root


Polanski
07-10-2007, 10:31 PM
To whom it may concern,

I would like to know how to set up my root passwd for a macbook pro laptop? I have already made my account and a passwd for that account. A root passwd is not there and therefore means that ssh is not running. How do I get ssh to start running?

WhiteKnight
07-11-2007, 12:32 AM
Originally posted by Polanski:
A root passwd is not there and therefore means that ssh is not running.

What has the root password got to do with ssh running?
In the Sharing preference pane, under Services, enable Remote Login (OS 10.0.1 and up, I think); this will allow remote login via ssh.

BTW this doesn't seem to have anything to do with Linux.

saikee
07-11-2007, 03:37 AM
It may sound strange but in some Linux distros, especially one of the most popular families, a root account is not set up during an installation. In such a case an ordinary user is expected to survive by prefixing the root-privileged commands with "sudo".

It is possible to change the existing root password by command
sudo passwd
and enter the root password twice of your own choice.

You can see if this is successful or not by typing
su
if the Linux accepts the password you could be in root immediately.

I am not sure if this is a once-only deliberate arrangement or just a bug. It just sounds strange that an ordinary user can change the password.

webwolf
07-12-2007, 02:01 AM
Originally posted by saikee:
I am not sure if this is a once-only deliberate arrangement or just a bug. It just sounds strange that an ordinary user can change the password.

That's not entirely true. That user must be in the admin group for that to be the case, and sudo <whatever> requires (at first) the entry of the user password.

So changing the root password with sudo passwd is permanent and "re-activates" the root account, which was deliberately disabled by (for example) the Ubuntu developers for security and stability reasons. It is important to note that when doing admin tasks with sudo, sudo must be prefixed to every command that requires root rights.

saikee
07-12-2007, 03:41 AM
webwolf,

Do you not consider it a bit funny that a distro

(1) Has no root password set up in the installation so the user has no root access.

(2) Has no root login with Desktop (I suppose being Debian it has to follow its tradition, except this can be altered in gdm.conf)

(3) Actively encourages a user to use sudo for any system-related command.

Could allow a user to change the password for the root user account?

I don't see a future in Ubuntu if root access is permanently denied from the user who installs it and so the above arrangement is necessary but a bit weird.

WhiteKnight
07-12-2007, 08:17 AM
AFAIK Ubuntu 6.06 allows you to sudo passwd and afterwards use su or login as root. I have yet to try it with 7.04.

Ubuntu handles things requiring superuser with sudo, gksudo and the likes, but it asks for ur user password, that user has to be in some kind of admin or wheel group i think, instead. Kind of like how OSX does things.

It seems like Ubuntu is deliberately discouraging users from logging as root.

PS yes.. i do find the sudo prefix extremely irritating...

saikee
07-12-2007, 10:31 AM
The thing is one learns a set of basic skills in Linux and then he/she should be able to survive in any other distro.

The sudo can be a brick wall if you try it on another distro which can respond like

"user not in the sudo files, this activity will be reported!".

I even once got myself into argument in a forum because the users there thought typing "su" to get root user privilege is illegal in Ubuntu.

Every distro I come across can offer (or can be made to offer) root privileges if "su" is typed at a terminal and then followed by a valid root password. That includes every member of the Ubuntu family (or Debian itself), regardless of whether it uses Gnome, KDE or Xfce.

I use sudo in the Ubuntu family but hop into su if I lose patience.

I also edited gdm.conf so that I can log in as root to the desktop whenever I wish to, but in normal usage I find it a lot more secure to work as an ordinary user.

Polanski
07-12-2007, 05:33 PM
So I use sudo to make a root account on my macbook pro laptop? Is there another way to make a root account or passwd on the macbook pro laptop other than sudo?

bwkaz
07-12-2007, 07:09 PM
Regarding sudo:

Well, when I'm working on my brother's laptop (running Ubuntu 6.06, soon to be upgraded to 7.04), I just use "sudo bash" to get to a root shell (what I would use "su" for on my normal system, except I have him type in his password, instead of typing in the root password). Then I do whatever large group of tasks require root privileges, then I exit the shell.

You don't need to prefix everything with sudo, although it is safer if you're interspersing admin tasks with non-admin tasks. But I don't do that. ;)

Polanski, regarding your question: I'm not sure. I suspect that if you use sudo on OSX to run stuff as root, then you'd be able to "sudo passwd root" and assign a password. I'm not sure whether that would enable logging in as root directly, though it may be worth a try.

irlandes
07-12-2007, 07:51 PM
There is a script file that must be edited to allow log-in as root, at least in Ubuntu 6.10 for Intel using KDE. I am not sure about gnome.

/etc/kde/kdm/kdmrc file must be edited. This can require some dinking around with su or sudo, to access an editor (vi or even kwrite) to edit a file that user cannot access.

Find AllowRootLogin=false in that file, if it is there in your system, and change that to =true

If it isn't there, you would need to add it.

Be aware that Linux folks have a cult view of logging in as root. It is viewed as noticeably worse than serial rape or murder.

Logging in as root does reduce security, especially online, so it is no better than in Win. But many of the other reasons stated are simply not true, and those who tell you how bad it is usually admit they have never done it. Beam me up, Scotty...

I logged in as root for two years when I was a newbie, and had absolutely no problems. It was hard enough to learn Linux in those days, without spending many hours to accomplish a minor task w/o logging in as root.

The minute I install a distro which does not let me do it, I fix it. The day I get a distro that can't be fixed, is the day I dump that distro. The day no distro allows me to do it, is the day I stop using Linux.

In January, I installed Ubuntu 6.10 on a new machine, and immediately fixed it so I can log in as root. I have not yet done it, nearly 6 months later. Linux is supposed to be about choice, and I choose to have a machine which lets me do it if I wish -- even if I don't need it once a year.

However, logging in as root is something mostly needed by newbies, and as you learn Linux, you will eventually not need to do it.

Also, if you work as an admin, some employers will fire you for doing it.

Note, also, that I am referring only to logging in as root on a computer you own. I am convinced, as wrong as many of the beliefs are about the hazards of root, if the computer belongs to someone else you have a fiduciary responsibility to avoid it, even if the extra security is minimal.

saikee
07-12-2007, 08:50 PM
One edits gdm.conf to use root in a Gnome desktop.

It is true that newbies need root access to GUI to survive but I do say

The maturity of a Linux user can be seen by how much he/she needs to be in root

Much of the security in Linux is attached to logging in as an ordinary user; the root file system is secure and safe from outside attack because the user doesn't own it and can't see it, let alone spread the infection into it.

Polanski
07-12-2007, 08:56 PM
If I enable the ssh to run will it affect the security of the operating system? Maybe if I go onto the internet can someone log in and spread a virus on my computer?

webwolf
07-14-2007, 05:25 AM
Originally posted by saikee:
webwolf,

Do you not consider it a bit funny that a distro

(1) Has no root password set up in the installation so the user has no root access.

(2) Has no root login with Desktop (I suppose being Debian it has to follow its tradition, except this can be altered in gdm.conf)

(3) Actively encourages a user to use sudo for any system-related command.

Could allow a user to change the password for the root user account?

I don't see a future in Ubuntu if root access is permanently denied from the user who installs it and so the above arrangement is necessary but a bit weird.

In fact I did find that weird, but as I said

1.) The user is not denied root access. The user must only belong to the Admin group and can then use sudo. For a longer root session the user CAN enter "sudo su" to become root.

2.) Most newbies will not be using sudo from the command line, but will instead be using gksu (without even knowing it) to do such things as installing/removing software, adding/removing users (that, normally, will NOT belong to the Admin group)

3.) Logging in as root into any GUI Desktop environment is discouraged by MOST distributions

4.) "normal" users can NOT change the root password, they must be in the Admin group to use sudo. Therefore admin rights are given to admins, not normal users.

I also must admit however I did find the arrangement weird at first and it took getting used to.

As a side note, since the topic had to do with ssh....

Only an admin with a few too many holes in his head would allow ssh connections by root. It is much better and safer to require ssh logins by unprivileged users who can then gain root privileges by using su or su -

Satanic Atheist
07-15-2007, 10:15 PM
Originally posted by webwolf:
Only an admin with a few too many holes in his head would allow ssh connections by root. It is much better and safer to require ssh logins by unprivileged users who can then gain root privileges by using su or su -

<Just putting on my flame-retardant suit>

What about using RSA keys to secure SSH? I use it on my machines and then disable password logins so that I can just do ssh whatever_machine and it'll let me straight in. Surely, I COULD enable root logins and set it up so I could log in straight as root and I'd be more secure than if I'd used passwords.

I suppose the one account that's "guaranteed" on a *nix system is the root account and it's the one that's frequently attacked (especially with the SSH port open).

I agree that logging into a GUI as root is a silly idea for many reasons, but, I have to admit to logging into the command prompt directly as root. A lot of the work I do on my machines is administration and testing that simply cannot be done as a normal user. I do not allow root login on SSH, even for non-Internet connected machines, but I HATE the sudo command. It's so irritating having to type it every time you want to do more than just play around in your home directory.

The other annoyance, though, is forgetting you're root and doing something and realising the file or directory's permissions are wrong and you have to go and change them... but that's the price of power, I suppose.

BTW, I've never stuffed a machine up yet by playing as root in the command prompt - I just appreciate the power and danger it poses. This is why I won't log into KDE or Gnome (or whatever) as root. You just don't know what the system is doing behind your back.

James

webwolf
07-17-2007, 02:41 AM
My usual way to do an ssh login is to log in as an unprivileged user, then su -
But then my server is running Debian, NOT Ubuntu. Ubuntu is running on my main box where my wife mainly works, and when I have admin tasks to do on that box I run sudo su (to avoid typing sudo for every admin command). My notebook has 4 different distros installed, and I'm building an extra LFS on that so we won't even get into that.

My main point is root's power can have a high price, therefore I avoid it where I can, and reduce an attacker's chance of gaining it at every possibility.

WhiteKnight
07-18-2007, 10:01 AM
this thread looks seriously off wat the thread starter is asking..

so.. back on topic...
Originally posted by Polanski:
If I enable the ssh to run will it affect the security of the operating system? Maybe if I go onto the internet can someone log in and spread a virus on my computer?

ur system is as secure as ur passwords. i would suggest disabling root login via ssh as well. you could even bind ssh on non-standard ports so that only you know which port to connect to
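
Added example (not part of any post in this thread): a small Python check of an sshd_config for the points raised in the posts above, namely root login over ssh, password versus key logins, and the listening port. The two sample configs are constructed, and the values used for keywords a file does not set are assumed to be the defaults of current OpenSSH.

```python
# Added example; WEAK and HARDENED are constructed sample configs.
WEAK = """\
# constructed sample
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""
HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
# Assumed defaults (current OpenSSH) for keywords the file does not set.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def effective_settings(text):
    """Global section only: sshd uses the first value it sees per keyword."""
    settings, ports, has_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":          # everything after this line is conditional
            has_match = True
            break
        if key == "port":           # Port may be given several times
            ports.append(value)
        else:
            settings.setdefault(key, value.lower())
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings, ports or ["22"], has_match

def audit(text):
    """Return (findings, ports) for the settings discussed in the thread."""
    settings, ports, has_match = effective_settings(text)
    findings = []
    root = settings["permitrootlogin"]
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in directly, password included")
    elif root in ("prohibit-password", "without-password"):
        findings.append("PermitRootLogin %s: root can still log in with a key" % root)
    if settings["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: logins are only as strong as the passwords")
    if settings["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: key-based login is unavailable")
    if has_match:
        findings.append("Match block present: review its overrides separately")
    return findings, ports

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg))
```

In WEAK the second PermitRootLogin line has no effect because the first value wins, so a later "no" does not undo an earlier "yes".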

Bryon Speede
07-26-2007, 12:32 PM
Any time you have an open port on a server you are lessening security by some amount. That being said, ssh is generally a low risk service to run.
As has been stated, you can configure ssh to use secure key authentication instead of passwords. There are some things to be aware of if you set the server up this way. First RSA has been cracked and is considered insecure. Use DSA keys instead. Second, unless the computer you are connecting from is secure, place a passphrase on your private key on that computer. That will prevent the keys on that computer from making any connections at all unless the proper passphrase is given.

Satanic Atheist
07-26-2007, 02:50 PM
Originally posted by Bryon Speede:
First RSA has been cracked and is considered insecure. Use DSA keys instead.
Would you mind confirming these details? I think RSA is quite secure and DSA is very insecure.

James

bwkaz
07-26-2007, 06:52 PM
First, let me echo Satanic Atheist -- I was not aware that RSA was broken. Certain implementations of RSA, and RSA when using certain parameters, yes. But not RSA itself, when implemented properly. (I also don't think that DSA is any more or less secure, but I don't know that for sure.)

But second:

Originally posted by Bryon Speede:
Second, unless the computer you are connecting from is secure, place a passphrase on your private key on that computer. That will prevent the keys on that computer from making any connections at all unless the proper passphrase is given.

This is true; a passphrase will be required before the private key can be used.

However, if the computer you're connecting from is insecure, then how do you know that the admin (who isn't you, otherwise the machine would be secure ;)) didn't install a keylogger, and isn't capturing your passphrase?

See, for instance, this: http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html

:)

(That's not to say that passphrases are useless. Just that they aren't always enough: you also have to avoid typing the passphrase from a compromised host.)

Satanic Atheist
07-26-2007, 09:29 PM
Thanks, bwkaz, for confirming my findings. It was only this morning that I was looking up PuTTYgen so that I can remote access my server from my phone and I was warned that DSA is inherently insecure so I was advised to use RSA instead.

I use RSA cryptography keys on my server (which is the end-point for my NAT'ed router for the SSH port - 22) and ONLY myself can log in and ONLY from my laptop. My laptop is secured with a fully encrypted hard drive (AES256 v3 ciphers).

I don't think RSA is all that strong, cryptographically, but it doesn't have any major weaknesses. The amount of time it would take to break (not to mention that I use DenyHosts as well) makes it generally out of the question to break a small home-user based server where there's not a lot to gain.

James

Bryon Speede
08-24-2007, 01:50 PM
Is DSA secure:
http://www.rsa.com/rsalabs/node.asp?id=2240
http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
DSA is, at present, considered to be secure with 1024-bit keys.
OTOH notice:
Some researchers warned about the existence of "trapdoor" primes in DSA, which could enable a key to be easily broken. These trapdoor primes are relatively rare and easily avoided if proper key-generation procedures are followed.

Is RSA secure: (from wikipedia)
http://en.wikipedia.org/wiki/RSA
RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
OTOH, pay attention to the section titled: "Padding Schemes"

Apparently I was using outdated information. Old versions of RSA implementations had security problems as did DSA implementations. Once again, the error in both schemes is one of implementation, not of design.

And as far as the untrusted machines, the angle I was going with specifically was if your laptop were stolen or similar circumstances. If your admin is out to get you you are toast anyway. :)

infiniphunk
08-25-2007, 02:01 AM
Lots of people don't seem to like to do things with sudo, and prefer to su to root to get things done. I can barely imagine why someone needs to log in to a GUI session (Gnome or KDE for example) to do something. Personally I don't find using sudo a problem at all, and ubuntu have it implemented so that I rarely encounter problems. I think I've used sudo passwd a few times tho, just to be able to su to root.
If you really want to muck around with that sort of stuff, look at visudo, and there's lots of stuff there for you to set up how you want to privilege your user - which it should be said, brings us to a VERY important question.
Whose computer is it? If it's yours, and yours to do with as you wish, then the assumption is that the dude installing ubuntu has the right to do stuff as admin. The admin then knows to enable a root password if need be. This user of course then decides what others can do with it and whatnot.
But yeah, otherwise don't log in as root through ssh, jeez.
Try this out for fun, those of you who haven't:
Install OpenBSD on a machine (or two) and look at the steps you'll go through to lock down a little server so that you can use ssh securely. It's actually not that hard!
Of course, always be very careful where you are ssh'ing from!!!!

bwkaz
08-25-2007, 09:24 AM
Originally posted by Bryon Speede:
Once again, the error in both schemes is one of implementation, not of design.

OK, that's what I suspected. :)

Originally posted by Bryon Speede:
And as far as the untrusted machines, the angle I was going with specifically was if your laptop were stolen or similar circumstances.

Ah, OK. Yes, it will help if your laptop (or its disk, or your desktop's disk) is ever stolen. OTOH, if it's stolen by the NSA, you're probably hosed anyway. :p

Originally posted by Bryon Speede:
If your admin is out to get you you are toast anyway. :)

True. There are also a few other cases where the admin isn't specifically out to get you, where passphrases could still be stolen: untrusted public-use machines at e.g. a library, or an Internet cafe, for instance.

Or double-ssh, where you ssh to a semi-public machine (e.g. a department server at a university, which is shared by other students) and then ssh from there to a third machine. Depending on who admins the semi-public machine, and how competent they are, the ssh binary on that machine may have been compromised, and may be leaking users' credentials out to some attacker (including the decrypted private key or the typed-in password or passphrase, but not a private key forwarded by a key agent like ssh-agent or Pageant).

On that last point, though: Root on the semi-public machine can of course always get access to your ssh-agent-forwarded credentials (because the connection to the agent is done through a socket in /tmp). But hopefully the root account itself is secure. (OTOH, if the ssh binary has been replaced, then the root account is likely not secure...)

And yes, all of these possibilities are probably fairly remote. But it doesn't hurt to at least consider them for a bit. :)

littleb2005
08-25-2007, 05:30 PM
to answer the op question

http://docs.info.apple.com/article.html?artnum=106290 that should help

none the less remember the consequences of running as root user, apple disabled it for a reason

as someone said, because you were on a mac it was not Linux related

there are mac forums where you may be able get help from expert mac users

http://forums.macrumors.com/

type mac forums in Google u get plenty there