Re: ssh and root logins
Russell Coker [EMAIL PROTECTED] wrote: Ideally we would be able to specify a list of acceptable IP addresses for each account, both in a central file and in per-user config files. It would be really great if someone would write code to do this! It is already possible to specify such a list in a system-wide configuration file (sshd_config): | AllowUsers | [...] | If the pattern takes the form [EMAIL PROTECTED] then USER and | HOST are separately checked, restricting logins to | particular users from particular hosts. sshd_config(5) And when using keypair authentication, ordinary users can restrict the hosts their keys may be used from as well: | AUTHORIZED_KEYS FILE FORMAT | [...] | from=pattern-list | Specifies that in addition to RSA authentication, the | canonical name of the remote host must be present in the | comma-separated list of patterns sshd(8) Paul -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
On Tue, 10 Aug 2004 20:52, Dale E Martin [EMAIL PROTECTED] wrote: I've noticed a fair number of attempted root logins on my various boxes Same here. Also attempted logins to test, admin, and some other accounts. over the last few weeks. I don't know if there is a new ssh vulnerability (that thus far appears to be ineffective with my config) or if they are attempting one of the old ones... It appears to be just password guessing. Anyways, I would like to disable password logins for root on several of my boxes but allow root to come in from known IPs and with known ssh keys. Is there a way to disable password logins for root in sshd_config or root/.ssh/config, while leaving password logins intact for regular users? Ideally we would be able to specify a list of acceptable IP addresses for each account, both in a central file and in per-user config files. It would be really great if someone would write code to do this! Of course this wouldn't necessarily cover you against a bug in sshd... -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
I've noticed a fair number of attempted root logins on my various boxes i only have 1 important box yet i'm getting the same thing also. by the way, won't leaving only console in /etc/securetty disallow remote root logins? i did it and my box still accepts remote root logins. any ideas why? shannon __ Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! http://promotions.yahoo.com/new_mail -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
by the way, won't leaving only console in /etc/securetty disallow remote root logins? i did it and my box still accepts remote root logins. any ideas why? I don't know why that doesn't work but if you want to totally disable ssh login for root put PermitRootLogin no in /etc/ssh/sshd_config. Later, Dale -- Dale E. Martin, Clifton Labs, Inc. Senior Computer Engineer [EMAIL PROTECTED] http://www.cliftonlabs.com pgp key available -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
On Tuesday 10 August 2004 10:52, Dale E Martin wrote: Anyways, I would like to disable password logins for root on several of my boxes but allow root to come in from known IPs and with known ssh keys. Is there a way to disable password logins for root in sshd_config or root/.ssh/config, while leaving password logins intact for regular users? Would it work to disable all ssh password logins and only allow logins with the proper private key? I find this most secure--no more worries about password cracks (I just have to worry about the physical security of the USB key on my keychain). Regards, Mark -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
Dale E Martin wrote: Anyways, I would like to disable password logins for root /etc/ssh/sshd_config: PermitRootLogin no You will have to login as ordinary user, and than do su -. Use tcpwrappers to limit users and IP addresses: /etc/hosts.allow: sshd: [EMAIL PROTECTED] but it works only if sshd is compiled with libwrap.so.0, or if it is controlled by inetd (see intetd.conf, or xinetd.conf). If you use standalone ssh daemon, try ldd /usr/sbin/sshd If there is no libwrap, you will have to compile source code with this flag: --with-libwrap Hope it helps. Aco Dmitrovic University Computing Centre Zagreb Croatia -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
On August 10, 2004 08:30 am, Shannon R. wrote: i only have 1 important box yet i'm getting the same thing also. by the way, won't leaving only console in /etc/securetty disallow remote root logins? i did it and my box still accepts remote root logins. any ideas why? Because ssh doesn't refer to that file. You can probably make it check the file by adding something like auth requisite pam_securetty.so to /etc/pam.d/ssh (note that's completely untested so don't try it remotely of course). If you do try it let us know how it works out. -- Fraser Campbell [EMAIL PROTECTED] http://www.wehave.net/ Georgetown, Ontario, Canada Debian GNU/Linux -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
