There’s no longer any point to cracking the root password

When I first got serial port access to my Circle, I grabbed the /etc/shadow file and started running “John The Ripper” to attempt to crack the root password (it’s been running for 47 days).  The hope was that I could crack the password, making it easier for others to get into their Circle devices (without requiring a serial port).

Well, I just installed the latest firmware from Circle, and found that they have changed to using key-based ssh login instead of password.  In the process, they’ve removed the root password (so you can’t login as root anymore, unless you have their private ssh key).

The new /mnt/shares/usr/bin/startcircle script has the following line:

[ -f $DIR/scripts/authorized_keys ] && { diff $DIR/scripts/authorized_keys /etc/dropbear/authorized_keys > /dev/null || { cp -f $DIR/scripts/authorized_keys /etc/dropbear/authorized_keys; sed -i -e 's/root:[^:]*:/root:*:/g' /etc/shadow; } }

The above line copies an ssh ‘authorized_keys’ file from /mnt/shares/usr/bin/scripts to /etc/dropbear.  It also removes the password for the user ‘root’ in ‘/etc/shadow’.

The new ‘/etc/dropbear/authorized_keys’ has one entry for Circle’s key:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuIaD23ac41XZp5AcSSOunHXHYN38dF2YX+rmb0QT4zxKFnccl6BpzoxGb604rPc4eQ477glWyM4D/jTIyaKqmA7P1iVMym8v5nSXH6haSc/KrzV5EizmalXd4+eoK8ddSgpoci0P9oul3yiWtvccwN5WQ5H/DZhyYvdM73kKnYh3JUllx8JnGi1Qa0nhNGfrhIqaApTc/AyIAFR9I8wtp5KR98xRH5u/hEm1IMB5lo7yS6yJUcupIctnW/C2qUOD7WtWzZvJtgAmmhh+A1XLU42PruPtTfQ2EAHUmNJ+xVssUl3N2cIhvCt1sm5o8DymttOS4xot6Ni06UZ/LK/iKw== tzhang@gateway

It’s not possible to brute-force an ssh RSA key, and it’s no longer possible to login as ‘root’ with a password, so there’s no longer any point to continue the password cracking process.

No worries, though – we can still get in without a serial port or the root password.  I’ll post details on modifying a firmware update image to add a new user (with root privileges) soon.





Leave a Reply