From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 22349 invoked from network); 18 Jan 2023 20:52:48 -0000 Received: from minnie.tuhs.org (50.116.15.146) by inbox.vuxu.org with ESMTPUTF8; 18 Jan 2023 20:52:48 -0000 Received: from minnie.tuhs.org (localhost [IPv6:::1]) by minnie.tuhs.org (Postfix) with ESMTP id 743C942425; Thu, 19 Jan 2023 06:52:11 +1000 (AEST) Received: from anduin.eldar.org (anduin.eldar.org [24.106.248.90]) by minnie.tuhs.org (Postfix) with ESMTPS id A661842424 for ; Thu, 19 Jan 2023 06:52:04 +1000 (AEST) Received: from anduin.eldar.org (IDENT:brad@localhost [127.0.0.1]) by anduin.eldar.org (8.16.1/8.13.8) with ESMTPS id 30IKolXC021699 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for ; Wed, 18 Jan 2023 15:50:47 -0500 (EST) Received: (from brad@localhost) by anduin.eldar.org (8.16.1/8.13.8/Submit) id 30IKok6Y004903; Wed, 18 Jan 2023 15:50:46 -0500 (EST) From: Brad Spencer To: tuhs@tuhs.org In-Reply-To: (message from Arno Griffioen via TUHS on Wed, 18 Jan 2023 21:34:26 +0100) Date: Wed, 18 Jan 2023 15:50:46 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.4 (anduin.eldar.org [0.0.0.0]); Wed, 18 Jan 2023 15:50:47 -0500 (EST) Message-ID-Hash: VMV6SLRLQVPP6MZUA6GPW5JSXEM7IQU6 X-Message-ID-Hash: VMV6SLRLQVPP6MZUA6GPW5JSXEM7IQU6 X-MailFrom: brad@anduin.eldar.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tuhs.tuhs.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.6b1 Precedence: list Subject: [TUHS] Re: Maintenance mode on AIX List-Id: The Unix Heritage Society mailing list Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Arno Griffioen via TUHS writes: > On Wed, Jan 18, 2023 at 08:38:40AM -0800, Larry McVoy wrote: >> Someone once told me that if they had physical access to a Unix box, they >> would get root. That has been true forever and it's even more true today, >> pull the root disk, mount it on Linux, drop your ssh keys in there or add >> a no password root or setuid a shell, whatever, if you can put your hands >> on it, you can get in. > > Until a few years ago, I would definitely agree. Done that regularly > in the past. (and worked on lots of network gear too...) > > However.. > > Nowadays with a little effort you can make a bootable Linux machine that > uses either a passphrase or some external key/dongle/fingerprint/etc. > to unlock an encrypted root fs and additional filesystems. > > If you don't have those credentials, then it's going to be pretty tricky to > access as you simply can't even access any of the encrypted filesystems to > start with. > > Yes, you could probably get the initrd booted with a root shell and > then wipe the machine/disk to then do what you want, but the original > install is getting pretty hard to jump into with boot tricks these days. > > Bye, Arno. Yes++ ... I did something simular with NetBSD a few years ago. I booted a removable drive that asked for the passphrase to decrypt the real root filesystem.. the drive was removed and stored separately from the laptop when at rest. Today, I don't even need a removable drive any more, a ramdisk is attached to the kernel and unpacks itself upon boot and that asks for the passphrase. The root filesystem itself is more or less completely encrypted. Not quite full end to end, but very close. All you could really do is destroy the system, which may be good enough for some, but getting the information off of the encrypted filesystem would be hard. -- Brad Spencer - brad@anduin.eldar.org - KC8VKS - http://anduin.eldar.org