From: Arthur Chance
Date: Tue, 03 Mar 2015 12:55:01 +0000
To: fluxwatcher@gmail.com, freebsd-questions@freebsd.org
Subject: Re: Check root password changes done via single user mode

On 03/03/2015 09:20, Ricardo Martín wrote:
>
> Indeed, that would be a way of checking the password change, but I was
> more interested in whether such a change could be flagged as being
> carried out from single user mode.
> Or in other words, whether root's password has been reset
> by accessing the machine during the boot process.
>
> On 03/03/15 09:50, Daniel Peyrolon wrote:
>> What I would do is store a copy of root's password hash somewhere, and
>> compare it with the recent one.
>> The hash can be read at master.passwd (check passwd(5)).
>>
>> On Tue, 3 March 2015 at 9:02, Ricardo Martín (<fluxwatcher@gmail.com>) wrote:
>>
>>> hi all,
>>>
>>> wondering which would be the best approach to script check if the root
>>> password has been changed via single user mode.

What threat model are you considering? If you're worried about someone without normal root access but with access to the console rebooting into single user mode and changing the password, mark the console as insecure in /etc/ttys, and then the root password will be needed to log in even in SUM.

As Bruce Schneier says, there's no such thing as perfect security, it all depends on what costs (in money, time, or effort) attacker and defender are prepared to pay.

--
Those who do not learn from computing history are doomed to GOTO 1
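
Added example, not part of the original thread: a /bin/sh sketch of the two checks discussed above, the "insecure" console flag in /etc/ttys and the comparison of root's hash against a saved copy. The function names, the baseline file and the sample data are assumptions made for illustration; the demo runs against constructed files, not the live system.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# console_is_insecure FILE: check the first "console" entry of a ttys(5)-format
# file for the explicit "insecure" keyword described in the reply above.
# Returns 0 = insecure, 1 = secure or unflagged, 2 = no console entry.
console_is_insecure() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "console" {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "insecure") insecure = 1
                else if ($i == "secure") insecure = 0
            }
            exit                                 # first entry wins
        }
        END { if (!found) exit 2; exit (insecure ? 0 : 1) }
    ' "$1"
}

# root_hash FILE: print the password field of root in a master.passwd-format file.
root_hash() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# root_hash_changed PASSWD_FILE BASELINE_FILE: returns 0 if root's current hash
# differs from the saved copy. It cannot tell how the change was made.
root_hash_changed() {
    [ "$(root_hash "$1")" != "$(cat "$2")" ]
}

# Constructed sample files standing in for /etc/ttys, /etc/master.passwd and a
# root-only baseline file (hypothetical path).
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/ttyschk.XXXXXX")
printf '%s\n' '# name  getty  type  status' \
    'console none unknown off insecure' \
    'ttyv0 "/usr/libexec/getty Pc" xterm on secure' > "$demo_dir/ttys"
printf '%s\n' 'root:$6$constructed$OLDHASH:0:0::0:0:Charlie &:/root:/bin/csh' \
    > "$demo_dir/master.passwd"
printf '%s\n' '$6$constructed$OLDHASH' > "$demo_dir/root.baseline"

console_is_insecure "$demo_dir/ttys" && echo "console: insecure" || echo "console: NOT marked insecure"
root_hash_changed "$demo_dir/master.passwd" "$demo_dir/root.baseline" \
    && echo "root hash: CHANGED since baseline" || echo "root hash: unchanged"
```

The baseline file holds a password hash, so it needs the same protection as master.passwd, and anyone who can edit it from single user mode can also update it to match.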