Debian Locks Out Developers
daria42 wrote in with an update to an earlier story about a Debian server that was compromised. He explains: "The Debian GNU/Linux project has discovered a compromised developer account was used to gain access to a server compromised this week. A local kernel vulnerability was then used to gain root access. Due to this, a number of developers with weak passwords have been locked out of their system accounts." To be fair, they'll most likely be let in once everything's back to normal. Of course, they'll probably need to set safer passwords too.
I guess I should be more specific. My point was that people were putting strings of letters and/or numbers in sequence as their password because they were forced to change them so frequently. I would argue that any string which is sequential is less secure than a randomized number. Like putting 1234 as your ATM PIN... it leads to easy shoulder surfing.
Thus people would pick their first name, Peter123 if I was to use my own name as an example. I'm comparing this to passwords that I had to use at Sandia National Labs, which were randomized letter and number strings generated by computer: the user was presented with a screen of 30 passwords and you were allowed to pick any of the 30, or to generate a screen of 30 more passwords... People would pick things that made sense to them but were completely randomized and were never a dictionary word or even a common shorthand for the words etc.
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
The obvious alternative is to completely disable password based ssh authentication, and force everyone to use public/private key authentication. That way you don't have to worry about the strength of your users passwords.
#include ".signature"
I have noticed what you talk about, though I've seen it go to further extremes. While at work (we run a mainly Windows network with a few hundred users) I've done further education (outside of Uni) at Australian TAFEs (basically vocational colleges) in Queensland - the TAFE I went to runs a pure Windows network with around twenty thousand plus users over several sites... Anyone who has been to one of these TAFEs understands how much of a raping they have taken from Microsoft, and I say raping because they run the 'perfect Windows network' following all of Microsoft's guidelines etc., which means some machines take over fifteen minutes to log in and are laggy as all hell once they are in.
:)
Anyway, onto the topic. They also follow the recommended guidelines for passwords, which include at least one capital, two numbers, over six chars, and cannot be any of your previous passwords (with, I believe, an 80% match so you can't just add a 1 or a 2 to it), and these roll every thirty days. Now as a geek I have my own unique password system where no two are the same, they are long, and they have numbers, and at least one capital - unfortunately there are only five or six possible combinations that meet the password system for each item, meaning after five months going to this TAFE (I was there a year part time) I ran out of passwords. This put me on the treadmill that everyone else had been on for a few months (they did a fresh roll over to XP from 98 at the start of last year) of forgetting the password (that I made up to get into the system after my old one expired) or where I wrote it down (yes, everyone wrote down their passwords in blatant places so they could find them again, which to me makes passwords null anyway) and then starting to use generic passwords that everyone else was using that month, for example t4f3IsShit or fUkp455words and the like. As you can probably see this just ends up a mockery of the idea.
So basically the point I'm trying to make is you have to be careful with what you mean by a 'good set of password rules', as if you go overboard even to the slightest extent (as I've seen happen time and time again) passwords just become a joke and you may as well not have them.
Personally I've found that if you teach people/users what a secure password is, teach them not to tell it to anyone, get them to use Firefox to avoid keyloggers, and then enforce a six to twelve month roll over, no problems ever come up. That's my happy medium and 2 cents anyway.
I ate your fish.
Ummm, no. Debian takes the whole "web of trust" thing seriously. That means that developer joecoder@example.com generates his own SSH public key and sends it in a signed email to the development server's administrator. That person verifies the email signature and puts the key in ~joecoder/.ssh/authorized_keys. Nothing more need be done.
Dewey, what part of this looks like authorities should be involved?
Hopefully then they will also implement a good set of password rules and enforce them...
I have a suggestion. Dump the password based access altogether. These are Debian developers, who by their position already NEED to both know and understand how to use GPG for signing their uploads. The concept of public-key access control/validation is their bread and butter.
Allow only public-key SSH access to Debian machines. Period.
That way, to compromise Debian server(s), any potential attacker would need to daisy-chain their targets. Break a developer's home or work box first, get their keys and their passphrases. Only then can they proceed to bigger targets.
There is no such thing as good luck. There is only misfortune and its occasional absence.
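The key-only access this post (and the earlier "disable password based ssh authentication" comment) argues for is enforced in sshd_config. As an added example, not from the original thread or from Debian's own configuration, here is a small POSIX sh audit that reads an sshd_config and reports whether password logins are still reachable, run against two constructed sample files. The directive names are OpenSSH's; treating a missing directive as "yes" is an assumption about the server's defaults.

```shell
#!/bin/sh
# Added example: audit an sshd_config for password-vs-public-key settings.
# Assumption: an absent directive takes OpenSSH's classic default of "yes".
# eff FILE DIRECTIVE DEFAULT -> effective global value of DIRECTIVE.
# sshd honours the first occurrence of a directive; anything after a
# "Match" line is conditional, so the scan stops there. Commented-out
# lines ("#PasswordAuthentication no") are not settings and are skipped.
eff() {
  awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    tolower($1) == "match" { exit }
    tolower($1) == d       { print tolower($2); found = 1; exit }
    END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE -> 0 if only public keys can log in, 1 otherwise.
audit_sshd_config() {
  f="$1"; rc=0
  if [ "$(eff "$f" PasswordAuthentication yes)" != "no" ]; then
    echo "FAIL: PasswordAuthentication not 'no' -> weak passwords are a way in"; rc=1
  fi
  if [ "$(eff "$f" ChallengeResponseAuthentication yes)" != "no" ]; then
    echo "FAIL: ChallengeResponseAuthentication not 'no' -> PAM can still ask for a password"; rc=1
  fi
  if [ "$(eff "$f" PubkeyAuthentication yes)" != "yes" ]; then
    echo "FAIL: PubkeyAuthentication disabled -> key-only policy cannot work"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $f accepts public-key authentication only"
  return "$rc"
}

# Two constructed sample configs (not Debian's files): the first leaves the
# directive commented out, so the default applies; the second is key-only
# but grants one account a password exception inside a Match block.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat >"$HARD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK"
audit_sshd_config "$HARD"
```

The Match-block exception in the second file is deliberately ignored by the global check; a full audit would list such exceptions separately, since they are exactly the accounts whose password strength still matters.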
Sure, but that's why every Debian developer has to have a GPG key. It's a requirement of the project, and GPG keys are proof of identity and revocable, and what's more, they can be used to sign SSH keys. That's how freedesktop.org works, and that's how Debian would have been working today if its hierarchy of command hadn't crumbled years ago and someone were actually in the position to mandate that logins should be done by PKI.
That said, pretty much everything else in the Debian project appears to work fine without centralised control -- it's just the little things like this that slip.
As no doubt others will make the same case, the difference here is not that Debian got pwned or the Microscum (personal bias aside
Anyone know of the latest Citibank cracks? Funny, no banks will tell us that they have been cracked, yet they are not ripped on as much...
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
CVE-2006-1173 is a vulnerability in Sendmail. Debian uses Exim by default. Why would CVE-2006-1173 cause you to ditch Debian?
How does one choose users, aka developers, on Debian?
If, for instance, someone wants to be a Debian developer, creates his account Bill.Gates@debian.org, chooses on purpose a weak password (does not matter) and then has been in contact with evil@hacker.org, who managed to get the password.
In case Bill Gates would obtain developer status, I wouldn't wonder if he would open source his password to any hacker around.
But seriously, no FUD: how do they work to trust their developers?
I can't imagine I'm writing a little tiny app, knock on the Debian door and they would open it. This is user trust policy.
How did he get root from shelling in as a user?
I was under the impression that exploits are patched as soon as they are discovered.
I'd hope a Debian developer machine wouldn't allow any kind of known exploit.
To clarify, I was being completely serious.
;-)
I've often thought of developing a script to dictionary all of my more uncommonly used passwords, but I usually have no problem remembering them.
The days that I do struggle to remember are usually my more sluggish days and I'm usually lazing around in bed or something anyway.
How I remember them is I generate one long string, 25+ characters. From there I eliminate characters until it resembles a word/phrase [or random word sequence -- it doesn't necessarily have to make sense as a sentence/phrase]. Then I practice typing it in a few times and I usually get it. If I struggle with it, I will go back through the process again until I find something I can remember.
Here's an example random string: UcgcDis07PtuFO19MilARdAcVdyA
I would eliminate characters until I read it as: UgcDi07PuFO19MilARdAc -- u-GC [as in university-GC] Di07 [makes me think of die-007] Puffo 19 Milar [I think of Miller Beer] dAc [duck? -- but "gangsta" style?]
No. That's not one of my passwords... just an example.