Looking at the /etc/shadow in our official AMI ami-6e3a6a2b, I observed that root and ec2-user have passwords. Why are they left in? I suppose they do not hurt much, since sshd_config sets PasswordAuthentication and PermitRootLogin to no. Still, I'm just curious what they are.
Even better, let's think in reverse: if the creator accidentally used a real root password, can I crack any interesting servers by cracking the root password and then applying it to bits of Fedora infrastructure (I know it's not 3-DES anymore, but still)?
-- Pete
On Thu, Nov 18, 2010 at 10:19:51PM -0700, Pete Zaitcev wrote:
> Looking at the /etc/shadow in our official AMI ami-6e3a6a2b, I observed that root and ec2-user have passwords. Why are they left in? I suppose they do not hurt much, since sshd_config sets PasswordAuthentication and PermitRootLogin to no. Still, I'm just curious what they are.
> Even better, let's think in reverse: if the creator accidentally used a real root password, can I crack any interesting servers by cracking the root password and then applying it to bits of Fedora infrastructure (I know it's not 3-DES anymore, but still)?
The passwords seem to be reset in /etc/rc.local by a random string. I was surprised to see the passwords change upon every reboot, but then found the cause and thought that maybe the AMI authors had good reason to set it up this way.
On Fri, 19 Nov 2010, Jan Pazdziora wrote:
> On Thu, Nov 18, 2010 at 10:19:51PM -0700, Pete Zaitcev wrote:
> > Looking at the /etc/shadow in our official AMI ami-6e3a6a2b, I observed that root and ec2-user have passwords. Why are they left in? I suppose they do not hurt much, since sshd_config sets PasswordAuthentication and PermitRootLogin to no. Still, I'm just curious what they are.
> > Even better, let's think in reverse: if the creator accidentally used a real root password, can I crack any interesting servers by cracking the root password and then applying it to bits of Fedora infrastructure (I know it's not 3-DES anymore, but still)?
> The passwords seem to be reset in /etc/rc.local by a random string. I was surprised to see the passwords change upon every reboot, but then found the cause and thought that maybe the AMI authors had good reason to set it up this way.
shouldn't !! lock the password without disabling the account? Or is that behavior different for the root account?
-Mike
On Tue, Nov 30, 2010 at 9:42 PM, Mike McGrath mmcgrath@redhat.com wrote:
> shouldn't !! lock the password without disabling the account? Or is that behavior different for the root account?
Yes, I think you're correct. It's my understanding that it is the same for the root account as it is for any other.
-- Jared Smith
Fedora Project Leader
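As an added example (not part of the thread), a POSIX shell script that classifies the password field of /etc/shadow entries along the lines Mike's `!!` question raises, so an image builder can check that no account ships with a usable hash; the sample shadow lines are constructed and the hashes are placeholders:

```shell
#!/bin/sh
# Classify the password field (2nd field) of an /etc/shadow entry.
# "!!" or "!"   -> locked, no valid hash; account itself still usable
#                  via SSH keys or sudo, which is what an AMI wants
# "*"           -> no password login possible
# ""            -> empty password (login without one where PAM allows it)
# "!<hash>"     -> a hash locked with `passwd -l`, reversible with `passwd -u`
# "$..."        -> a usable hash, crackable offline if the file ever leaks
shadow_pw_state() {
    case "$1" in
        "")        echo "EMPTY" ;;
        '!'|'!!')  echo "locked" ;;
        '*')       echo "disabled" ;;
        '!'*)      echo "locked-hash" ;;
        '$'*)      echo "hash" ;;
        *)         echo "unknown" ;;
    esac
}

# Read shadow-format lines from stdin and print "user state" per line.
audit_shadow() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(shadow_pw_state "$pw")"
    done
}

# Constructed sample; the hash strings are placeholders, not credentials.
SAMPLE_SHADOW='root:$6$SALTSALT$PLACEHOLDERHASH:14900:0:99999:7:::
ec2-user:!!:14900:0:99999:7:::
bin:*:14900:0:99999:7:::
guest::14900:0:99999:7:::
svc:!$6$SALTSALT$PLACEHOLDERHASH:14900:0:99999:7:::'

# Number of accounts carrying a usable hash; an image builder wants this
# to be zero before publishing (here root still has one).
count_usable_hashes() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | grep -c ' hash$'
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On a real system the same check is `audit_shadow < /etc/shadow` as root; anything reported as `hash` or `EMPTY` should be locked with `passwd -l` before the image is published.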
cloud@lists.stg.fedoraproject.org