From: Julien Gormotte
Date: Fri, 12 Feb 2010 15:54:11 +0100
CC: freebsd-questions@freebsd.org
Subject: Re: PASSWORD LOST!!

On 12/02/2010 15:19, Adam Vande More wrote:
> On Fri, Feb 12, 2010 at 8:05 AM, John wrote:
>
>> People, people - be careful that we are not creating a formula to
>> break into FreeBSD servers around the world...
>>
>> The only acceptable solution is for someone in Eric's organization
>> to secure physical access to the server. It may be in a co-lo
>> situation, but if that's true, they must have a contract open and,
>> if nothing else, they terminate the contract and get the machine
>> back, though more likely, the contract allows them supervised
>> access.
>>
>> Machines are not perfect - even without losing the root
>> password, they break and need maintenance - this is a MAINTENANCE
>> event and should be treated as such, just like a hard drive failure
>> or a NIC failure.
>>
>> Creating a scheme for someone to break into FreeBSD systems remotely
>> or to publicize schemes people have created to remotely manage their
>> systems in ways that could be used to compromise them is foolishness!
>>
>> Regardless of the purity of his intention, Eric is asking us to
>> tell him how to break into our homes or steal our cars. ;)
>
> Security through obscurity is no security, hence it is a good exercise.
>
> --
> Adam Vande More

I have to agree.

Plus, these ways of setting the root password are not "breaking into" the server. If you have a KVM over IP, it is like physical access. And rescue disks are used for these kinds of situations (among others, like kernel config errors and such). These methods are just what they are: recovery methods. In a dedicated server situation, you are supposed to be the only one to have access to the rescue systems.

If we were discussing gaining root privileges from a normal user account, or remotely (using security holes in PHP scripts, or in CGI, or... any other thing...), your complaint would somehow make sense (but in fact, it wouldn't, because these security holes don't have to be hidden, they have to be corrected).