[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Disable Root Recovery



On Mon, 2006-03-13 at 18:07 +0000, James Wilkinson wrote:
> Feris Thia wrote:
> > I've heard that root access can be recovered if we forget the password
> > or something causes authentication failed. How is that done ?
> 
> One way of doing it is to use a live CD (e.g. Knoppix) and mounting the
> Fedora drives, then resetting the root password. I understand that the
> Fedora recovery CD can do this as well. Alternatively, you could just
> temporarily install the hard drive in another PC.
> 
> Another way is to play with the kernel command line in grub, asking the
> kernel to use a shell instead of init.
> 
> Obviously, this all needs physical access.
> 
> > And if so... I want it to be completely unrecoverable.. How can I do that ?
> 
> You would have to have an encrypted root filesystem. Googling suggests
> http://www.linuxjournal.com/article/7743 might be one place to start.

> Please note that you will be leaving standard Fedora behind. You will
> have to put something like exclude=initscripts in your /etc/yum.conf,
> and you will not be able to (easily) upgrade this box from one Fedora
> version to another: you will have to repeat the whole process.

	Actually, it's not all that difficult.  I've got some scripts for using
dm-crypt that modify the initrd image and add a few scripts and binaries
and then write the thing out to a USB key.  You boot from the USB key
and enter a master password and it then decrypts and mounts the root
file system.  The boot key has utility options encrypting and decrypting
the partitions.  Each time you update your system, you just rerun the
setup script and it freshens up your key with the new kernel.  If you
don't also encrypt your boot partition, you can boot from the hard drive
(I've got a "Boot of Last Resort" option in there that allows you to
just decrypt your boot partition and reboot in case you forgot to update
your key) and enter your master password there.  It also produces a CD
image that can be burned for a boot CD.

	I update the system, all the time, with yum, no problem.  It's just
that, if the kernel gets updated, you have to rerun the script for each
USB key (I keep backups, needless to say).  To upgrade the system to a
new version of Fedora Core, you would either have to use the, not
recommended, yum upgrade method or, if you are going to boot a hard CD
install boot, decrypt the partitions in place, upgrade the system,
rebuild the keys, and then (presuming the new system didn't break the
crypto setup scripts) reencrypt the partitions.  I get to figure out how
well that works when FC5 comes out.  ;-)  I doubt not that the scripts
will need some tinkering then.

	The scripts let you encrypt or decrypt your partitions in place back
and forth at will and support encrypted swap (static encryption) or
randomly encrypted swap (new random key at each boot - no suspend to
swap here).  Never been tested with LVM, though...

	I did a presentation on it last year for the Atlanta Linux Enthusiasts
(ALE).  The presentation and the scripts are available here, if anyone
is interested:

	http://www.wittsend.com/mhw/2005/encrypt-this/

	It requires busybox and and cryptsetup-luks, but nothing radical and
it's all added on top of FC.  I didn't even modify mkinitrd the way some
people have.  I just patch the initrd blob after the fact.

> Hope this helps,

> James.
> 
> -- 
> E-mail address: james | Beneath this stone lies Murphy,
> @westexe.demon.co.uk  | They buried him today,
>                       | He lived the life of Riley,
>                       | While Riley was away.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]