For those of you that simply download the
ISO, burn it and boot it, the quick answer to
this question is: "You get to set/choose the password for the
root
user each time you boot the Network Security Toolkit
CD." After doing so you will be able to log
in as root
with the password that you
specified.
For those of you that simply download the VMware virtual
image and boot it the quick answer to this question is:
"nst2003
" (this should be documented in the
README.txt
file).
Addressing the issue of the default password for the
root
user has been time consuming. This
sounds like such a simple problem, but has caused Ron and I
headaches in coming up with a proper balance between security
and convenience. Here are some of the issues we need to deal
with:
There are people who use the Network Security Toolkit to learn about both network security and the Linux operating system. These people may inadvertantly boot up a Network Security Toolkit probe connected to the Internet without running the nstpasswd command to reset the default password. While this may be convenient, it leads to an insecure system which others could easily gain access to.
Some Network Security Toolkit probe systems do not have keyboards or displays attached (this is actually our targeted platform for a running Network Security Toolkit probe). This makes running the nstpasswd command inconvenient as one will either need to connect a serial terminal or make a network ssh connection in order to change the passwords.
Those who build their own ISO image from the source can set a custom password so that their Network Security Toolkit probe will be secure at boot time. This will be inconvenient (as building a Network Security Toolkit ISO image from scratch takes a considerable amount of time and effort).
Sometimes, one might choose one of the boot options
(like mbase
) which doesn't load in the
utilities of the CD. In this situation,
we can't run the nstpasswd command as all
of the files that need to be updated have not yet been
loaded into RAM. However, in this
situation, the network functionality of the Network Security Toolkit system is
not running, so the system is still secure at this point (as
long as someone doesn't have physical access to the system,
they can't make use of it).
We want to provide a ISO image that is
easy for everyone to burn and use, but at the same time we don't
like the idea of thousands of Network Security Toolkit probes being connected to
the Internet with open access for anyone who knows to log in as
root
with a single known password.
So, starting with release 1.0.5
of the
Network Security Toolkit, we've decided that we will force the running of the
nstpasswd command for everyone who simply
downloads the ISO image, burns it and boots
it. This will add some inconvenience, but will enforce a better
form of security than simply "hoping" that everyone remembers to
run nstpasswd.
We only force you to set the password if you select one
of the boot options that loads the utilities off of the
CD. If you select the
mbase
option at the boot screen, we will
not force you to set a new password and fall back to the
default of nst2003
(or
nst@2003
for versions prior to
1.4.2
) for the root
user. A system booted in this fashion is secure as network
functions are not enabled.
This will be inconvenient for those that want to use a system which doesn't have a keyboard or display (its awfully tough to type in a new password without a keyboard).
We have found that it is possible for us to modify the contents of a ISO image prior to burning a CD. So, with each new release, we will provide a nstisopasswd-2.11.0.bash script which you can use to set the password in the ISO image.
If you use the
nstisopasswd-2.11.0.bash script on the
nst-2.11.0.iso
file and then burn it to
a CD, you won't be forced to set the password
each time you boot the CD and your Network Security Toolkit
probe will be secure at boot time.
You should be able to find the nstisopasswd-VERSION.bash script near the top of the manifest associated with your version of the NST. You can find links to the manifests for the current releases on the left hand side of the NST home page (http://www.networksecuritytoolkit.org/).