Followed "Hardening CentOS" Guide - Can no longer log in

Support for security such as Firewalls and securing linux
oogabubchub
Posts: 2
Joined: 2011/04/04 08:22:12

Followed "Hardening CentOS" Guide - Can no longer log in

Post by oogabubchub » 2011/04/04 08:36:13

Please excuse my extreme frustration - I recently followed the CentOS Hardening guide (http://wiki.centos.org/HowTos/OS_Protection) and can no longer log into SSH because there was no clarification that passwords would need to be reset after changing the md5 hashing scheme. These are the instructions found in the guide:

[quote]The command below will update your system to use sha512 instead of md5 for password protection. This alleviates a number of bureaucratic security issues regarding the security of md5 for password protection. It also keeps the people wearing tinfoil hats happy too.

[code]authconfig --passalgo=sha512 --update[/code][/quote]

Now, it may seem obvious to many of you that passwords set before the change would no longer work, but some of us are new to configuring servers (and even working with Linux). It would have been nice if that crucial step had been mentioned. Because it wasn't, my root password no longer works.

Any ideas on how to fix this? Am I going to have to have the entire OS re-installed, thus negating the days of awful stumbling in the dark trying to configure this server? Note: I purchased the server space from a hosting company, so I don't have physical access to the server.

I've also posted this question over at Server Fault:
http://serverfault.com/questions/255307/passwords-no-longer-work-after-changing-security-settings

TrevorH
Forum Moderator
Posts: 30559
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Followed "Hardening CentOS" Guide - Can no longer log in

Post by TrevorH » 2011/04/04 09:59:02

Do you still have ssh access to the server using a normal userid? Does that userid have sudo access? If so then you can get root access that way and reset the password. Otherwise I think you will need to boot from CD/DVD in rescue mode and change the password that way - this will not require a complete reinstallation.

Evolution
Posts: 229
Joined: 2005/02/22 16:10:54
Location: Houston Texas

Followed "Hardening CentOS" Guide - Can no longer log in

Post by Evolution » 2011/04/04 13:22:33

The authconfig command is not your problem.
The system will still honor older md5 style passwords, however any NEW password will be created with sha512 encryption. This is handled via the beginning strings of the password in /etc/shadow. You'll either see a $1$ for md5 passwords, or a $6$ for the sha512 passwords. It works fine.

Most likely, you removed root's ability to log into the system from anything except the physical terminal because that's spelled out earlier in the guide.

There are other options of course, but it sounds a bit like you followed the steps of the guide without testing them or without fully reading and understanding what they do to your system.
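The prefix check described in the post above, as an added example that is not part of the original thread: it classifies each entry in shadow(5)-format input by the prefix of its password field. The function names and the sample entries are constructed for illustration; on a real system the input would be `/etc/shadow`, read as root.

```shell
#!/bin/sh
# Added example: classify each account in shadow(5)-format input by the
# prefix of its password field. All sample data below is constructed.

# Reads shadow-format lines on stdin; prints "user scheme" for each entry.
shadow_schemes() {
    awk -F: '
        NF < 2 { next }                       # skip blank or malformed lines
        {
            h = $2
            if      (h == "")        s = "empty"    # no password set
            else if (h ~ /^[!*]/)    s = "locked"   # locked or login disabled
            else if (h ~ /^\$1\$/)   s = "md5"
            else if (h ~ /^\$5\$/)   s = "sha256"
            else if (h ~ /^\$6\$/)   s = "sha512"
            else                     s = "other"
            print $1, s
        }'
}

# Counts the entries on stdin that use the scheme named in $1.
count_scheme() {
    shadow_schemes | awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Constructed sample: root still has its old MD5 hash, alice changed her
# password after the switch to sha512. Neither hash is real.
SAMPLE_SHADOW='root:$1$CONSTRCT$notARealMd5HashValue00:15068:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$notARealSha512HashValue:15069:0:99999:7:::
daemon:*:14900:0:99999:7:::
bob:!!:15069:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | shadow_schemes
echo "accounts still on md5: $(printf '%s\n' "$SAMPLE_SHADOW" | count_scheme md5)"
```

Entries reported as `md5` are the ones that will only move to `$6$` the next time their password is changed.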

toracat
Forum Moderator
Posts: 7462
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Followed "Hardening CentOS" Guide - Can no longer log in

Post by toracat » 2011/04/04 15:54:44

Just a short note to add that [b]Evolution[/b] is the author of that CentOS wiki article. :-)

oogabubchub
Posts: 2
Joined: 2011/04/04 08:22:12

Re: Followed "Hardening CentOS" Guide - Can no longer log in

Post by oogabubchub » 2011/04/04 18:59:22

[quote]
Evolution wrote:
The authconfig command is not your problem.
The system will still honor older md5 style passwords, however any NEW password will be created with sha512 encryption. This is handled via the beginning strings of the password in /etc/shadow. You'll either see a $1$ for md5 passwords, or a $6$ for the sha512 passwords. It works fine.

Most likely, you removed root's ability to log into the system from anything except the physical terminal because that's spelled out earlier in the guide.

There are other options of course, but it sounds a bit like you followed the steps of the guide without testing them or without fully reading and understanding what they do to your system.[/quote]

While I wish that were the case, it's not. I did in fact read everything I changed, and therefore I skipped the part where it restricts root's ability to log in anywhere else. If it's not the encryption change, the only other reason I could see that I'm having problems is the PAM modifications. These modifications also started giving me an error before I signed off - "passwd: Module is unknown" when trying to change a user's password.

Evolution
Posts: 229
Joined: 2005/02/22 16:10:54
Location: Houston Texas

Re: Followed "Hardening CentOS" Guide - Can no longer log in

Post by Evolution » 2011/04/04 19:29:38

That could indeed be an issue with the system-auth pam file. If you're not able to get into the system remotely, then you would need to be able to connect to rescue mode somehow (remote KVM etc).
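"Module is unknown" is the message PAM returns when a configuration line names a module it cannot load. The following added example (not part of the original thread) lists every module named in a PAM file that is missing from the module directories given; run against an edited `system-auth` before closing the working session, it catches a misspelled or absent module. The function names, the demo file and its typo are constructed, and the module directory is passed in as an assumption (`/lib/security` or `/lib64/security` on CentOS 5).

```shell
#!/bin/sh
# Added example: report PAM modules named in a config file that do not exist.
# Usage: pam_missing_modules FILE MODULE_DIR [MODULE_DIR...]
pam_missing_modules() {
    conf=$1; shift
    # Drop comments, collapse a bracketed control such as [success=1 ...] to
    # one word so the module is always field 3, and skip include/substack
    # lines, whose third field is another config file rather than a module.
    sed -e 's/#.*//' -e 's/\[[^]]*]/BRACKET/' "$conf" |
    awk 'NF >= 3 && $2 != "include" && $2 != "substack" { print $3 }' |
    sort -u |
    while read -r mod; do
        found=no
        case $mod in
            /*) if [ -e "$mod" ]; then found=yes; fi ;;
            *)  for d in "$@"; do
                    if [ -e "$d/$mod" ]; then found=yes; fi
                done ;;
        esac
        [ "$found" = yes ] || echo "$mod"
    done
}

# Constructed demo: a fake module directory plus a system-auth-style file in
# which one module name is misspelled. Nothing here touches /etc/pam.d.
demo_pam_check() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/security"
    touch "$tmp/security/pam_env.so" "$tmp/security/pam_unix.so" \
          "$tmp/security/pam_deny.so"
    cat > "$tmp/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    required      pam_craklib.so retry=3   # constructed typo
password    [success=1 default=ignore] pam_unix.so sha512 shadow
session     include       other-file
EOF
    pam_missing_modules "$tmp/system-auth" "$tmp/security"
    rm -rf "$tmp"
}

demo_pam_check
```

An empty result means every module the file names was found; any name printed is a line that will fail to load.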
