On Mon, 2006-03-13 at 18:07 +0000, James Wilkinson wrote: > Feris Thia wrote: > > I've heard that root access can be recovered if we forget the password > > or something causes authentication failed. How is that done ? > > One way of doing it is to use a live CD (e.g. Knoppix) and mounting the > Fedora drives, then resetting the root password. I understand that the > Fedora recovery CD can do this as well. Alternatively, you could just > temporarily install the hard drive in another PC. > > Another way is to play with the kernel command line in grub, asking the > kernel to use a shell instead of init. > > Obviously, this all needs physical access. > > > And if so... I want it to be completely unrecoverable.. How can I do that ? > > You would have to have an encrypted root filesystem. Googling suggests > http://www.linuxjournal.com/article/7743 might be one place to start. > Please note that you will be leaving standard Fedora behind. You will > have to put something like exclude=initscripts in your /etc/yum.conf, > and you will not be able to (easily) upgrade this box from one Fedora > version to another: you will have to repeat the whole process. Actually, it's not all that difficult. I've got some scripts for using dm-crypt that modify the initrd image and add a few scripts and binaries and then write the thing out to a USB key. You boot from the USB key and enter a master password and it then decrypts and mounts the root file system. The boot key has utility options encrypting and decrypting the partitions. Each time you update your system, you just rerun the setup script and it freshens up your key with the new kernel. If you don't also encrypt your boot partition, you can boot from the hard drive (I've got a "Boot of Last Resort" option in there that allows you to just decrypt your boot partition and reboot in case you forgot to update your key) and enter your master password there. It also produces a CD image that can be burned for a boot CD. I update the system, all the time, with yum, no problem. It's just that, if the kernel gets updated, you have to rerun the script for each USB key (I keep backups, needless to say). To upgrade the system to a new version of Fedora Core, you would either have to use the, not recommended, yum upgrade method or, if you are going to boot a hard CD install boot, decrypt the partitions in place, upgrade the system, rebuild the keys, and then (presuming the new system didn't break the crypto setup scripts) reencrypt the partitions. I get to figure out how well that works when FC5 comes out. ;-) I doubt not that the scripts will need some tinkering then. The scripts let you encrypt or decrypt your partitions in place back and forth at will and support encrypted swap (static encryption) or randomly encrypted swap (new random key at each boot - no suspend to swap here). Never been tested with LVM, though... I did a presentation on it last year for the Atlanta Linux Enthusiasts (ALE). The presentation and the scripts are available here, if anyone is interested: http://www.wittsend.com/mhw/2005/encrypt-this/ It requires busybox and and cryptsetup-luks, but nothing radical and it's all added on top of FC. I didn't even modify mkinitrd the way some people have. I just patch the initrd blob after the fact. > Hope this helps, > James. > > -- > E-mail address: james | Beneath this stone lies Murphy, > @westexe.demon.co.uk | They buried him today, > | He lived the life of Riley, > | While Riley was away. Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@xxxxxxxxxxxx /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Attachment:
signature.asc
Description: This is a digitally signed message part
