Securing Knoppix - is it possible?



jensen
04-02-2003, 10:27 PM
How do I secure knoppix so that a user can't do a Control-Alt-F2 and get a root shell?

After setting up and configuring kdm and kdmrc, I can secure the GUI login, but I haven't found a way of preventing a passer-by from doing a Control-Alt-F2 and becoming root. Is this possible?

Lars.

rickenbacherus
04-02-2003, 10:28 PM
http://www.knoppix.net/docs/index.php/FaqUsing

jensen
04-02-2003, 10:33 PM
Sorry, I don't understand what you're referring to here. I checked your link, but didn't find the answer to my question. Could you please be a little more verbose?

Thanks for your help.
Lars.

rickenbacherus
04-02-2003, 10:54 PM
I actually have Knoppix installed to my hard drive and I'm not able to boot the cd at this particular moment so I can't say for sure but I think setting a password should do the trick. Post back if not.

jensen
04-02-2003, 11:02 PM
No, I tried that already. I set a password, and issued an exit to log out of terminal 2, but it didn't log me out....

Thanks,
Lars.

RockMumbles
04-03-2003, 04:57 PM
Look at /etc/inittab; near the bottom you should see the tty lines, like this:

From my knoppix live cd session:

# <id>:<runlevels>:<action>:<process>
# 4 virtual consoles with immortal shells
1:12345:respawn:/bin/bash -login >/dev/tty1 2>&1 </dev/tty1
2:2345:respawn:/bin/bash -login >/dev/tty2 2>&1 </dev/tty2
3:2345:respawn:/bin/bash -login >/dev/tty3 2>&1 </dev/tty3
4:2345:respawn:/bin/bash -login >/dev/tty4 2>&1 </dev/tty4


These lines are from my debian woody system:


1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6

Either comment out the tty lines so you have no logged-in terminals started up, or change them to getty lines like a stock Linux would use.

rock

Dave_Bechtel
04-04-2003, 09:40 AM
--This is good; but should your GUI fail, you would have no way to log in. Always leave yourself a failsafe:

S0:12345:respawn:/sbin/agetty -L 9600 ttyS0

--This enables you to login over the Serial port.

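Rock's fix (replace the immortal bash entries with getty lines) and Dave's failsafe (keep a serial getty so a broken GUI still leaves a way in) put together as one added example; this script is not from the thread, from Knoppix or from Debian. It also shows why Lars's "exit" did nothing: the action field is "respawn", so init starts a fresh root bash the moment the old one exits. The script audits an inittab-format file for respawn entries that start a shell with no login in front of it, then emits a hardened copy. Assumptions, all constructed here: the sample inittab content, the rule that entry id N owns ttyN (true of both inittabs quoted above), the shell names it looks for, and /sbin/getty and /sbin/agetty at the paths the thread uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from Knoppix.
# Audits a sysvinit-style inittab for "respawn" entries that start a login
# shell directly (the "immortal shells" quoted above: typing "exit" on such a
# tty just makes init respawn another root bash) and prints a hardened copy
# that swaps them for getty lines, keeping a serial console as a failsafe.
# All file contents below are constructed samples, not taken from a real system.

# Write a constructed inittab in the style of the Knoppix lines quoted above.
make_sample_inittab() {
    cat > "$1" <<'EOF'
# /etc/inittab (constructed sample)
id:5:initdefault:
si::sysinit:/etc/init.d/rcS
# 4 virtual consoles with immortal shells
1:12345:respawn:/bin/bash -login >/dev/tty1 2>&1 </dev/tty1
2:2345:respawn:/bin/bash -login >/dev/tty2 2>&1 </dev/tty2
3:2345:respawn:/bin/bash -login >/dev/tty3 2>&1 </dev/tty3
4:2345:respawn:/bin/bash -login >/dev/tty4 2>&1 </dev/tty4
5:2345:respawn:/sbin/getty 38400 tty5
EOF
}

# Print the id of every non-comment "respawn" entry whose process is a shell
# (bash, sh, dash, zsh) rather than a getty, one id per line. A shell spawned
# by init with no login in front of it is a passwordless root console.
find_immortal_shells() {
    grep -v '^[[:space:]]*#' "$1" | awk -F: '
        $3 == "respawn" {
            split($4, p, " "); prog = p[1]
            sub(/.*\//, "", prog)       # basename: /bin/bash -> bash
            if (prog == "bash" || prog == "sh" || prog == "dash" || prog == "zsh")
                print $1
        }'
}

# Emit a hardened inittab on stdout: each immortal-shell entry becomes a
# getty line (assumes entry id N owns ttyN, as in both inittabs quoted in the
# thread), and a serial getty on ttyS0 is appended if none exists so that a
# broken GUI still leaves a way in (115200 baud, as Dave suggests).
harden_inittab() {
    awk -F: -v OFS=: '
        /^[[:space:]]*#/ || NF < 4 { print; next }
        $3 == "respawn" {
            split($4, p, " "); prog = p[1]
            sub(/.*\//, "", prog)
            if (prog == "bash" || prog == "sh" || prog == "dash" || prog == "zsh")
                $4 = "/sbin/getty 38400 tty" $1
        }
        $1 == "S0" { have_serial = 1 }
        { print }
        END {
            if (!have_serial)
                print "S0:12345:respawn:/sbin/agetty -L 115200 ttyS0"
        }' "$1"
}

# Demo on the constructed sample (a real audit would pass /etc/inittab).
tmp=$(mktemp)
make_sample_inittab "$tmp"
echo "Entries that respawn a root shell with no login:"
find_immortal_shells "$tmp"
echo
echo "Hardened inittab:"
harden_inittab "$tmp"
rm -f "$tmp"
```

After writing the hardened file over /etc/inittab on a hard-disk install, "telinit q" makes init re-read it; init does not kill a bash that is already sitting on a console, so the getty only takes over an entry the next time it respawns (exit each shell, or reboot). On a live CD the file lives on read-only media, so the change has to be remastered or otherwise persisted to survive a reboot.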

Henk Poley
04-04-2003, 08:49 PM
--This enables you to login over the Serial port.
Uhm, handy, now I always have a spare serial-2-serial cable hanging around...

Not to upset you but, I don't think this is very useful for the average newbie user.

rickenbacherus
04-04-2003, 11:18 PM
Not to upset you but, I don't think this is very useful for the average newbie user.

No perhaps not, however I have an old 486 laptop with no other way to connect to the internet than serial ->null modem cable and this has been quite useful for me.

right on Rock, Dave.

Dave_Bechtel
04-05-2003, 11:34 PM
--Linux is not for newbies that want to REMAIN newbies. WinDoze is good enough for them. I'm an old DOS hound, used to the command line, and it was still a *steep* learning curve for me. It's taken me *years* of reading everything I could get my hands on about Linux to reach this point, where I am able to help the majority of people posting on this board.

--You have to have a certain mentality going in to Linux usage - a willingness to experiment, to do research (LOTS of research), to ask for help, and eventually give back to the community in some way.

--I don't mind helping people out - I'll give it a shot if I have something to contribute. I'll even try again and again if what I posted isn't working for them... But I'm not here to hold people's hands and babysit. At some point they need to have the confidence to do things on their own. If somebody's too afraid to type something on the command line, well maybe they should *hire* someone to help them with that Linux install. This *is* a free-support forum after all. :roll:

--Disabling *all* login ttys is something of a newbie-trap. Basically it leaves you with a ticking-time-bomb system that will need a reboot unless you have *some* way to get in; whether it's ssh (and what if your network is down?) or direct-serial connection. I don't take offense at your post, Henk; but if my contribution didn't help the "newbie" I don't really mind - it *will* help others.

--BTW, I would increase the port rate from 9600 to 115200 as well. ;-)
