Regarding sudo - Setup



Thread: Regarding sudo

  1. Re: Regarding sudo

    ArameFarpado writes:
    > Are you saying that mathematical operations, however complex they
    > are, can not be done in reverse? sorry, but i don't buy that, it is
    > against mathematical laws.


    You need to study more math, especially hash functions and cryptography. I
    suggest that you start here:


    > That is just about 1 or 2 seconds for each attempt... it should have
    > bigger delays growing proportional to the number of failed attempts.


    Not needed. There are only 31,536,000 seconds in a year.
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  2. Re: Regarding sudo

    On 12 Jul, 13:28, ArameFarpado wrote:

    > imagine a trojan changing your own pass to "cracked" and starting to use sudo...
    > if you are a sudoer, you're in big trouble... the trojan can do whatever it
    > likes...


    That's a keyboard monitor. It has *absolutely nothing* to do
    with sudo, and is a vulnerability of anything that uses passwords for
    anything.


  3. Re: Regarding sudo

    On 2007-07-13, ArameFarpado wrote:

    > Are you saying that mathematical operations, however complex they are,
    > can not be done in reverse? sorry, but i don't buy that, it is against
    > mathematical laws.


    You don't buy that? Okay, here you go: If x and y are real
    numbers, and x + y = 42, then what's x? The hashing function
    is similar: easy to compute forward, exceedingly difficult to
    compute backwards.

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  4. Re: Regarding sudo

    On Friday, 13 July 2007 04:51, Keith Keller wrote:

    >> Are you saying that mathematical operations, however complex they
    >> are, can not be done in reverse? sorry, but i don't buy that, it is
    >> against mathematical laws.

    >
    > You don't buy that? Okay, here you go: If x and y are real
    > numbers, and x + y = 42, then what's x?

    Doesn't matter at all: if only the hash is tested for a match, all possible
    results going backwards are valid results

    x & y could be 30+12, 40+2, 10+32, no matter... going this way, after
    several operations you will get to lots of valid possibilities

    > The hashing function
    > is similar: easy to compute forward, exceedingly difficult to
    > compute backwards.

    but there is no need to find the exact starting point; all of the possible
    results are valid.

    i really can't see how an equation can be irreversible when it doesn't
    matter if you go back by the same path you came forward in the first place.
    i see no difference between starting with "qwertyuiopeer123", processing to a
    hash, picking the hash, reversing the process and getting to "m839nsk9" (among
    others), if both passwords collide in the same hash.

    i say: if you know the hash and know the sequence of operations, you can go
    back... you will never know what password was inserted in the beginning,
    but you will get more than one valid password, and i bet every result
    you'll get will be valid as a password.

    only the hash is tested for a match!

    regards


  5. Re: Regarding sudo

    ArameFarpado writes:
    > i really can't see how an equation can be irreversible when it doesn't
    > matter if you go back by the same path you came forward in the first
    > place. i see no difference between starting with "qwertyuiopeer123", processing to
    > a hash, picking the hash, reversing the process and getting to "m839nsk9"
    > (among others), if both passwords collide in the same hash.


    Here is an md5sum: 4d5fcfe735a39ff224d7cf2bac0d8aa7 Reverse it. You
    have the source for the program and the algorithm is extensively documented
    on the Web.

    > i say: if you know the hash and know the sequence of operations, you can
    > go back... you will never know what password was inserted in the
    > beginning, but you will get more than one valid password, and i bet
    > every result you'll get will be valid as a password.


    People with PhDs in cryptography disagree with you. Post your source code
    and you'll soon be rich and famous.
    --
    John Hasler
    john@dhh.gt.org
    Dancing Horse Hill
    Elmwood, WI USA

  6. Re: Regarding sudo

    On Friday, 13 July 2007 15:41, John Hasler wrote:

    >> a hash, picking the hash, reversing the process and getting to "m839nsk9"
    >> (among others), if both passwords collide in the same hash.

    >
    > Here is an md5sum: 4d5fcfe735a39ff224d7cf2bac0d8aa7 Reverse it. You
    > have the source for the program and the algorithm is extensively
    > documented on the Web.


    Dammit, these aren't just mathematical operations; it also combines logical
    operations (XOR, AND, OR, NOT), and even though i studied a little boolean
    algebra in my digital electronics studies, that was 20 years ago and i
    can't remember ****...

    they process the password bit by bit and chew it with these logical
    operations. maybe i'm not qualified to write a reverse logical sequence, but
    i'm not the only one having the same doubts...

    found this at http://en.wikipedia.org/wiki/MD5

    Vulnerability

    Recently, a number of projects have created MD5 "rainbow tables" which are
    easily accessible online, and can be used to reverse many MD5 hashes into
    strings that collide with the original input, usually for the purposes of
    password cracking.

    and there is also this: http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf

    See? it doesn't matter if the result matches the original password, if both
    produce the same hash.




    Ok, but let's not continue this, i know that there is no normal way to pick
    the hash, and i'm focusing now on the timestamp situation...
    and i can't find info on whether, during the timestamp, sudo will allow itself
    to be used by any program that has the UID of the user that started the
    timestamp, nor whether sudo only allows commands typed on a konsole or if it
    also allows something that comes out of a script or program.

    man sudo doesn't specify this and i can't find info about it...

    regards
    ArameFarpado




  7. Re: Regarding sudo

    ArameFarpado wrote:
    >
    > passwords are stored in /etc/passwd or /etc/shadow, encrypted? yes.
    > but the decrypting sequence is also stored in the system, or not even the
    > system could read it.


    UNIX passwords have not been reverse engineered in 40 years.
    More than once they have been switched to stronger encryption
    to ensure they can't be beaten in under a year by brute force
    attacks. If you're the one to beat them, go for it. But you have
    already mentioned elsewhere in the thread that you lack the
    mathematical background to be able to do so. Yet because you
    lack the mathematical background to do so you think someone
    else can. No they can't.

    > no idea? google for "recover root password" and you will find how to do it:
    >
    > --computer A had its root password forgotten.
    >
    > --copy files /etc/passwd and /etc/shadow of computer B to a usb-pen.
    >
    > --boot computer A with a live-cd.
    >
    > --replace existing files on disk with the ones on the pen.
    >
    > --now, the root password of computer A is the same as that of computer B


    The flaw in your approach - Show me a remote cracker with physical
    access to my hosts. With physical access I don't even need the
    passwd and shadow files from some other host. All I need to do is
    boot from a CDROM and I can edit those files to remove the password.
    That approach never tells you a password it just sets it.

    Configure sudo to give root without a password and your objections
    are valid. Don't do that. Configure sudo to ask for your password,
    and how is a cracker that gained access to your account going to
    know your password? Only root can set passwords without knowing
    the previous one.

    > do you guys think i'm some newbie that doesn't know what he is talking about?


    Absolutely. That's quite clear. You're mixing arguments that require
    physical access with ones available to remote crackers among other
    flaws.


  8. Re: Regarding sudo

    On 2007-07-13, ArameFarpado wrote:
    >
    > Ok, but let's not continue this, i know that there is no normal way to pick
    > the hash, and i'm focusing now on the timestamp situation...
    > and i can't find info on whether, during the timestamp, sudo will allow itself
    > to be used by any program that has the UID of the user that started the
    > timestamp, nor whether sudo only allows commands typed on a konsole or if it
    > also allows something that comes out of a script or program.
    >
    > man sudo doesn't specify this and i can't find info about it...


    Look in man sudoers.

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information

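    The sudoers options that govern the question asked above (whether a cached
    credential is reusable by other processes of the same user, and for how long)
    are shown here as an added illustration; this fragment is not part of the
    thread and the values are chosen for the example, not taken from any poster's
    system.

    ```conf
    # /etc/sudoers fragment (edit with visudo) - added example, not from the thread.

    # Weak: the default cached credential lasts several minutes and, without
    # tty_tickets, is shared by every sudo invocation run under the same UID,
    # whether typed in a terminal or started from a script.
    #Defaults timestamp_timeout=15

    # Hardened option 1: never cache; every sudo invocation prompts for the
    # password, so a cached credential cannot be reused by another process.
    Defaults timestamp_timeout=0

    # Hardened option 2: keep a short grace period but tie the cached credential
    # to the terminal that authenticated, so a process started on a different
    # terminal does not inherit it.
    Defaults timestamp_timeout=5, tty_tickets

    # Cap password attempts per invocation (sudo's default is 3).
    Defaults passwd_tries=3
    ```

    Use either option 1 or option 2, not both; `sudo -k` discards a cached
    credential immediately regardless of the timeout.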

  9. Re: Regarding sudo

    ArameFarpado wrote:
    > there is no root account, and everything is done using sudo, so sudo gives
    > access to everything.
    >


    I am running Ubuntu Feisty Fawn Server


    [nathan@linux1] ~ $ su
    Password:
    root@linux1:/home/nathan# id
    uid=0(root) gid=0(root) groups=0(root)
    root@linux1:/home/nathan#

    --
    N. Marshall
    There are 10 types of people in the world:
    Those that know binary
    Those that do not know binary

  10. Re: Regarding sudo

    On Monday, 16 July 2007 23:48, Mr. N. Marshall wrote:

    > ArameFarpado wrote:
    >> there is no root account, and everything is done using sudo, so sudo
    >> gives access to everything.
    >>

    >
    > I am running Ubuntu Feisty Fawn Server
    >
    >
    > [nathan@linux1] ~ $ su
    > Password:
    > root@linux1:/home/nathan# id
    > uid=0(root) gid=0(root) groups=0(root)
    > root@linux1:/home/nathan#
    >


    you have activated your root account; that is not the default config of
    ubuntu

  11. Re: Regarding sudo

    ArameFarpado wrote:
    > On Monday, 16 July 2007 23:48, Mr. N. Marshall wrote:
    >
    >> ArameFarpado wrote:
    >>> there is no root account, and everything is done using sudo, so sudo
    >>> gives access to everything.
    >>>

    >> I am running Ubuntu Feisty Fawn Server
    >>
    >>
    >> [nathan@linux1] ~ $ su
    >> Password:
    >> root@linux1:/home/nathan# id
    >> uid=0(root) gid=0(root) groups=0(root)
    >> root@linux1:/home/nathan#
    >>

    >
    > you have activated your root account; that is not the default config of
    > ubuntu

    I never activated anything. All I did was set the password:

    sudo passwd root

    I specified a new Linux password for the root user and that's all I did.
    Just because you can't login to X Windows as root doesn't mean the
    account doesn't exist.

    https://help.ubuntu.com/community/RootSudo

    *Perhaps* you are meaning "locked" as per the site above rather than
    de-activated.

