Are Mini-Distributions without password secure?

I have a very stupid question about the passwords in mini-distributions.
Please don't laugh at me, I'm like Forrest Gump ...
Ok, I wanna know if mini-distributions (like Tinycore Linux,
MicroLinux) are secure. I mean, often they have no password login at
start; instead you type in:
    <no password>

and you have full access to the system. But how does it look from the
other side, the internet? Can a hacker see from outside that I'm
logged in as root without a password, and in the worst case, can he do the
same? IMHO a telnet server must be running on the machine, without password;
but I'm not sure.

Thank you in advance.

Re: Are Mini-Distributions without password secure?

Nobody can tell whether you supplied a password or not.  But, if the
minidistro is running a telnetd or sshd, an attacker could simply try to
log in as root with no password.  So yes, if it's visible on the internet
then it's vulnerable.

Of course, if it's a CD-based distro, the attacker can't permanently
modify anything.  But he can still use your machine for bouncing a
remote attack, or as an SMTP relay, or other nefarious purposes, so you
wouldn't want to leave it in this state.

You should be able to modify root's password once you log in using
passwd.  It won't survive a reboot in a CD-based distro, but at least it
will be less vulnerable.


(try just my userid to email me)
see X- headers for PGP signature information

Re: Are Mini-Distributions without password secure?


a) No sensible minidistro maintainer would enable vulnerable services by
default. They would get pilloried in the blogs.
b) It is possible to enable something like sshd and disallow root logins, or
disallow logins with password altogether.

So there are lots of ways to use a minidistro that allows passwordless local
access on the Internet while minimizing your exposure to attacks.
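
An added example, not part of the posts above: a small Python audit for the two conditions the replies describe, an account with an empty password and an sshd that accepts root or empty-password logins. The function names and sample file contents are constructed for illustration; only global sshd_config options are resolved, and parsing stops at the first Match block.

```python
# Added example. Sample inputs are constructed; on a real system read
# /etc/shadow and /etc/ssh/sshd_config (both need root).

# Current OpenSSH defaults for options the file does not set.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

def empty_password_accounts(shadow_text):
    """Accounts whose shadow password field is empty (no password needed)."""
    fields = (line.split(":") for line in shadow_text.splitlines())
    return [f[0] for f in fields if len(f) >= 2 and f[0] and f[1] == ""]

def effective_sshd(config_text):
    """Global sshd options: keywords are case-insensitive, first value wins."""
    opts = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break  # conditional Match blocks are not evaluated here
        if len(parts) > 1:
            opts.setdefault(key, parts[1].lower())
    return {**SSHD_DEFAULTS, **opts}

def audit(shadow_text, config_text):
    """Return findings for passwordless accounts and risky sshd settings."""
    empty = empty_password_accounts(shadow_text)
    ssh = effective_sshd(config_text)
    findings = [f"{name}: empty password field" for name in empty]
    if ssh["passwordauthentication"] == "yes":
        if ssh["permitemptypasswords"] == "yes" and empty:
            findings.append("sshd accepts empty passwords: " + ", ".join(empty))
        if ssh["permitrootlogin"] == "yes":
            findings.append("sshd allows root login by password")
    return findings

SAMPLE_SHADOW = "root::15000:0:99999:7:::\ntc:$6$constructed$hash:15000:0:99999:7:::\n"
WEAK_SSHD = "PermitRootLogin yes\nPermitEmptyPasswords yes\nPermitRootLogin no\n"
HARDENED_SSHD = "PermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW, WEAK_SSHD):
        print(finding)
```

With the constructed weak inputs it reports three findings; with `HARDENED_SSHD` only the local empty root password remains, which is the case the reply describes: passwordless local access with no matching remote login path.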

Re: Are Mini-Distributions without password secure?

On Nov 8, 6:19 pm, Lawrence D'Oliveiro <l...@geek-central.gen.new_zealand> wrote:
Laurence? People get pilloried in the blogs all the time, and there
are plenty of incompetent people who whip up mini distributions for
particular uses, such as for testing utilities. This is not a reliable

Quite, quite true.

For example, there are FTP daemons that allow restricted 'anonymous'
access, but control it reasonably tightly. Unfortunately, there are
also plenty of idiots who say "d00dz, you have to trust the machine
you're working on!!!!" and then rely on locally stored passwords
stored in clear text. (Subversion storing HTTPS passwords, and
Subversion's 'svnserve' protocol storing the list of passwords in
cleartext come to mind.)
