Floppy booting (remove them entirely). BTW: The safest way is put the computer away, out of reach for anybody 

 

Yeah, that was exactly my point...  :Wink: 

----------

## metacove

If it's 2.4.19 and below and you have a shell account you can use a ptrace exploit  :Very Happy: 

----------

## puggy

Would encrypting the file system slow things down a lot due to encryption/de-cryption having to occur all the time?

Puggy

----------

## Vancouverite

 *puggy wrote:*   

> Would encrypting the file system slow things down a lot due to encryption/de-cryption having to occur all the time?

 

Apparently not too much... the thread about this is here.

If you're really paranoid about security you should solder your keyboard connector onto your motherboard to prevent a key catcher.   :Smile: 

Encrypting your grub password with md5crypt at the grub shell is probably sufficient.
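
An added example, not part of the original post: a check of whether a GRUB legacy `menu.lst` carries a global `password` directive (which is what blocks editing the kernel line at boot) and whether it is stored as an md5crypt hash or in plaintext. The function name, file contents and hash value are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the global password setting of a GRUB legacy config.
# Prints "md5", "plaintext" or "none".

grub_password_status() {
    # $1: path to a GRUB legacy menu.lst / grub.conf
    awk '
        /^[ \t]*title[ \t]/ { exit }     # global section ends at the first entry
        /^[ \t]*password[ \t]/ {
            print (($2 == "--md5") ? "md5" : "plaintext")
            found = 1
            exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Demo: weak setting beside the corrected one (both files are constructed).
weak=$(mktemp)
fixed=$(mktemp)

cat > "$weak" <<'EOF'
default 0
timeout 10
password letmein
title Gentoo
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda3
EOF

cat > "$fixed" <<'EOF'
default 0
timeout 10
password --md5 $1$CONSTRUCTED$placeholderhashvalue000
title Gentoo
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda3
EOF

echo "weak config:  $(grub_password_status "$weak")"
echo "fixed config: $(grub_password_status "$fixed")"
rm -f "$weak" "$fixed"
```

A plaintext result means anyone who can read the config file can read the boot password, which is the case the md5crypt hash avoids.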

----------

## puggy

Hmm. It seems the only way to be secure is to put your computer in a big steel box to which only you have the key.  :Very Happy: 

Cheers on the crypto thing. Ever since reading the cryptonomicon I've wanted to encrypt something for a reason.  :Smile: 

Puggy

----------

## easykill

 *puggy wrote:*   

> Would encrypting the file system slow things down a lot due to encryption/de-cryption having to occur all the time?
> 
> Puggy

 

I have all my filesystems, and the swap encrypted.  I notice very little slowdown...It is not going to matter much.  That's the easiest way to describe it.

I also use grub password/BIOS password and have a physical lock on my case, heh.  I don't really have a good reason to do this, but I do anyways.

----------

## Orange

 *compu-tom wrote:*   

> Don't forget to assign a BIOS password and to disable CD or Floppy booting (remove them entirely). BTW: The safest way is put the computer away, out of reach for anybody 

 

Or if you wanted to be really fancy you could put an electric shock on your computer; when someone besides yourself attempts to use your computer they'll get a nice little shock...  Of course I might be overstepping the bounds   :Twisted Evil: 

----------

## Jeld

Being in the computer security business for a while, I can only say this. Rule #1 Client-side security doesn't work.

In this case, it means that if a person with malicious intent gets physical access to the computer there is nothing you can do to stop him/her from accessing your data. The only thing you can do is make them sweat a lot while doing it. 

To this there is a side note. You can make a system secure enough to be not worth breaking. For example, if you encrypt your file system using strong crypto, make a 4096 bit key to unlock it, store it on a keychain USB device and carry it with you at all times, a person who got access to your system will still be able to get to your data, but if the data consists of your collection of mp3s then the effort required to get to it will be much more than the data is worth, since it will involve either using supercomputers and teams of cryptographers or taking the USB device from your dead body  :Twisted Evil: 

On the other side ( of the side note  :Razz:  ) the more security measures you take to protect a system the more difficult your system becomes for regular use. One of the effects of tightening the computer security is that at some point of tightening it the security starts to actually weaken because of the human factor. For example, for security purposes, one can install kerberos, disable permanent passwords and issue a one-time password every time one logs in to the system, since password changes every login, the password security becomes very high until somebody starts writing his one time passwords on sticky notes since he/she cannot memorize a new password every day.

So, the moral of this narrative is, whatever you do you lose    :Laughing: 

----------

## rosskevin

 *Quote:*   

> If you get physical access to the box, then boot with Gentoo's LiveCD, mount the partitions, do the chroot thing, and then do passwd and set a new password. 

 

Ok, did the chroot on the box, changed the password.  Here's the catch:  I can su when on the box, but not when accessing the box via ssh?  I think I forgot to umount, whatever I did, I screwed it up.

Any ideas?

----------

## karl420

You could su in ssh before?

----------

## Deathwing00

I have a more hacker idea (also totally inefficient!!!). Use john (johntheripper)... nice to go back to those nice times.   :Crying or Very sad: 

----------

## rosskevin

yes, I could su from ssh before.

----------

## karl420

LOL, yeah jacktheripper and a big-a*s wordfile that took you 48 hours over a 14.4 modem to download!

Ah, the good old days.

Karl

----------

## karl420

Whoa, no kidding, you are from Franklin! WOW!  :Smile: 

I live in Nashville, but I work in Franklin at Franklin Dishworks and Computer, as a computer technician, and sysadmin of a few unix boxen. If you ever want to come down and check the place out, give me an email! karl@stonedpenguin.com

Karl

----------

