peehole (n00b) | Joined: 27 Jun 2002 | Posts: 22
Posted: Mon Sep 09, 2002 9:44 pm | Post subject: SSH Users...

Not sure if this is the appropriate forum for this...
I added my underprivileged user to the sshd group (kuser) but he still cannot login? Also, is it better to have xinetd handle the requests for SSH?
Thanks
rac (Bodhisattva) | Joined: 30 May 2002 | Posts: 6553 | Location: Japanifornia
Posted: Mon Sep 09, 2002 9:52 pm | Post subject: Re: SSH Users...

peehole wrote:
> Not sure if this is the appropriate forum for this...

Looks fine to me.

> I added my underprivileged user to the sshd group (kuser)

This should not be necessary.

> but he still cannot login?

Are you sure your user has a login shell? What is the last field of the /etc/passwd entry for him?

> Also, is it better to have xinetd handle the requests for SSH?

I don't think so, and neither does the default Gentoo installation. By default, sshd runs in standalone mode, and xinetd (or any inetd, for that matter) is not needed at all in many Gentoo installations. I have yet to install an inetd on any Gentoo machine.
_________________
For every higher wall, there is a taller ladder
peehole (n00b) | Joined: 27 Jun 2002 | Posts: 22
Posted: Mon Sep 09, 2002 10:03 pm | Post subject: sshd

Thanks..
User did not have a login shell...
What would you suggest for security around sshd?
rac (Bodhisattva) | Joined: 30 May 2002 | Posts: 6553 | Location: Japanifornia
Posted: Mon Sep 09, 2002 10:36 pm | Post subject: Re: sshd

peehole wrote:
> What would you suggest for security around sshd?

Some or all of the following, depending on your situation:
- Use an IP filtering firewall to block access to it from hosts you don't need to access it.
- Use tcpwrappers support (/etc/hosts.allow and /etc/hosts.deny) to further restrict access
- Do not permit root to log in via ssh
- Disable SSH protocol 1
- Disable password authentication, allowing only public key authentication
- Enable privilege separation
_________________
For every higher wall, there is a taller ladder
klieber (Bodhisattva) | Joined: 17 Apr 2002 | Posts: 3657 | Location: San Francisco, CA
Posted: Tue Sep 10, 2002 12:56 am | Post subject: Re: SSH Users...

peehole wrote:
> I added my underprivileged user to the sshd group (kuser) but he still cannot login? Also, is it better to have xinetd handle the requests for SSH?

Unless you specifically add:
to your /etc/ssh/sshd_config file, sshd doesn't look at the sshd group membership since that line isn't in the config file by default. (at least, not on Gentoo)
--kurt
_________________
The problem with political jokes is that they get elected
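An added example (my own, not code from this thread, from Gentoo or from OpenSSH) that turns rac's hardening list and klieber's point about group membership into a shell audit of an sshd_config file. It assumes the OpenSSH keyword names PermitRootLogin, Protocol, PasswordAuthentication, UsePrivilegeSeparation and AllowGroups, and that sshd honours the first occurrence of a keyword; the two sample config files are constructed inline, and "sshd" as the AllowGroups value is an assumption.

```shell
# Added example, not from the thread: audit an sshd_config against the
# settings rac lists, and check whether a group restriction (AllowGroups)
# is configured at all, since sshd ignores group membership otherwise.

# sshd_effective KEY FILE: print the value sshd would use for KEY. sshd
# takes the FIRST occurrence of a keyword (later duplicates are ignored),
# skips comment lines, and matches keywords case-insensitively. Only the
# "Keyword value" form is handled, not "Keyword=value". Prints "unset"
# when the keyword is absent, meaning the compiled-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        !found && tolower($1) == key { print $2; found = 1 }
        END { if (!found) print "unset" }
    ' "$2"
}

# sshd_audit FILE: print one line per setting that is not explicitly
# hardened; the return value is the number of findings (0 means clean).
# Unset keywords are reported too, so the hardening intent is written in
# the file rather than left to whatever this OpenSSH build defaults to.
sshd_audit() {
    f=$1 n=0
    v=$(sshd_effective PermitRootLogin "$f")
    [ "$v" = no ] || { echo "PermitRootLogin=$v (want no)"; n=$((n + 1)); }
    v=$(sshd_effective Protocol "$f")
    [ "$v" = 2 ] || { echo "Protocol=$v (want 2; 1 or 2,1 allows SSH-1)"; n=$((n + 1)); }
    v=$(sshd_effective PasswordAuthentication "$f")
    [ "$v" = no ] || { echo "PasswordAuthentication=$v (want no)"; n=$((n + 1)); }
    v=$(sshd_effective UsePrivilegeSeparation "$f")
    [ "$v" = yes ] || { echo "UsePrivilegeSeparation=$v (want yes)"; n=$((n + 1)); }
    v=$(sshd_effective AllowGroups "$f")
    [ "$v" != unset ] || { echo "AllowGroups unset (group membership is not consulted)"; n=$((n + 1)); }
    return "$n"
}

# Constructed samples: a stock-looking config and one hardened per the thread.
weak=$(mktemp) hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
printf '%s\n' '#PermitRootLogin yes' 'Protocol 2,1' 'PasswordAuthentication yes' > "$weak"
# The duplicate PermitRootLogin line below is ignored: the first value wins.
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PermitRootLogin yes' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'UsePrivilegeSeparation yes' 'AllowGroups sshd' > "$hard"

sshd_audit "$weak" || echo "weak config: $? finding(s)"
sshd_audit "$hard" && echo "hardened config: clean"
```

The firewall and tcpwrappers items on rac's list live outside sshd_config and are not checked here.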
kashani (Advocate) | Joined: 02 Sep 2002 | Posts: 2032 | Location: San Francisco
Posted: Wed Sep 11, 2002 5:31 am | Post subject: Re: SSH Users...

peehole wrote:
> is it better to have xinetd handle the requests for SSH?
> Thanks

Actually it's a really bad idea. sshd will be started each time a user connects and will generate new keys which will cause a few second delay for the passwd prompt. It may not be as dramatic as it was when I made the mistake of doing the same thing using ssh 1.2.x on a Sparc 2. I believe it was almost a minute before I got a prompt.

rac's suggestions covered just about all the security features except two.

1. chroot jail for users
This is a big pain in the ass and will take you some time to get things working well for all users. Unless you're at least an intermediate user/admin I'd stay away from this.

2. scponly shell
This is a special shell for users that only allows them to scp or sftp into their account. There are some problems with this, but it's a nice solution if you don't want users to have login privileges. You can find it by searching for scponly on freshmeat.net.

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
Xor (Tux's lil' helper) | Joined: 07 Jul 2002 | Posts: 144
Posted: Wed Sep 11, 2002 1:02 pm | Post subject: (none)

hi,
Quote:
> 2. scponly shell
> This is a special shell for users that only allows them to scp or sftp into their account. There are some problems with this, but it's a nice solution if you don't want users to have login privileges. You can find it by searching for scponly on freshmeat.net.

cool... do you have first-hand intel about it? Would be nice to have some info (especially the problems you mentioned)
tnx
xor
kashani (Advocate) | Joined: 02 Sep 2002 | Posts: 2032 | Location: San Francisco
Posted: Thu Sep 12, 2002 6:42 am | Post subject: scponly problems

Installation
No problems under gentoo. I think by default it adds a line in your /etc/shells file, but you should double check. Then it's just a matter of setting users to use the scponly shell vs /bin/bash or whatever.

sftp server
I had problems getting sftp to work for users with the scponly shell. The fix was to create a symlink to the sftp-server in the user's path. Something like

    ln -sf /usr/lib/misc/sftp-server /usr/local/bin/sftp-server

security
There were some security issues discovered last month. Apparently a user can modify their environment variables via their local .ssh folder which would allow them to execute code. The fix is to own their home dir to root and create a sub folder owned by the user for the user's use.

Hope that helps.
kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.