Improve Porteus security
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Improve Porteus security
Is there any way to improve Porteus security? E.g. disabling the autologin cheatcode, changing the default root and guest passwords (how does the Porteus wizard achieve that?). In this post brokenman mentions his tutorial; where can I find it?
http://forum.porteus.org/viewtopic.php? ... ial#p25650
Re: Improve Porteus security
Hi, the autologin is possible only in init 4 mode, if I remember well, and you boot the system as guest; use init 3 or text mode if you want to log in manually. The root or guest password you can change via the Porteus Settings Centre.
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Re: Improve Porteus security
Yes, but they will not be saved if changes are not enabled. If I know how porteus works I can easily boot up without a password and do what I want...
Re: Improve Porteus security
If you want, you can unsquashfs the core.xzm, put your changes into the directories and repack the core. The save changes folder is useful, but if you want something as you wish, you can hard-code your changes into the core.xzm module, so no one can start the system if you don't want them to.
Or, if you have a clean Porteus system, make your changes and start the save changes script; this script allows you to make an xzm module of the last 3 minutes' changes, so your password and other security changes are packed in.
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Re: Improve Porteus security
Ok, now how can I remove the autologin cheat?
Re: Improve Porteus security
Hi, if you put a #, the autologin entry is not visible in the boot window, so you have to log in in text mode with password and user or root. The porteus.cfg is located in the boot directory.
#LABEL gui
#MENU LABEL Graphics mode (XFCE)
#KERNEL vmlinuz
#APPEND initrd=initrd.xz changes=/porteus
Run Porteus the best way we can.
Try to autoconfigure graphics
card and use the maximum
allowed resolution
ENDTEXT
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Re: Improve Porteus security
Or better yet we can password protect the bootloader (syslinux, extlinux)
MENU PASSWD passwd
(Only valid after a LABEL statement, or a MENU BEGIN statement.)
Sets a password on this menu entry. "passwd" can be either a cleartext password or a password encrypted with one of the following algorithms:
MD5 (Signature: $1$)
SHA-1 (Signature: $4$)
SHA-2-256 (Signature: $5$)
SHA-2-512 (Signature: $6$)
Use the included Perl scripts "sha1pass" or "md5pass" to encrypt passwords. MD5 passwords are compatible with most Unix password file utilities; SHA-1 passwords are probably unique to Syslinux; SHA-2 passwords are compatible with very recent Linux distributions. Obviously, if you don't encrypt your passwords they will not be very secure at all.
If using passwords, make sure to use "NOESCAPE 1" and "PROMPT 0", and either set "ALLOWOPTIONS 0" or use a master password (see below).
If passwd is an empty string, this menu entry can only be unlocked with the master password.
MENU MASTER PASSWD passwd
Sets a master password. This password can be used to boot any menu entry, and is required for the [Tab] and [Esc] keys to work.
- francois
- Contributor
- Posts: 6327
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Improve Porteus security
Autologin has nothing to do with changes cheatcode. It has to do with login cheatcode:
http://www.porteus.org/tutorials/26-gen ... -them.html
Just add the login= cheatcode to your syslinux menu (leaving it empty). This way you should not get autologin and should stop at the login script.
Keeping with the guest (Porteus normal user account) has been reported by fanthom in other threads as the best practice instead of creating other normal accounts. Just change the password for root and guest. To do this you will need to keep the changes cheatcode.
Code: Select all
login=user_name
... Lets you specify the name of the user (could be also 'root')
which will be autologged into GUI session.
If username is not provided then booting stops on the lxdm/kdm
login screen.
Take your time, enjoy the time that passes.
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Re: Improve Porteus security
I've tested the login cheat and oddly it does not work... it's better to edit the /etc/slim.conf file and disable autologin from there (does porteus use slim on any DE?)
- fanthom
- Moderator Team
- Posts: 5619
- Joined: 28 Dec 2010, 02:42
- Distribution: Porteus Kiosk
- Location: Poland
Re: Improve Porteus security
@Michele13
have you pulled latest updates through PSC?
i guess not ...
Please add [Solved] to your thread title if the solution was found.
Re: Improve Porteus security
hi michele13 you can do as you wish in this way:
LABEL gui
MENU PASSWD beny
MENU LABEL Graphics mode (XFCE)
KERNEL vmlinuz
APPEND initrd=initrd.xz changes=/porteus guiexec=/usr/bin/tvhed.sh
Run Porteus the best way we can.
Try to autoconfigure graphics
card and use the maximum
allowed resolution
ENDTEXT
After the label you can insert your password; mine is in clear text as in the example above, yours can be encrypted. The goal is that when you choose the boot option, the password is required before you use it, so you have the security option always on. You can use a password for all the label options.
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Re: Improve Porteus security
Does porteus have a utility that creates encrypted passwords like md5pass?
- francois
- Contributor
- Posts: 6327
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Improve Porteus security
1.0 md5sum:
To my knowledge we do not have something specific to porteus, but md5sum works natively, as I have tried it:
http://ubuntuforums.org/showthread.php?t=1519513
Code: Select all
root@porteus:~# echo "mypass" |md5sum
2b643a4d56186389d84dbb3a9a483e99 -
Code: Select all
root@porteus:~# echo "francois" |md5sum
e604b02c8e7baf3e29cf439f73e6c4dd -
root@porteus:~#
2.0 A more secure approach is the apg or pwgen packages.
Though reading on the net provides the logic and some packages to generate sound passwords:
https://help.ubuntu.com/community/Stron ... ling%20APG
2.1 The packages:
- apg (quoted from the readme file):
APG (Automated Password Generator) is a tool set for random password generation.
- pwgen (quoted from the readme file):
Pwgen is a small, GPL'ed password generator which creates passwords which can be easily memorized by a human.
Here pwgen is said to be more mnemonic than apg.
2.2 Installing these packages on porteus.
Both apg and pwgen could be easily installed on porteus through the usm command line:
Code: Select all
root@porteus:~# usm sbo -b apg
Code: Select all
root@porteus:~# usm sbo -b pwgen
Make sure usm repositories are loaded:
Code: Select all
root@porteus:~# usm -u
3.0 The manual approach:
However, in the second mentioned thread, I like very much the manual approach. All you have to do is to be protected from a dictionary approach attack as the author says.
Take your time, enjoy the time that passes.
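An added example, not code from any poster or from the Porteus or Syslinux projects: a small Python audit of a porteus.cfg against the conditions quoted in this thread (a hashed MENU PASSWD on every LABEL, NOESCAPE 1, PROMPT 0, ALLOWOPTIONS 0 or a master password, and the empty login= cheatcode). The function name, the finding strings and the sample config are constructed for illustration.

```python
import re
HASH_SIGS = ("$1$", "$4$", "$5$", "$6$")  # signatures from the quoted Syslinux text
DIRECTIVE = re.compile(r"(?i)^(menu\s+master\s+passwd|menu\s+passwd|label|append|"
                       r"noescape|prompt|allowoptions|text\s+help)(?:\s+(.*))?$")

def audit(cfg_text):
    """Return sorted (scope, finding) pairs for a Syslinux menu config."""
    g, entries, cur, in_help = {}, [], None, False
    for line in (l.strip() for l in cfg_text.splitlines()):
        if in_help or not (m := DIRECTIVE.match(line)):
            in_help = in_help and line.upper() != "ENDTEXT"  # skip help bodies
            continue                       # also skips comments and other lines
        key, arg = " ".join(m.group(1).lower().split()), (m.group(2) or "").strip()
        if key == "text help":
            in_help = True
        elif key == "label":
            entries.append(cur := {"label": arg})
        elif key in ("menu passwd", "append") and cur is not None:
            cur[key] = arg                 # per-entry settings, valid after LABEL
        else:
            g[key] = arg                   # global: NOESCAPE, PROMPT, ...
    master = g.get("menu master passwd")
    out = [("global", f"{k.upper()} {v} missing")
           for k, v in (("noescape", "1"), ("prompt", "0")) if g.get(k) != v]
    if g.get("allowoptions") != "0" and not master:
        out.append(("global", "need ALLOWOPTIONS 0 or a master password"))
    if master and not master.startswith(HASH_SIGS):
        out.append(("global", "master password is cleartext"))
    for e in entries:
        pw = e.get("menu passwd")
        if pw is None:
            out.append((e["label"], "no MENU PASSWD"))
        elif pw == "" and not master:
            out.append((e["label"], "empty MENU PASSWD but no master password"))
        elif pw and not pw.startswith(HASH_SIGS):
            out.append((e["label"], "cleartext MENU PASSWD"))
        if "login=" not in e.get("append", "").split():
            out.append((e["label"], "no empty login= cheatcode"))
    return sorted(out)

# Constructed sample: the entry posted earlier in the thread, cleartext password included.
SAMPLE = """LABEL gui
MENU PASSWD beny
MENU LABEL Graphics mode (XFCE)
KERNEL vmlinuz
APPEND initrd=initrd.xz changes=/porteus guiexec=/usr/bin/tvhed.sh
"""
if __name__ == "__main__":
    print("\n".join(f"{s}: {f}" for s, f in audit(SAMPLE)))
```

A bare md5sum digest carries none of the $1$/$4$/$5$/$6$ signatures, so by the Syslinux text quoted earlier it is read as a cleartext password, and the audit flags it the same way.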
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Re: Improve Porteus security
thanks Francois! Tell me more about the third way: The Manual Approach 
