PINE64
Safety issues with numeric login and sudo password - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: PinePhone (https://forum.pine64.org/forumdisplay.php?fid=120)
+--- Forum: General Discussion on PinePhone (https://forum.pine64.org/forumdisplay.php?fid=127)
+--- Thread: Safety issues with numeric login and sudo password (/showthread.php?tid=14347)



Safety issues with numeric login and sudo password - Line - 07-03-2021

I can’t be the only n00b PinePhone-owner who’s not too excited about how my ordinary user can sudo with the PinePhone’s lockscreen PIN-code? This is the case in both Manjaro and Mobian. If one should be the victim of a brute force password attack, even a 16-20 digit numerical password is cracked before you can blink, and the attacker can log in as root with it. A numerical password is also a lot easier to see (few, big buttons) and memorize in an «over the shoulder password attack» than an alphanumerical one with uppercase, lowercase and special characters.

I have actual enemies skilled in «pentesting» (cracking) who have subjected every aspect of my digital life to targeted attacks, often successfully, so my need for device security probably exceeds that of the average internet surfer, but even the typical average user with no personal enemies could get hurt by crackers who have the knowledge of this numerical password issue on Mobian and Manjaro.

I’ve tried several guides found online, for setting privileges and demanding root passwd for sudo, but there aren’t as many n00bs posting these stupid questions about Mobian or ManjaroARM as there are people answering these questions about desktop Ubuntu. Please help! How to fix this on different distros respectively? Removing sudo privileges will permanently lock you out of root on Mobian because the only way to log in as root is sudo -i with the lockscreen PIN code, while on ManjaroARM that might be a solution. Please help!


RE: Safety issues with numeric login and sudo password - dukla2000 - 07-03-2021

Don't use phosh! Try Openbox or LXDE.


RE: Safety issues with numeric login and sudo password - KC9UDX - 07-03-2021

Can't you remove the user from the sudoers file? Or uninstall sudo?


RE: Safety issues with numeric login and sudo password - Line - 07-03-2021

(07-03-2021, 04:00 PM)KC9UDX Wrote: Can't you remove the user from the sudoers file? Or uninstall sudo?
Not on Mobian, because it will permanently lock you out of the root account. On Mobian we need to find a way to set a different password for sudo, or set a user account password different from the screen unlock PIN-code. On Manjaro it might be easier to just disable all sudo privileges, but I haven’t had any luck with either just yet.


RE: Safety issues with numeric login and sudo password - zetabeta - 07-04-2021

(07-03-2021, 11:14 PM)Line Wrote:
(07-03-2021, 04:00 PM)KC9UDX Wrote: Can't you remove the user from the sudoers file? Or uninstall sudo?
Not on Mobian, because it will permanently lock you out of the root account. On Mobian we need to find a way to set a different password for sudo, or set a user account password different from the screen unlock PIN-code. On Manjaro it might be easier to just disable all sudo privileges, but I haven’t had any luck with either just yet.
normally debian and fedora use different passwords for user and root, meaning both are activated. not in mobian though.

short background info: "sudo" gives temporary root user privileges with the user's password. if the root user is activated then "su" gives root user access, but you need to give the root user's password and not the ordinary user's password.

solution might be that you activate root account and you use "su -l" command. how to activate root account ...
Code:
$ sudo su -l
(give user password)
# passwd
(give new password, this will activate root account)

after this you could disable user account in /etc/sudoers (or similar) file. this method may still have serious caveats.

edit: you don't need to edit sudoers file, "deluser mobian sudo" is enough, be careful about that command because typo may mean serious side effects.
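As an added example (not from this thread or from Mobian), the script below audits the exposure the thread describes from copies of /etc/group and /etc/sudoers: whether the user is still in the sudo group (the state "deluser mobian sudo" removes) and whether sudoers carries the standard "Defaults rootpw" flag, which makes sudo ask for root's password instead of the invoking user's. The sample files are constructed inline; the sudoers contents are assumed to resemble a stock Debian layout.

```sh
#!/bin/sh
# Added example, not from the thread: audit a PinePhone user's sudo exposure
# from copies of /etc/group and /etc/sudoers. Sample files are constructed
# below so the script runs offline; pass the real paths to audit a device.

# Is user $1 listed as a member of group $2 in the group file $3?
in_group() {
    members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "$3")
    printf ',%s,' "$members" | grep -qF ",$1,"
}

# Does sudoers file $1 contain an active "Defaults rootpw"? With it, sudo
# prompts for root's password rather than the user's (i.e. the lockscreen PIN).
sudo_asks_root_pw() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*[,[:space:]])?rootpw([,[:space:]]|$)' "$1"
}

# Classify user $1 against group file $2 and sudoers file $3:
# no-sudo, sudo-rootpw, or sudo-userpw (the situation the thread worries about).
audit_user() {
    if ! in_group "$1" sudo "$2"; then
        echo no-sudo
    elif sudo_asks_root_pw "$3"; then
        echo sudo-rootpw
    else
        echo sudo-userpw
    fi
}

# Constructed samples: a stock layout, the group file after "deluser mobian sudo",
# and a sudoers file with rootpw added to the Defaults line.
tmp=$(mktemp -d)
printf 'root:x:0:\nsudo:x:27:mobian\nmobian:x:1000:\n' > "$tmp/group.stock"
printf 'root:x:0:\nsudo:x:27:\nmobian:x:1000:\n' > "$tmp/group.deluser"
printf 'Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%%sudo ALL=(ALL:ALL) ALL\n' > "$tmp/sudoers.stock"
printf 'Defaults env_reset,rootpw\nroot ALL=(ALL:ALL) ALL\n%%sudo ALL=(ALL:ALL) ALL\n' > "$tmp/sudoers.rootpw"

for g in stock deluser; do
    for s in stock rootpw; do
        printf 'group=%s sudoers=%s -> %s\n' "$g" "$s" \
            "$(audit_user mobian "$tmp/group.$g" "$tmp/sudoers.$s")"
    done
done
```

Remember that activating root (as in the post above) is what keeps "rootpw" or "deluser" from locking you out, and that sudoers should only ever be edited through visudo so a syntax error does not break sudo.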


RE: Safety issues with numeric login and sudo password - zetabeta - 07-05-2021

i decided to create a wishlist item and it was sort of already reported.

https://gitlab.com/mobian1/issues/-/issues/334
https://source.puri.sm/Librem5/phosh/-/merge_requests/801

basically, add keyboard button.