Hello! I have recently installed parrot with live encrypted persistence and noticed some things that really did not sit well with me.
- sudo never asks for a password.
- user gets auto logged in once persistence decryption key is entered.
- trying to change the default user password gets reverted back to
toor
after a reboot.
Looked around and figured I would put all these in a single place so hopefully posting this here will help some chungerinos.
What version of Parrot are you running? (include version (e.g. 4.6), edition(e.g. Home//KDE/OVA, etc.), and architecture (currently we only support amd64)
This was done on amd64 4.6 KDE Security Parrot.
What method did you use to install Parrot? (Debian Standard / Debian GTK / parrot-experimental)
No install. Live USB persistence.
Configured to multiboot with other systems? (yes / no)
Other systems present but should not be an issue.
DISCLAIMER: I AM NOT RESPONSIBLE FOR ANY LOSS OF DATA BECAUSE OF THIS. BE CAREFUL WHAT YOU ARE DOING. Nitty Gritty time. Let’s do this:
- Tweak one: Changing the default user password and forcing it to persist between reboots.
- first change your password as usual, for the “user” account:
sudo passwd user
- next we check the new hash in
/etc/shadow
for the user account. We will need that for later. The hash you need is located on a line that looks something like this:
user:$6$PtWnsklR3S3LJjl5$kAVM92f99/.jgjKO/bWb1YZ24gFNpEoNJEM0fPpr2KgwhT8VIf3w58VGQxNFwZdkVcXinM0oI9yKiug1pZPlI0:42069:0:13337:7:::
In this example the password is FortifiedChungus
. The hash you need to copy is $6$v92uhfeyhB$kAVM92f99/.jgjKO/bWb1YZ24gFNpEoNJEM0fPpr2KgwhT8VIf3w58VGQxNFwZdkVcXinM0oI9yKiug1pZPlI0
. So ONLY what is between the colons. Your hash will differ according to what password you chose.
3. Go to: /lib/live/config
4. Edit 0031-user-password
as superuser. Make sure you copied the hash from /etc/shadow
.
5. Replace the hash you see in single-quotes with your new hash, save and close.
Congrats. If you’ve done everything correctly, your new password will now persist between reboots.
-
Tweak two: Force
sudo
to ask for a password. WARNING: BE CAREFUL WHAT YOU DO HERE. IF YOU FUCK THIS UP, YOU CAN LEAVE YOURSELF WITHOUT SUPERUSER PRIVILEDGES AND THEN YOU MUST RESCUE YOUR SYSTEM.
- Change directory to
/etc/sudoers.d
. - Look for a file called
live
in the current folder. Do not edit anything with your usual text editor. Do this instead:sudo visudo live
. - Replace the contents with this line, exactly:
user ALL=(ALL:ALL) ALL
- Save and exit.
Congratulations, if all is well, sudo will now ask for your password from now on. If something went wrong, I hope you did not lose superuser priviledges and good luck rescuing your system.
- Tweak three: Prevent being automatically logged into your system after booting. (only applies to graphical and not virtual consoles.)
- Change directory to
/etc/lightdm
. - Edit the file
lightdm.conf
as superuser. - Uncomment
greeter-show-manual-login=false
and set it totrue
. - Change
autologin-user=user
toautologin-user=
-
autologin-user-timeout=0
should be uncommented. -
autologin-in-background=false
should be uncommented. - Save and exit.
Congratulations. If all is well, you should now be asked for a password to log into your system every time after booting. Unfortunately this does NOT work for virtual console (tty1, tty2, etc), I have not been able to figure out a way to prevent those automatic logins.
That’s all I got for you. If anyone more skilled can please tell me if there are better ways to go about doing these or if doing all this is not advised, I would appreciate feedback.
If anyone knows how to disable automatic logins in tty1, tty2, etc, please reply to this thread and I will edit it in.