Improve Porteus security

Talk here about security in general. Posting illegals software is prohibited. All stuffs in this forum must be considered as for "Educational purpose only".
Michele13
Black ninja
Black ninja
Posts: 56
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Improve Porteus security

Post#1 by Michele13 » 19 Jan 2015, 22:22

Is there any way to improve porteus security? Eg. Disabling autologin cheatcode, changing default root and guest password (how does porteus wizard achieve that?) In this Post Brokenman mentions his tutorial, where can I find it?
viewtopic.php?f=113&t=2358&p=25650&hili ... ial#p25650

beny
Full of knowledge
Full of knowledge
Posts: 723
Joined: 02 Jan 2011, 11:33
Location: italy

Re: Improve Porteus security

Post#2 by beny » 19 Jan 2015, 22:56

hi, the autologin it is possible only in init4 mode and if i remember well,and you boot system as guest,the init 3 or txt mode if you want login manually, the password root or guest you can change via porteus setting centre

Michele13
Black ninja
Black ninja
Posts: 56
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Re: Improve Porteus security

Post#3 by Michele13 » 20 Jan 2015, 12:24

Yes, but they will not be saved if changes are not enabled. If I know how porteus works I can easily boot up without a password and do what I want...

beny
Full of knowledge
Full of knowledge
Posts: 723
Joined: 02 Jan 2011, 11:33
Location: italy

Re: Improve Porteus security

Post#4 by beny » 20 Jan 2015, 12:33

if you want you can unsquashfs the core.xzm put your changes into the directories and repack the core,the save changes folder is useful but if you want something as you wish,you can hard code your changes into core.xzm module,so no one can start the system,if you don't want.
or if you have a clean porteus system make your changes and start the save changes script,this script allow you to do a xzm module of the last 3 minutes changes so your password and other security changes are packed in.

Michele13
Black ninja
Black ninja
Posts: 56
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Re: Improve Porteus security

Post#5 by Michele13 » 20 Jan 2015, 15:40

Ok, now how can I remove the autologin cheat?

beny
Full of knowledge
Full of knowledge
Posts: 723
Joined: 02 Jan 2011, 11:33
Location: italy

Re: Improve Porteus security

Post#6 by beny » 20 Jan 2015, 17:05

hi if you put # the autologin entry is not visible to the boot windows so you have to log in in text mode with password and user or root, the porteus.cfg is located in boot directory
#LABEL gui
#MENU LABEL Graphics mode (XFCE)
#KERNEL vmlinuz
#APPEND initrd=initrd.xz changes=/porteus
Run Porteus the best way we can.
Try to autoconfigure graphics
card and use the maximum
allowed resolution
ENDTEXT

Michele13
Black ninja
Black ninja
Posts: 56
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Re: Improve Porteus security

Post#7 by Michele13 » 22 Jan 2015, 17:41

Or better yet we can password protect the bootloader (syslinux, extlinux)

MENU PASSWD passwd

(Only valid after a LABEL statement, or a MENU BEGIN statement.)
Sets a password on this menu entry. "passwd" can be either a cleartext password or a password encrypted with one of the following algorithms:

MD5 (Signature: $1$)
SHA-1 (Signature: $4$)
SHA-2-256 (Signature: $5$)
SHA-2-512 (Signature: $6$)

Use the included Perl scripts "sha1pass" or "md5pass" to encrypt passwords. MD5 passwords are compatible with most Unix password file utilities; SHA-1 passwords are probably unique to Syslinux; SHA-2 passwords are compatible with very recent Linux distributions. Obviously, if you don't encrypt your passwords they will not be very secure at all.

If using passwords, make sure to use "NOESCAPE 1" and "PROMPT 0", and either set "ALLOWOPTIONS 0" or use a master password (see below).

If passwd is an empty string, this menu entry can only be unlocked with the master password.


MENU MASTER PASSWD passwd

Sets a master password. This password can be used to boot any menu entry, and is required for the [Tab] and [Esc] keys to work.

User avatar
francois
Contributor
Contributor
Posts: 4937
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Enfin l'été, le changement climatique attendu: le soleil.

Re: Improve Porteus security

Post#8 by francois » 22 Jan 2015, 21:27

Autologin has nothing to do with changes cheatcode. It has to do with login cheatcode:
http://www.porteus.org/tutorials/26-gen ... -them.html

Code: Select all

login=user_name
... Lets you specify the name of the user (could be also 'root')
which will be autologged into GUI session.
If username is not provided then booting stops on the lxdm/kdm
login screen.
Just add the login= cheatcode to your syslinux menu (leaving it empty). This way you should not get autologin and stop to the login script.

