I just had a peek at the anaconda source for Fedora 21. Apparently you can
waive the password strength tests (and the non-ASCII tests) by simply
clicking "Done" twice.

    def _checkPasswordASCII(self, inputcheck):
        """Set an error message if the password contains non-ASCII characters.

        Like the password strength check, this check can be bypassed by
        pressing Done twice.
        """

Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382

DealMax Pty Ltd
Suite 1416
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer." -- IBM maintenance manual, 1925

On 5 February 2015 at 09:16, Lamar Owen <lowen@xxxxxxxx> wrote:
> On 02/04/2015 04:55 PM, Warren Young wrote:
>>
>> Unless you have misconfigured your system, anyone who can copy /etc/shadow
>> already has root privileges. They don’t need to crack your passwords now.
>> You’re already boned.
>
>
> Not exactly.
>
> There have been remotely exploitable vulnerabilities where an arbitrary file
> could be read (not written), but otherwise root access wasn't given by the
> exploit; that is, no shellcode per se. If you can somehow (buffer overflow
> shellcode or something similar) get, say, httpd to return a copy of
> /etc/shadow in a GET request, well, you don't have root, but you do have the
> hashed passwords. It doesn't take an interactive root session, and may not
> even leave a trace of the activity depending upon the particular bug being
> exploited.
>
> Now, I have seen this happen, on a system in the wild, where the very first
> thing the attacker did was grab a copy of /etc/shadow, even with an
> interactive reverse shell and root access being had. So even when you
> recover your system from the compromise you have the risk of all those
> passwords being known, and unfortunately people have a habit of using the
> same password on more than one system.
>
> Further, lists of usernames and passwords have market value.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos