HOW-TO: Reset Root Password (addendum)

It can happen to me.. to you.. or to one of your clients, where a machine will have to be worked on but the root password is somehow lost or forgotten. Pretty basic you might think, but you might be faced with this hurdle sooner than you think.

The above statements might already sound familiar to you. It is mentioned in the post tackling how to reset a forgotten root password. Still in the x86 realm, let us discuss how to reset the root password using a rescue CD (or DVD, if one exists).

As always, the best advice to give is: Do not panic. If the host has an optical drive, a good option is to use a rescue CD to reset the root password.

Reboot the host and set the BIOS to boot from the CD-ROM drive, save the settings and exit the BIOS. Make sure that the rescue disc is in the drive as well.

Once the host is up, mount the root partition of the host. Then edit the shadow file and leave root with a blank password.
# mount /dev/sda1 /mnt
# vi /mnt/etc/shadow

.. before:
root:$2a$10$Gw/SYEjxGEXnZESeW07sb.XdWB9VxDAnXC3SRUtpSwitb6EzkDwS.:14145::::::

.. after:
root::14145::::::


On some systems this works, and when you log in as root you will not be prompted for a password at all. So the best thing to do is set a root password as soon as the system reboots.
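A check for the state this edit leaves behind, as an added example that is not part of the original post: it reports, per account in a shadow file, whether the password field is empty, locked or hashed, so a blank root entry is not forgotten after the reboot. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of every account in a shadow file.
# Run it from the rescue shell as:  sh thisfile /mnt/etc/shadow

# shadow_report FILE -> prints "account:status", one line per account
shadow_report() {
    awk -F: '
        /^#/ || NF == 0 { next }                       # skip comments and blank lines
        NF < 2          { print $1 ":malformed"; next }
        $2 == ""        { print $1 ":EMPTY"; next }    # no password needed to log in
        $2 ~ /^[!*]/    { print $1 ":locked"; next }   # password login disabled
        substr($2, 1, 1) == "$" {
            rest = substr($2, 2); n = index(rest, "$")
            if (n > 1) { print $1 ":hash-" substr(rest, 1, n - 1); next }
        }
        { print $1 ":other" }                          # no $id$ prefix, e.g. legacy DES crypt
    ' "$1"
}

# empty_accounts FILE -> prints only the accounts with an empty password field
empty_accounts() {
    shadow_report "$1" | awk -F: '$2 == "EMPTY" { print $1 }'
}

# sample_shadow -> constructed sample content (the hash is a placeholder, not real)
sample_shadow() {
    cat <<'EOF'
root::14145::::::
daemon:*:14145::::::
user:$2a$10$CONSTRUCTED.HASH.FOR.THIS.EXAMPLE.ONLY:14145:0:99999:7:::
backup:!:14145::::::
EOF
}

# Stand-alone use: report on the file given as the first argument.
if [ $# -gt 0 ]; then
    shadow_report "$1"
fi
```

Any account listed by `empty_accounts` can log in without a password until one is set with passwd.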

Another recommendation after mounting the root partition is to chroot to the mount point.
# mount /dev/sda1 /mnt
# chroot /mnt /bin/bash
# passwd
Changing password for root
New password:
Reenter New Password:
#


However, this does not always work. One of the errors encountered looks like the message below:
# passwd
Changing password for root
New password:
Reenter New Password:
Cannot open /dev/urandom for reading: No such file or directory
Cannot create salt for blowfish crypt
Error: Password NOT changed.
passwd: Authentication token manipulation error


The above happens because the special file /dev/urandom (which is created at boot-up) does not exist in the chrooted environment. You may create the file using other binaries large enough to generate entropy for the crypt algorithms. Even a plain text file will do.
(execute this in the chrooted environment still)
# cp /etc/default/passwd /dev/urandom
# passwd
Changing password for root
New password:
Reenter New Password:
Password changed.
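With the workaround above the salt is read from a fixed file, so it is predictable, and a regular file named urandom stays behind in the /dev directory on the disk. The added example below (not part of the original post) checks what sits at dev/urandom under the mounted root and shows the alternative of creating the real device node there; the function names are made up for this example, and /mnt is the mount point used above.

```shell
#!/bin/sh
# Added example. Run from the rescue shell, outside the chroot.
# ROOT is the mounted root partition, e.g. /mnt.

# urandom_state ROOT -> prints chardev | regular | missing | other
urandom_state() {
    node="$1/dev/urandom"
    if   [ -c "$node" ]; then echo chardev
    elif [ -f "$node" ]; then echo regular      # leftover of "cp <file> /dev/urandom"
    elif [ ! -e "$node" ]; then echo missing
    else echo other
    fi
}

# provide_urandom ROOT -> make a real urandom device visible inside ROOT.
# Needs root privileges. On Linux, urandom is a character device with
# major number 1 and minor number 9.
# Alternative: mount --bind /dev "$ROOT/dev" before running chroot.
provide_urandom() {
    case "$(urandom_state "$1")" in
        chardev) return 0 ;;                    # already a real device, nothing to do
        regular) rm -f "$1/dev/urandom" ;;      # drop the static stand-in file
        other)   echo "unexpected file type at $1/dev/urandom" >&2; return 1 ;;
    esac
    mknod -m 666 "$1/dev/urandom" c 1 9
}

# Stand-alone use: print the state for the root given as the first argument.
if [ $# -gt 0 ]; then
    urandom_state "$1"
fi
```

After `provide_urandom /mnt`, passwd inside the chroot draws its salt from the kernel's random source instead of a copied file.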


There you go. Two more ways to reset a forgotten root password. But with a rescue CD this time. If your distribution does not have a rescue CD, the first CD (or CD#1, the bootable CD) can be used instead. Boot to single-user or select rescue mode if available.


HOW-TO: Reset a Forgotten Root Password

It can happen to me.. to you.. or to one of your clients, where a machine will have to be worked on but the root password is somehow lost or forgotten. Pretty basic you might think, but you might be faced with this hurdle sooner than you think.

With the number of hosts to administer, the burgeoning problem of recalling passwords escalates. Discipline would entail putting passwords in a vault. But then again, human error factors in and this quick step was skipped. There are a number of different reasons to point to, but when faced with this scenario, what can one do?

Traditional wisdom will beckon you to reboot and go to the single-user mode. Let us discuss first how this is done.

In LILO, pass the parameter "single":
LILO: linux single


In GRUB, at the boot screen select the kernel and press "e" (to edit the entry) and select the second line containing the word kernel. Press "e" again to edit the line and append "single" to that line:
grub edit> kernel /boot/vmlinuz-x.x.x-x root=/dev/sda1 ro single


On many flavors of Linux, the system will happily present you with a root shell to do your thing and change the root password. However, not all will happily oblige, and some still ask for the root password:
Give the root password for maintenance
(or type Control-D for normal startup):


When this happens, it is again back to square one. However, all is not lost. You may try to use a live CD (the steps to which we will discuss in another post). Assuming the host does not have an optical drive, try the procedure below.

A word of WARNING before proceeding. If you want to experiment on this, try it out on a development box or a virtual machine first. As a rule of thumb, when working on a production machine, have another pair of eyes on board.

Try passing the parameter "init=/bin/bash" instead of "single". What then does this do? It instructs the Linux kernel to execute the shell bash (/bin/bash) instead of executing init. It does not give you much to work with, as the services/daemons normally started during startup were not executed, but it does give you a shell where the password can be reset.
LILO: linux init=/bin/bash

.. likewise, in grub:
grub edit> kernel /boot/vmlinuz-x.x.x-x root=/dev/sda1 ro init=/bin/bash


So if you have noticed, you get a root shell right out of boot-up. Unfortunately that is not yet enough to change the root password, as the filesystem is mounted read-only. Remedy this situation first.
# mount -o remount,rw /


Executing the above command will remount the root partition (/) read-write. We can now proceed in changing the root password. Now is the time for proper discipline to kick in and note the new password in the vault.

Once done with the above, DO NOT REBOOT just yet. There are no safeguards in place to properly take the system down and the root partition was mounted read-write. Return it to its original state when it booted up -- a read only root partition.
# mount -o remount,ro /


Now the system can be rebooted or the reset button pressed.


REVIEW: Seagate ST3640323AS 640GB SATA II Hard Drive

Hard drives have become cheaper by the day. Bigger sizes, bigger caches, faster spindles, you name it.. From the perspective of cost, price per gigabyte has gone down and is continuously doing so. It would not be a surprise if another release of a bigger, better hard drive happens in the not so distant future.

We could not just escape the fact that the computer is only as fast as the slowest component. And on the desktop, the hard drive is undoubtedly the performance bottleneck. A RAID set-up might probably remedy the situation but not all desktops implement RAID systems.

Over time, I have had the opportunity to see the improvements of desktop grade drives, each generation gaining improvements over the previous one. Native Command Queuing (or NCQ), the SATA interface, faster spindles, bigger platter densities and parallel recording -- a few examples of the technological features that evolved. And experience tells me the areal density of the drive contributes a lot in its performance. Not only that, the cache also is a major influence.

I have the Seagate ST3640323AS Barracuda 640GB hard disk drive with me to test out. This drive has the second generation SATA interface and has a whopping 32MB of cache. The most outstanding feature of this drive is the 320GB platters used. Only this and the Western Digital Caviar SE16 WD6400AAKS (16MB cache) have this feature.

Please allow me to share my observations on the succession of Seagate Barracuda two-platter hard drives over the past few years. Let me start with the Barracuda ST3320620AS 320GB, with two 160GB platters.


.. the Barracuda ST3500320AS 500GB, with two 250GB platters.


.. and the Barracuda ST3640323AS 640GB, with two 320GB platters.


As seen from the measured averages of the drives, areal density and cache size contribute a lot to the performance of the drives. Each generation carries improvements over the previous.

As both drives feature 32MB caches, the only major difference between the 500GB ST3500320AS and the 640GB ST3640323AS Barracudas is the platter size -- 250GB and 320GB respectively. From this we can see the tremendous impact of increasing areal density of the platter, translating to about 8MB/s increase in transfer rate. In my standard that is a huge boost!

Owning the new generation Barracuda ST3640323AS does have its advantages. Retailing at around $90, it does not disappoint either. It is affordable, fast and widely available.

At 640GB, it has more space for data and archives. Also, the ST3640323AS is backed with a 5yr warranty to add to its rich feature list.

Due to its high access time, it is not very suitable for use as boot disk. Although this impediment can be overcome by its fast transfer speed. Further tweaking, such as fine tuning cluster size and disabling of last access times, can improve performance.

The ST3640323AS will definitely pimp your rig!

Acknowledgments to my good friend Xavier Zulueta for the review of the drives.


FAQ: Workaround to Error Deleting File or Folder

"There’s No Such Thing As A Silly Question" -- does the cliche sound familiar? In this part of pimp-my-rig reloaded, technical questions are answered. Mail them to me and I will post the answers here. If you have a better answer, by all means share it with us.

FAQ: Have you ever tried to delete a folder or file and got prompted with the message "Error Deleting File or Folder"? No matter what you do it seems the file (or folder) could not be deleted. How do you delete the file or folder?

The pop-up window that prompts the error message above may be similar to the one below.


In the example above, I was trying to remove a folder named "Folder". After several retries, it would seem removing the folder is a hopeless case. Searching the internet, the recommendation(s) involve rebooting the machine to free up the locked file handles.

If this is on a production machine, rebooting it would be out of the question. Is there another workaround to such a scenario that does not require a bounce? The answer to this is "yes".

Download (visit website) a utility called "Unlocker". Install the software once download is complete.

Launch Windows Explorer and return to the path containing "Folder". Right click on the folder and choose Unlocker.

It will launch the software and show the applications that are currently accessing it with locks in place so as to prevent deletion. The application window is similar to the one below. As seen, applications msiexec.exe and explorer.exe have locked the path U:\Folder.


Toward the bottom right, change the drop down from "No action" to "Delete" (or "Move" or "Copy", as appropriate). Then highlight the process to unlock and click on the button "Unlock". Similarly, the "Unlock All" button can unlock all of the file handles each process listed has on Folder.

Upon success, Folder will have been deleted and moved to the Recycle Bin. Another window will have opened to notify the success of the operation.


There you go, Folder was deleted without having to bounce the host. Unlocker is a very useful tool to delete files or folders with locked file handles.


FAQ: More Secure Password-less SSH -- Windows to Linux

"There’s No Such Thing As A Silly Question" -- does the cliche sound familiar? In this part of pimp-my-rig reloaded, technical questions are answered. Mail them to me and I will post the answers here. If you have a better answer, by all means share it with us.

The password-less SSH procedure previously posted outlined the establishment of trusted logins from a Windows machine to a _nix machine. The set-up works and is very convenient to implement. However, it comes at the expense of security.

FAQ: Many would agree that an unprotected private key -- a private key with empty passphrase -- is less secure and thus exposes the account to a security threat. Not that this set-up is totally insecure but once the private key is compromised, the account is completely vulnerable as access to it is open. Can we make the set-up more secure then?

Protecting the private key with a passphrase is a very logical thing to do. Not only that, it is highly recommended especially on platforms or systems where security is a major concern. The private key then becomes useless without the passphrase to unlock it.

In order to accomplish this stunt, a similar set of software for the previous Windows to _nix password-less setup is required: putty.exe, puttygen.exe and pscp.exe, with the addition of pageant.exe. The tools mentioned can be downloaded off the author's website. Download the binaries enumerated.

Start off by launching puttygen.exe. This tool will generate the public and private key pairs needed for the password-less setup. This was done previously but this time, protect the private key with a passphrase. Press "Generate" and put a passphrase in the fields where it is required. Then, save the private and public keys.


Open putty.exe. Scroll down to Connection --> Data.. fill in the field "Auto-login username". For this example, the username used is "user" (fill this field with your username).


Scroll up to Session, fill up the necessary fields and save.

Open a command tool and using pscp.exe, copy the public key over to the home directory of user. The public key has to be translated to OpenSSH format, then has to be added to authorized_keys file.
user@host:~ > ssh-keygen -i -f PUBLIC_KEY >> $HOME/.ssh/authorized_keys


Now launch pageant.exe (or PuTTY authentication agent). No window will be opened but instead another icon will appear in the system tray. Right-click on this icon and select "Add Key" (see below).


Browse over to the path where the private key was saved. Key in the passphrase when prompted to do so.


(Skipping the above step will prompt the user for the password. When this happens, use the password to the unix account, not the passphrase to the private key.)

Right-click, again, on the pageant icon in the system tray and choose the session saved earlier in this guide. An ssh login will be initiated with the host without asking for a password.


There you go, a more secure password-less ssh from Windows to your _nix workstation. Access to the saved private key does not compromise security as it requires the passphrase to unlock the key. However, this introduces a dependence on pageant: the passphrase is asked only once, and logins are still password-less.

Pageant will be void of keys each time it is launched. And, consequently, each time the private key is "added" to pageant, the passphrase will be asked to unlock the key.

Compare the password-less implementations and select which is easier, applicable and better suited for your use. Each has its own set of advantages and disadvantages.