Keeping with the guest (porteus normal user account) has been reported by fanthom in other threads has the best practice instead creating other normal accounts. Just change the password for root and guest. To do this you will need to keep the changes cheatcode.
Voltaire: Le mieux est l'ennemi du bien.

Michele13
Black ninja
Black ninja
Posts: 56
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Re: Improve Porteus security

Post#9 by Michele13 » 27 Jan 2015, 22:28

I've tested the login cheat and oddly it does not work... it's better to edit the /etc/slim.conf file and disable autologin from there (does porteus use slim on any DE?)

tome
Contributor
Contributor
Posts: 562
Joined: 26 Jun 2013, 14:03
Distribution: x64 Openbox
Location: Poland
Contact:

Re: Improve Porteus security

Post#10 by tome » 28 Jan 2015, 08:13

/etc/lxdm/lxdm.conf

User avatar
fanthom
Site Admin
Site Admin
Posts: 4565
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Improve Porteus security

Post#11 by fanthom » 28 Jan 2015, 12:29

@Michele13
have you pulled latest updates through PSC?
i guess not ...
Please add [Solved] to your thread title if the solution was found.

beny
Full of knowledge
Full of knowledge
Posts: 723
Joined: 02 Jan 2011, 11:33
Location: italy

Re: Improve Porteus security

Post#12 by beny » 28 Jan 2015, 15:25

hi michele13 you can do as you wish in this way:
LABEL gui
MENU PASSWD beny
MENU LABEL Graphics mode (XFCE)
KERNEL vmlinuz
APPEND initrd=initrd.xz changes=/porteus guiexec=/usr/bin/tvhed.sh
Run Porteus the best way we can.
Try to autoconfigure graphics
card and use the maximum
allowed resolution
ENDTEXT

after the label you can insert your password, mine is clear as the example above, your can do encrypted ,the goal is when you choose the boot option before you use it the password is required so you have the security option always on ,you can use password for all the label option.

Michele13
Black ninja
Black ninja
Posts: 56
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Re: Improve Porteus security

Post#13 by Michele13 » 30 Jan 2015, 23:06

Does porteus have a utility that creates encrypted passwords like md5pass?

User avatar
francois
Contributor
Contributor
Posts: 4937
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Enfin l'été, le changement climatique attendu: le soleil.

Re: Improve Porteus security

Post#14 by francois » 31 Jan 2015, 19:01

1.0 md5sum:
To my knowledge we do not have something specific to porteus, but md5sum works natively, as I have tried it:
http://ubuntuforums.org/showthread.php?t=1519513

Code: Select all

root@porteus:~# echo "mypass" |md5sum
2b643a4d56186389d84dbb3a9a483e99  -

Code: Select all

root@porteus:~# echo "francois" |md5sum
e604b02c8e7baf3e29cf439f73e6c4dd  -
root@porteus:~#
2.0 A more secure approach are the apg or pwgen packages.
Though reading on the net provides the logic and some packages to generate sound passwords:
https://help.ubuntu.com/community/Stron ... ling%20APG
2.1 The packages:
- apg (quoted from the readme file):
APG (Automated Password Generator) is a tool set for random password
generation.

- pwgen (quoted from the readme file):
Pwgen is a small, GPL'ed password generator which creates passwords which
can be easily memorized by a human.


Here pwgen is said be more mnemonic than apg.

2,2 Installing these packages on porteus.
Both apg and pwgen could be easily installed on porteus thru usm command line:

Code: Select all

root@porteus:~# usm sbo -b apg

Code: Select all

root@porteus:~# usm sbo -b pwgen
Make sur usm repositories are loaded:

Code: Select all

root@porteus:~# usm -u
3.0 The manual approach:
However, in the second mentioned thread, I like very much the manual approach. All you have to do is to be protected from a dictionnary approach attack as the author says.
Voltaire: Le mieux est l'ennemi du bien.

Michele13
Black ninja
Black ninja
Posts: 56
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Re: Improve Porteus security

Post#15 by Michele13 » 07 Feb 2015, 09:53

thanks Francois! Tell me more about the third way: The Manual Approach :)

Post Reply