Safety issues with numeric login and sudo password
#1
I can’t be the only n00b PinePhone-owner who’s not too excited about how my ordinary user can sudo with the PinePhone’s lockscreen PIN-code? This is the case in both Manjaro and Mobian. If one should be the victim of a brute force password attack, even a 16-20 digit numerical password is cracked before you can blink, and the attacker can log in as root with it. A numerical password is also a lot easier to see (few, big buttons) and memorize in an «over the shoulder password attack» than an alphanumerical one with uppercase, lowercase and special characters.

I have actual enemies skilled in «pentesting» (cracking) who have subjected every aspect of my digital life to targeted attacks, often successfully, so my need for device security probably exceeds the average internet surfer, but even the typical average user with no personal enemies could get hurt by crackers who have the knowledge of this numerical password issue on Mobian and Manjaro. 

I’ve tried several guides found online, for setting privileges and demanding root passwd for sudo, but there aren’t as many n00bs posting these stupid questions about Mobian or ManjaroARM as there are people answering these questions about desktop Ubuntu. Please help! How to fix this on different distros respectively? Removing sudo privileges will permanently lock you out of root on Mobian because the only way to log in as root is sudo -i with the lockscreen PIN code, while on ManjaroARM that might be a solution. Please help!
  Reply
#2
Don't use phosh! Try Openbox or LXDE.
  • ROCKPro64 v2.1 2GB, 16Gb eMMC for rootfs, SX8200Pro 512GB NVMe for /home, HDMI video & sound, Bluetooth keyboard & mouse. Arch (6.2 kernel, Openbox desktop) for general purpose daily PC.
  • PinePhone Pro Explorer Edition, daily driver, rk2aw & U-boot on SPI, Arch/SXMO & Arch/phosh on eMMC
  • PinePhone BraveHeart now v1.2b 3/32Gb, Tow-boot with Arch/SXMO on eMMC
  Reply
#3
Can't you remove the user from the sudoers file? Or uninstall sudo?
  Reply
#4
(07-03-2021, 04:00 PM)KC9UDX Wrote: Can't you remove the user from the sudoers file?  Or uninstall sudo?
Not on Mobian, cause it will permanently lock you out of the root account. On Mobian we need to find a way to set a different password for sudo, or set a user account password different from the screen unlock PIN-code. On Manjaro it might be easier to just disable all sudo privileges, but I haven’t had any luck with either just yet.
  Reply
#5
(07-03-2021, 11:14 PM)Line Wrote:
(07-03-2021, 04:00 PM)KC9UDX Wrote: Can't you remove the user from the sudoers file?  Or uninstall sudo?
Not on Mobian, cause it will permanently lock you out of the root account. On Mobian we need to find a way to set a different password for sudo, or set a user account password different from the screen unlock PIN-code. On Manjaro it might be easier to just disable all sudo privileges, but I haven’t had any luck with either just yet.
normally debian and fedora use different passwords for user and root, meaning both are activated. not in mobian though.

short background info: "sudo" gives temporary root user privileges with the user's password. if the root user is activated then "su" gives root user access but you need to give the root user's password and not the ordinary user's password.

solution might be that you activate the root account and use the "su -l" command. how to activate the root account ...
Code:
$ sudo su -l
(give user password)
# passwd
(give new password, this will activate root account)

after this you could disable the user account in the /etc/sudoers (or similar) file. this method may still have serious caveats.

edit: you don't need to edit the sudoers file, "deluser mobian sudo" is enough, be careful about that command because a typo may mean serious side effects.
  Reply
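The lockout risk discussed in this thread, as an added example that is not part of any poster's message: a pre-flight check that confirms root has a usable password before the user is removed from the sudo group. The function names, the file arguments and the sample shadow/group lines are constructed for illustration; on a device the inputs would be /etc/shadow and /etc/group, read as root.

```shell
#!/bin/sh
# Added example: check for lockout risk before running "deluser mobian sudo".
# Files are passed as arguments so the check can also be run on copies.

# Succeeds if root's shadow entry holds a usable hash
# (field 2 is not empty and not locked with a leading ! or *).
root_password_usable() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeeds if user $3 is listed as a member of group $2 in group file $1.
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Prints a verdict for removing user $3 from the sudo group.
# $1 = shadow file, $2 = group file, $3 = user name.
check_drop_sudo() {
    if ! user_in_group "$2" sudo "$3"; then
        echo "nothing-to-do"      # user has no sudo group membership
    elif root_password_usable "$1"; then
        echo "safe"               # "su -l" with the root password still works
    else
        echo "lockout-risk"       # root is locked: set a root password first
    fi
}

# Constructed sample data (not taken from a real device).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:!:18800:0:99999:7:::' > "$d/shadow.locked"
    printf '%s\n' 'root:$6$constructed$hash:18800:0:99999:7:::' > "$d/shadow.set"
    printf '%s\n' 'sudo:x:27:mobian' 'video:x:44:mobian,other' > "$d/group"
    echo "root locked:       $(check_drop_sudo "$d/shadow.locked" "$d/group" mobian)"
    echo "root password set: $(check_drop_sudo "$d/shadow.set" "$d/group" mobian)"
    rm -rf "$d"
}
demo
```

A "lockout-risk" verdict corresponds to the situation described above for Mobian: with root locked and the user out of the sudo group, neither sudo nor su leads to root.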
#6
i decided to create a wishlist item and it was sort of saying reported already.

https://gitlab.com/mobian1/issues/-/issues/334
https://source.puri.sm/Librem5/phosh/-/m...quests/801

basically, add keyboard button.
  Reply

