fritzmp (Biker Tux, Premium, joined 2001-08-29, Warrenton, VA)
reply to dom6791, Re: Little Known Tips and Tricks...

Security, SSH, PAM and USERS: based on RH, so file locations may vary.
edit /etc/ssh/sshd_config
change
#Protocol 2,1
to just 2
Protocol 2
#uncomment the line
This will keep ssh from falling back to a protocol 1 session, where you can have man-in-the-middle issues.
change
#PermitRootLogin yes
to
PermitRootLogin no
#uncomment the line
Root does not need to login.
save and exit
add your username to the wheel group
usermod -G wheel username
edit /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/pam_wheel.so use_uid
Now you have only the users you want to su -, and no external root logins and shell access; you now have control, somewhat. You do need to trust those you give access.
-- NTFS Killed My Parents. Get Freed. A small band of FreeBSD users are working together in the shadows, observing, honing their skills, building their numbers, and plotting their future.
[text was edited by author 2003-03-04 15:31:22]

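The two sshd_config edits above are easy to get wrong by hand (sshd takes the first occurrence of a keyword, so a stray active line earlier in the file silently wins). The script below is an added example, not code from the thread: it applies "Protocol 2" and "PermitRootLogin no" idempotently and verifies the value that is actually in effect, against a constructed copy of an RH-style default file. It assumes directives are written in the "Keyword value" form, as in that file.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the two sshd_config changes
# from the post above (Protocol 2, PermitRootLogin no) idempotently and verify
# them, so the edit can be re-run and checked before sshd is restarted.
# Assumption: directives are written in the "Keyword value" form, as in the
# RH default file; the "Keyword=value" form is not handled.

# Print the value of the FIRST active (uncommented) line for KEYWORD in FILE.
# sshd honours the first match for a keyword, so this is the value in effect.
get_directive() {  # get_directive FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Remove every existing line for KEYWORD (commented or active) and append one
# active "KEYWORD VALUE" line. Running it twice still leaves exactly one line.
set_directive() {  # set_directive FILE KEYWORD VALUE
    _f=$1; _k=$2; _v=$3
    _t=$(mktemp) || return 1
    # grep -v exits 1 when nothing is left, which is fine for an all-comment file
    grep -iv "^[[:space:]]*#*[[:space:]]*${_k}[[:space:]]" "$_f" > "$_t" || :
    printf '%s %s\n' "$_k" "$_v" >> "$_t"
    cat "$_t" > "$_f" && rm -f "$_t"
}

# 0 when both directives from the post are in effect, 1 otherwise.
check_hardened() {  # check_hardened FILE
    [ "$(get_directive "$1" Protocol)" = "2" ] &&
    [ "$(get_directive "$1" PermitRootLogin)" = "no" ]
}

# Demo on a constructed copy of an RH-style default: both directives present
# only as comments, exactly the state the post starts from.
demo() {
    _cfg=$(mktemp) || return 1
    printf '#Protocol 2,1\n#PermitRootLogin yes\nX11Forwarding no\n' > "$_cfg"
    check_hardened "$_cfg" && echo "already hardened?!"
    set_directive "$_cfg" Protocol 2
    set_directive "$_cfg" PermitRootLogin no
    check_hardened "$_cfg" && echo "hardened:" && cat "$_cfg"
    rm -f "$_cfg"
}
demo
```

Point the functions at the real /etc/ssh/sshd_config only after trying them on a copy, and run OpenSSH's own syntax check, sshd -t, before restarting the daemon; that is the cheap way to avoid the lock-out the thread warns about later.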
severely depressed (@covad.net)

Since you bring up the sshd_config script, I do have a question.
Can you prohibit the login of other users besides root this way? If so, how?
I ask because my leetle old mother, complete with foo-foo dog (pomeranian), insists on simple login passwords. She claims to be feeble minded (-heh-). So I'd like to have remote access for me via 'ssh' and prohibit remote login of all other users on her machine.
TIA

fritzmp (Biker Tux, Premium, joined 2001-08-29, Warrenton, VA)
said by severely depressed:
Since you bring up the sshd_config script, I do have a question.
Can you prohibit the login of other users besides root this way? If so, how?
I ask because my leetle old mother, complete with foo-foo dog (pomeranian), insists on simple login passwords. She claims to be feeble minded (-heh-). So I'd like to have remote access for me via 'ssh' and prohibit remote login of all other users on her machine.
TIA

You can
edit and add to /etc/pam.d/login
auth required /lib/security/pam_listfile.so onerr=succeed item=user sense=deny file=/etc/nologinusers
vi /etc/nologinusers
and add the users you wish to deny access, one per line.
easier and better
edit /etc/security/access.conf and add
-:ALL EXCEPT you_user_or_group:ALL
This is good to use with the previous post above.
PAM is pretty versatile and you can restrict/allow by day, time and location as well as by users and groups.
[text was edited by author 2003-03-05 22:58:03]

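Two things decide whether an access.conf rule like the one above does anything: pam_access.so has to be active in the PAM stack of the service being locked down, and pam_access skips any rule line that does not have exactly three colon-separated fields (permission:users:origins), logging "bad line" and moving on. The script below is an added example, not code from the thread; it runs both checks against a constructed staging directory rather than the live /etc, using the same /lib/security module paths the post uses.

```shell
#!/bin/sh
# Added example, not code from the thread: two checks worth running before
# relying on an /etc/security/access.conf rule like the one above. pam_access
# only consults access.conf when pam_access.so is active in the PAM stack of
# the service being locked down (login, sshd, ...), and it skips any rule line
# that does not have exactly three colon-separated fields,
# "permission:users:origins", so a two-field rule protects nothing.
# Both checks run here against a constructed staging directory, not /etc.

# 0 when an uncommented line of PAMDIR/SERVICE loads pam_access.so.
pam_access_active() {  # pam_access_active PAMDIR SERVICE
    grep -q '^[[:space:]]*[^#[:space:]].*pam_access\.so' "$1/$2" 2>/dev/null
}

# List rule lines of FILE that do not have three fields; 0 if all are well-formed.
access_conf_lint() {  # access_conf_lint FILE
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        NF != 3 { printf "%s:%d: expected 3 fields, got %d: %s\n", FILENAME, NR, NF, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Demo on a constructed staging tree: an RH-style login stack in which the
# pam_access line is still commented out, plus the post's rule written once
# without and once with the origins field.
demo() {
    _d=$(mktemp -d) || return 1
    mkdir "$_d/pam.d"
    printf '%s\n' 'auth       required     /lib/security/pam_securetty.so' \
                  '#account    required     /lib/security/pam_access.so' > "$_d/pam.d/login"
    if pam_access_active "$_d/pam.d" login; then
        echo "pam_access is active for login"
    else
        echo "pam_access NOT active for login: access.conf will be ignored"
    fi
    printf '%s\n' '-:ALL EXCEPT me' '-:ALL EXCEPT me:ALL' > "$_d/access.conf"
    access_conf_lint "$_d/access.conf" || echo "fix the rule(s) listed above"
    rm -rf "$_d"
}
demo
```

Run access_conf_lint on the real file after every edit; a missing third field is exactly the kind of mistake that looks like a working lock-down until someone logs in anyway.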
cwnorris (joined 2000-01-17, Longmont, CO, Mesa Networks)
said by fritzmp:
You can
edit and add to /etc/pam.d/login
easier and better
edit /etc/security/access.conf
This is good to use with the previous post above.

If you don't use PAM or are running a distro that doesn't have /etc/security/access.conf (Slack has neither), you can use the sshd_config to set this:
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

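The AllowUsers rules quoted above are short but have a few corners (wildcards, the USER@HOST split, names only, no list meaning everyone). The script below is an added example, not code from the thread or from OpenSSH: it emulates that matching in plain sh so a candidate list can be tried against sample logins before it goes into the real sshd_config. It assumes HOST is the client address as a plain string, and it does not model DenyUsers, AllowGroups or DenyGroups, which sshd also consults.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: a small emulation of
# the AllowUsers matching rules quoted above (space-separated patterns, * and ?
# wildcards, the USER@HOST form, user names only), so a candidate line can be
# tried against sample logins before it goes into the real sshd_config.
# Assumptions: HOST is the client address as a plain string, and DenyUsers,
# AllowGroups and DenyGroups (which sshd also consults) are not modelled.

# allow_users_match "PATTERN LIST" USER HOST
# 0 when USER connecting from HOST is allowed by the list, 1 when rejected.
# The body runs in a subshell so "set -f" (no pathname expansion of the
# patterns when the list is split) stays local to the function.
allow_users_match() (
    set -f
    _list=$1; _user=$2; _host=$3
    # No AllowUsers line at all means login is allowed for all users.
    [ -n "$_list" ] || return 0
    for _pat in $_list; do
        case $_pat in
            *@*)
                _up=${_pat%%@*}   # user-name part, before the @
                _hp=${_pat#*@}    # host part, after the @
                case $_user in $_up) ;; *) continue ;; esac
                case $_host in $_hp) return 0 ;; esac
                ;;
            *)
                # plain pattern: a user name only; "1000" would match a user
                # literally named 1000, never uid 1000
                case $_user in $_pat) return 0 ;; esac
                ;;
        esac
    done
    return 1
)

# Constructed sample: the list severely depressed wants, where only "me" may
# log in, and only from the home LAN. Four logins are tried against it.
for _try in "me 192.168.1.20" "me 10.9.8.7" "mom 192.168.1.20" "root 192.168.1.20"; do
    set -- $_try
    if allow_users_match "me@192.168.1.*" "$1" "$2"; then _r=allowed; else _r=denied; fi
    echo "$1 from $2: $_r"
done
```

Note that a USER@HOST pattern only restricts the user it names; to keep every other account out, the list must simply not contain them, which is why the sample list has a single entry.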
KE7JFF (SKU CHECK, joined 2001-12-01, Hillsboro, OR)
reply to severely depressed

Having problems with the kernel or hardware? Use this command:
tail /var/log/messages
It shows what's going on with the kernel, as well as some other system activities.

bbrkdub (joined 2001-10-03, Houston, TX, Comcast)
quote:
Having problems with the kernel or hardware? Use this command:
tail /var/log/messages

Don't forget you can watch for data as it's being appended.
# tail -f *logfile*
-- Hope this helps...

rocketspeed (No Tag, Premium, joined 2000-01-24, Murrieta, CA)
reply to fritzmp

Great tip ---
Seems like Mandrake 9 enables root login by default. I have been asked during installation on other installs whether or not to allow root login.
Just don't forget to restart the sshd.
> service sshd restart

seriously depressed (@covad.net)
reply to cwnorris

This was the clue I was looking for. And wonder of wonders, after I read your post, it occurred to me to look at:
# man sshd_config
And I found what you were quoting from.
For some reason, I assumed all the comments in sshd_config were all the documentation there was ...
Doh!
And thank you

sporkme (drop the crantini and move it, sister; Premium, MVM; joined 2000-07-01, Morristown, NJ, Optimum Online)
reply to rocketspeed
said by rocketspeed:
Just don't forget to restart the sshd.
> service sshd restart

Not to dis the Linux distros or anything, but if you want to "grow beyond" the "service blah blah" scripts and restart daemons, there are other ways to do this. Perhaps one day you'll have to work on a system (Linux or otherwise) that does not have a bunch of rc.d scripts.
Many daemons like to put files in "/var/run/". You'll probably find something like "/var/run/sshd.pid". Other daemons may have similarly named files there, i.e. daemonname.pid.
Let's say you want to HUP sshd to have it re-read its config (this will NOT kill your current connection). You can do something like this:
kill -HUP `cat /var/run/sshd.pid`
That results in sending the sshd process a HUP signal. The stuff between the backticks will be executed, so this is the equivalent of "cat'ing" the /var/run/sshd.pid file, reading the result (which is just the process id of the parent sshd process) and then typing "kill -HUP xxx".
To follow on to Steve's xargs madness, let's say you've got some daemon process that is just running away. It's spawning more and more processes and "service blah stop" is not doing anything for you. Here's a cute way to kill all of those processes with the "big hammer":
ps -auxwww | grep "daemonname" | awk '{print $2}' | xargs kill -9
That will seek out all processes running named "daemonname"; awk is snatching the second column that has the pid number, and xargs passes that as an argument to the big hammer called "kill -9". Use that one wisely, or start with a "-1". You can match on anything in the ps output as well, such as a particular username. I use a lot of "w's" with ps in case the program is started with an insanely long path.

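The backtick one-liner above signals whatever number happens to be in the pid file. If the daemon died and the file was left behind, that pid may by now belong to an unrelated process. The helper below is an added example, not code from the thread: it refuses to send the signal unless the file holds one plain number, the process exists, and its command name is the daemon you expect. It assumes a Linux /proc (with ps -o comm= as the fallback) and uses a throwaway sleep process as a stand-in for the daemon in its demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a checked version of
#     kill -HUP `cat /var/run/sshd.pid`
# The one-liner signals whatever number is in the file. This helper refuses
# unless the file holds one plain number, that process exists, and its command
# name is the daemon you expect, so a stale pid file whose number has since
# been reused by an unrelated process is not signalled by mistake.
# Assumption: Linux /proc is available, with "ps -o comm= -p PID" as fallback.

# signal_from_pidfile PIDFILE EXPECTED_COMM [SIGNAL]   (SIGNAL defaults to HUP)
# Returns 0 signalled, 1 unusable pid file, 2 no such process, 3 name mismatch.
signal_from_pidfile() {
    _pf=$1; _want=$2; _sig=${3:-HUP}
    [ -r "$_pf" ] || return 1
    _pid=$(head -n 1 "$_pf" | tr -d '[:space:]')
    case $_pid in
        '' | *[!0-9]*) return 1 ;;          # empty, or not purely numeric
    esac
    kill -0 "$_pid" 2>/dev/null || return 2   # -0 only tests for existence
    if [ -r "/proc/$_pid/comm" ]; then
        _comm=$(cat "/proc/$_pid/comm")
    else
        _comm=$(ps -o comm= -p "$_pid" 2>/dev/null | tr -d ' ')
    fi
    [ "$_comm" = "$_want" ] || return 3
    kill -s "$_sig" "$_pid"
}

# Demo with a constructed pid file pointing at a throwaway "sleep" process
# standing in for the daemon; TERM is sent instead of HUP so that it exits
# and the third call can show the stale-pid-file case.
demo() {
    _pf=$(mktemp) || return 1
    sleep 30 &
    _victim=$!
    printf '%s\n' "$_victim" > "$_pf"
    _rc=0; signal_from_pidfile "$_pf" httpd TERM || _rc=$?
    echo "wrong daemon name -> rc $_rc (nothing signalled)"
    _rc=0; signal_from_pidfile "$_pf" sleep TERM || _rc=$?
    echo "right daemon name -> rc $_rc (signalled)"
    wait "$_victim" 2>/dev/null || :
    _rc=0; signal_from_pidfile "$_pf" sleep TERM || _rc=$?
    echo "stale pid file -> rc $_rc (no such process)"
    rm -f "$_pf"
}
demo
```

For sshd itself the call is signal_from_pidfile /var/run/sshd.pid sshd, which sends HUP by default; the name check is what keeps a reused pid from turning a harmless config reload into a signal to someone else's process.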
Eatmeingreek (Gentard, joined 2001-06-29, San Francisco, CA)
said by sporkme:
ps -auxwww | grep "daemonname" | awk '{print $2}' | xargs kill -9

Not to nitpick, but "-aux" are the correct ps switches for BSDish Unices (sporkme is down with *BSD). For AT&Tish Unices I suggest "-efa". I believe Linux won't choke on "-aux", but I'm pretty sure Solaris will.
-- We must destroy liberty to make the homeland safe for democracy

fritzmp (Biker Tux, Premium, joined 2001-08-29, Warrenton, VA)
reply to cwnorris
said by cwnorris:
said by fritzmp:
You can
edit and add to /etc/pam.d/login
easier and better
edit /etc/security/access.conf
This is good to use with the previous post above.
If you don't use PAM or are running a distro that doesn't have /etc/security/access.conf (Slack has neither), you can use the sshd_config to set this:
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

I was playing around and found that for ssh sessions cwnorris's method is the easiest and safest for no0bs.
NEXT BIG TIP
When working on tightening up authentication and security, have two terminals open, because if you lock yourself out of your box you will then learn about single user login to recover. :)
PAM and login will lock you out at the box, so take heed.

Steve (I'm a PC, so shut up; Consultant; joined 2001-03-10, Yorba Linda, CA)
said by fritzmp:
NEXT BIG TIP
When working on tightening up authentication and security, have two terminals open, because if you lock yourself out of your box you will then learn about single user login to recover. :)
PAM and login will lock you out at the box, so take heed.

Everybody learns this eventually, and the only question is "easy way" or "hard way".

freerock (Premium, joined 2001-05-04, New York, NY)
reply to severely depressed

edit: man I need some sleep
[text was edited by author 2003-03-10 22:55:14]