How to require bootup password for Puppy 5?

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#21 Post by Pizzasgood »

You don't actually have to start over completely to encrypt an existing save file. I'll write you a guide for encrypting your save file tomorrow evening when I get done with work.

It isn't a very hard process. You basically just boot with pfix=ram, run some commands to create a new encrypted save file (without messing around with rebooting), mount both the new one and the old one, and then copy everything from the old one into the new encrypted one (just one command will copy it all). Then you delete the old one, reboot without saving, and Puppy will automatically use the new one.

I'll write up step by step directions tomorrow evening that you can mostly just copy and paste.



As for your question above, to change the root password you open a terminal (click on the desktop icon named "console" that looks like a computer monitor (or a DOS window in older versions of Puppy), OR you can go to Start->Utilities->URxvt (or something like that)) and type passwd, then press enter. It will ask you to type the password. Unlike most things, it won't give you any feedback as you type - not even *****s. Don't worry, it really is working. It's just trying to hide the length of your password from shoulder-surfers. Just type the password and press enter. Then you'll have to do it again. If you don't make any typos, it will change your password. Otherwise it will yell at you.

But that's just the root password, and does nothing to encrypt your data.
Last edited by Pizzasgood on Thu 03 Jun 2010, 03:35, edited 1 time in total.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#22 Post by Pizzasgood »

Boot Puppy using pfix=ram (if you don't know how, it's pretty simple: insert the Puppy CD and boot up. When the boot process pauses so that you can provide input, type 'puppy pfix=ram' (without quotes) and press enter.)

Next, mount the USB drive if it isn't already. You can do this by clicking the relevant icon along the bottom of the desktop. It will mount the partition and pop up a filemanager window, allowing you to verify that it was the right one. Keep that window open.

If you don't have enough free space on the USB drive for another file of the same size as your current unencrypted savefile, you will need to mount another partition (see above) and move the unencrypted savefile onto it. Moving the file is done by simply dragging and dropping it between windows. A menu will appear offering the option to copy, move, or link. Choose move.

Either way, you'll want to rename the file slightly so that Puppy doesn't try to boot it anymore (we won't delete it until after we verify that the encrypted version works, and we don't want Puppy confused meanwhile). Right-click the file and go to "File '<filename>' -> Rename". Name it something like "savefilebackup.2fs", but make sure you leave the file extension (the .2fs or .3fs) the same as what it is now.

Next, open a terminal window on the USB partition. The easy way is by opening a filemanager window there and pressing the backquote key (on US keyboards, it's on the same key as tilde, above Tab and below Esc) or by right-clicking within said window and going to the "Window -> Terminal Here" entry.

In that terminal, run the following to load the modules you'll need for encryption support:

Code:

modprobe cryptoloop
modprobe aes_generic
modprobe cbc

Create a file to turn into the new encrypted save file. You will have to tell it how large to make it in megabytes. For this example, I used 128.

Code:

dd if=/dev/zero of=lupusave_crypta.2fs bs=1M count=128

Run the following to find the name of a free loopback device. It will give you something like "/dev/loop1" or "/dev/loop2", etc. For this example, I will be using /dev/loop1. You should use whatever losetup-FULL tells you to use.

Code:

losetup-FULL -f

Now we will bind the file to the loopback device you identified above, using encryption. Run the following command, substituting the correct loopback device. It will ask you for the password to use. Type it and press enter.

Code:

losetup-FULL -e aes /dev/loop1 lupusave_crypta.2fs

Next we need to format the file so that it can be used as a filesystem image:

Code:

mke2fs -q -m 0 /dev/loop1

Good, now we can mount the loopback device as though it were a normal filesystem. Do so with the following:

Code:

mount -o loop /dev/loop1 /mnt/data

Now if you look in /mnt/data, you'll be looking inside the new encrypted lupusave_crypta.2fs file. Next, mount your old unencrypted file. The easy way to do that is to track it down in the file manager and click on it. A window will pop up inside it. You can open a new terminal in that window and spare yourself having to type out a long path by pressing the backquote key (on US keyboards, it's on the same key as tilde, above Tab and below Esc) or by right-clicking within the window and going to the "Window -> Terminal Here" entry. If you run the command 'pwd' you can verify that you're inside the file (it will be a funky path like /mnt/+initrd+mnt+dev_ro2+500+lupusave.2fs). Once you have verified that the current directory is inside the old save file, run the following command to copy everything out of it into the new encrypted one (might take a while to finish):

Code:

cp -a * /mnt/data

Now we can start unmounting everything. Let's do the encrypted file first. Make sure no windows or terminals are open within the encrypted savefile's mountpoint, and then run the following commands:

Code:

umount /mnt/data
losetup -d /dev/loop1

Next we'll unmount the old savefile. As before, close any windows or terminals that are inside that directory. You could then run the umount command, giving it the path, but if you mounted it by clicking like I advised above, you can unmount it by clicking as well.

Okay, now for the test. Reboot without making a new file. When Puppy boots it should pick up the encrypted file and prompt you for the password. When it finishes booting, you should be in what looks like your original Puppy. But everything is transparently being encrypted for you. If stuff is missing or it didn't prompt for a password, something went wrong. Otherwise, you can safely discard your old unencrypted file now.


Have fun, and remember that only things that would be saved within the save file are encrypted. If you save something directly to the drive (such as via /mnt/home/) it won't be encrypted. Also, keep in mind that encryption doesn't help you if you walk away from the computer while the system is running. It only helps you when it's shut down. And you are still susceptible to Van Eck Phreaking, among other really wacky attack vectors (picking up EMF from the keyboard, for example, or gleaning data from the RAM or swap files/partitions, etc.). None of this is a concern if you're only hiding from random punks. But if your enemies consist of large companies or governments or would-be alien overlords, you'll need to employ a higher level of paranoia. ;)
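A check to run after the cp -a step in post #22 and before unmounting, as an added example that is not part of the original post: it compares the old save file's tree with /mnt/data, so anything the copy missed shows up before the old file is discarded (the shell's * does not match top-level names that begin with a dot). The function names and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes sha256sum, find,
# sort, diff and mktemp exist (md5sum could stand in for sha256sum).

# manifest DIR: print one sorted line per entry under DIR.
# Files carry a SHA-256, symlinks carry their target, other types only a tag.
# lost+found is skipped. Names containing newlines are not supported.
manifest() {
    (
        cd "$1" || exit 1
        find . -mindepth 1 ! -path './lost+found' ! -path './lost+found/*' |
        LC_ALL=C sort |
        while IFS= read -r p; do
            if [ -L "$p" ]; then
                printf 'l %s -> %s\n' "$p" "$(readlink "$p")"
            elif [ -f "$p" ]; then
                printf 'f %s %s\n' "$p" "$(sha256sum < "$p" | cut -d' ' -f1)"
            elif [ -d "$p" ]; then
                printf 'd %s\n' "$p"
            else
                printf 'o %s\n' "$p"
            fi
        done
    )
}

# verify_copy OLD NEW: return 0 if both trees list identically, 1 otherwise.
# In the diff output, "<" lines exist only in OLD and ">" lines only in NEW.
verify_copy() {
    old_list=$(mktemp) || return 2
    new_list=$(mktemp) || return 2
    manifest "$1" > "$old_list"
    manifest "$2" > "$new_list"
    if diff "$old_list" "$new_list"; then rc=0; else rc=1; fi
    rm -f "$old_list" "$new_list"
    return "$rc"
}

# Usage: sh verify_copy.sh <old-save-mountpoint> /mnt/data
if [ "$#" -eq 2 ]; then
    verify_copy "$1" "$2" && echo "trees match"
fi
```

Any line printed with a leading "<" is something present in the old save file that did not reach the encrypted one; copy it across and run the check again before deleting the old file.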

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#23 Post by Pizzasgood »

When I say to run something in a terminal, I mean to type it into the terminal window (or paste it) and then press the enter key.

In case you don't know how to paste code into a terminal window (ctrl-c doesn't paste in a terminal), read this thread:
http://www.murga-linux.com/puppy/viewtopic.php?p=259471

If you have any questions, ask. I realize the above post seems a bit technical if you haven't done this kind of stuff before.

technosaurus
Posts: 4853
Joined: Mon 19 May 2008, 01:24
Location: Blue Springs, MO

#24 Post by technosaurus »

The easy way:

Just add this to your /root/.xinitrc before rox is called (or before jwm is called if you want to allow kiosk style access without jwm)

Code:

[ "`Xdialog --stdout --password --inputbox "Please enter your password" 0 0`" != "woofwoof" ] && exit
#replace woofwoof with your password


...of course you could get more technical and obfuscate the password by using shc and compiling it into a binary
Check out my [url=https://github.com/technosaurus]github repositories[/url]. I may eventually get around to updating my [url=http://bashismal.blogspot.com]blogspot[/url].
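A variant of the check in post #24 that keeps a salted, iterated SHA-256 of the password on disk instead of the password itself, as an added example that is not technosaurus's code. The function names, the record path /root/.xgate and the round count are assumptions, and sha256sum is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Stores "salt:hash" rather than the
# plaintext password, so reading the startup script does not reveal it.

ROUNDS=${ROUNDS:-1000}   # assumed work factor; each round runs sha256sum once

# stretch SALT PASSWORD: print the iterated, salted hash as hex.
stretch() {
    h=$(printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1)
    i=1
    while [ "$i" -lt "$ROUNDS" ]; do
        h=$(printf '%s:%s' "$1" "$h" | sha256sum | cut -d' ' -f1)
        i=$((i + 1))
    done
    printf '%s\n' "$h"
}

# make_record PASSWORD: print a fresh "salt:hash" record for storage.
make_record() {
    salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s\n' "$salt" "$(stretch "$salt" "$1")"
}

# check_password RECORD PASSWORD: return 0 only if PASSWORD matches RECORD.
check_password() {
    salt=${1%%:*}
    want=${1#*:}
    [ "$(stretch "$salt" "$2")" = "$want" ]
}

# One-time setup (hypothetical path), run as root:
#   make_record 'your password' > /root/.xgate && chmod 600 /root/.xgate
# In /root/.xinitrc, after sourcing this file:
#   check_password "$(cat /root/.xgate)" \
#     "`Xdialog --stdout --password --inputbox "Please enter your password" 0 0`" || exit
```

As with the original one-liner, this only gates the X session; it does not encrypt anything in the save file.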

technosaurus
Posts: 4853
Joined: Mon 19 May 2008, 01:24
Location: Blue Springs, MO

#25 Post by technosaurus »

Here is a basic template for a desktop selector:

Code:

exec `Xdialog --no-tags --item-help --no-close --title "Puppy Desktop Selector" --no-cancel --stdout --icon mini-desktop.xpm --password --radiolist "Please select your desktop" 0 0 0 jwm jwm 0 "Ultra-light window manager with rox desktop" icewm-session icewm 0 "Another light window manager" lxde-session lxde 0 "Light-weight gtk2 desktop environment" e16 enlightenment 0 "Alternative desktop environment" xfce-session xfce 0 "Middle-weight full gtk2 desktop environment" gnome-session gnome 0 "Heavy-weight full gtk2 desktop environment" kde3-session kde3 0 "Qt3 based full desktop environment" kde4-session kde4 0 "Qt4 based full desktop environment"`

Really each selection should be in its own variable such as
[ "`which jwm`" != "" ] && JWM="jwm jwm 0 \"Ultra-light window manager with rox desktop\""
#<executable> <name> <status> <mouse-over-text>

and then
#[ ! -f /etc/windowmanager ] && <--- this will make it go to the default if the file exists
#delete /etc/windowmanager to make the menu come up
[ ! -f /etc/windowmanager ] && exec `Xdialog --no-tags --item-help --no-close --title "Puppy Desktop Selector" --no-cancel --stdout --icon mini-desktop.xpm --password --radiolist "Please select your desktop" 0 0 0 $JWM $ICE $E16 $LXDE $XFCE $GNOME $KDE3 $KDE4`

etcetera and so forth since I am just guessing at the startup commands, but it is a basic template to build on

bremer
Posts: 71
Joined: Wed 25 Feb 2009, 15:59

#26 Post by bremer »

How to change the password on an already encrypted pupsave?

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#27 Post by jamesbond »

Not that I know of. You need to create a new encrypted pupsave file (with the new password), and then mount it, and copy your data over, and delete the old pupsave file on next reboot.

Perhaps someone will create a script with GUI for this?
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