/etc/ssh/sshd_config: PermitRootLogin no You will have to login as ordinary user, and than do su -. That's not so convenient for doing nightly rsync backups over ssh though. I know what keys to expect coming in for this - hence the question about disallowing password login for root, but still allowing root login with known keys. Use tcpwrappers to limit users and IP addresses: /etc/hosts.allow: sshd: [EMAIL PROTECTED] Currently I have not seen attacks on normal user accounts and don't feel the tradeoff of limiting normal users (who are all trusted in my case) is worth the hassle. Obviously this might not be true any more in the future. Thanks, Dale -- Dale E. Martin, Clifton Labs, Inc. Senior Computer Engineer [EMAIL PROTECTED] http://www.cliftonlabs.com pgp key available -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
Would it work to disable all ssh password logins and only allow logins with the proper private key? I'm not sure, I'd have to check with my Windows users who do CVS checkouts via ssh and see if their clients would support that. I suppose it might work. I'd still like to see a way to specify on a per-account basis or at least see root as a special case. I find this most secure--no more worries about password cracks (I just have to worry about the physical security of the USB key on my keychain). As Russell mentioned, you also have to worry about client security - physical as well as password security of your user's accounts if they're coming in on machines that allow password login, etc... But in general it might be a better way to go. I'll mull it over. Thanks, Dale -- Dale E. Martin, Clifton Labs, Inc. Senior Computer Engineer [EMAIL PROTECTED] http://www.cliftonlabs.com pgp key available -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
Hey Mark! Are you looking for PermitRootLogin without-password instead of PermitRootLogin yes in /etc/ssh/sshd_config ? Mark Bucciarelli wrote: On Tuesday 10 August 2004 10:52, Dale E Martin wrote: Anyways, I would like to disable password logins for root on several of my boxes but allow root to come in from known IPs and with known ssh keys. Is there a way to disable password logins for root in sshd_config or root/.ssh/config, while leaving password logins intact for regular users? Would it work to disable all ssh password logins and only allow logins with the proper private key? I find this most secure--no more worries about password cracks (I just have to worry about the physical security of the USB key on my keychain). Regards, Mark -- Andreas John net-lab GmbH Luisenstrasse 30b 63067 Offenbach Tel: +49 69 85700331 http://www.net-lab.net -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
Well, hows about the following (straight from man sshd_config)... Doh! (Slapping forehead!) PermitRootLogin without-password Which basically means allow root to login, but with key exchange only. Funky, innit. I read the mangpage nad I noted the forced-commands-only, somehow I did not see without-password. Well there ya go! RTFM as usual. Thanks, that's exactly what I was looking for! Dale -- Dale E. Martin, Clifton Labs, Inc. Senior Computer Engineer [EMAIL PROTECTED] http://www.cliftonlabs.com pgp key available -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
Russell Coker wrote: On Tue, 10 Aug 2004 20:52, Dale E Martin [EMAIL PROTECTED] wrote: I've noticed a fair number of attempted root logins on my various boxes Same here. Also attempted logins to test, admin, and some other accounts. ^ ^ ^ ^ ^ ^ ^ ^^ Uh man, I should re-think my strategy in hacking linux boxen! :-) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
On Tue, Aug 10, 2004 at 09:38:16AM -0400, Dale E Martin wrote: Would it work to disable all ssh password logins and only allow logins with the proper private key? I'm not sure, I'd have to check with my Windows users who do CVS checkouts via ssh and see if their clients would support that. I suppose it might work. I'd still like to see a way to specify on a per-account basis or at least see root as a special case. Well, hows about the following (straight from man sshd_config)... PermitRootLogin without-password Which basically means allow root to login, but with key exchange only. Funky, innit. Cheers, Brett Parker. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
On Tue, Aug 10, 2004 at 09:31:38AM -0400, Dale E Martin wrote: PermitRootLogin no You will have to login as ordinary user, and than do su -. That's not so convenient for doing nightly rsync backups over ssh though. I know what keys to expect coming in for this - hence the question about disallowing password login for root, but still allowing root login with known keys. PermitRootLogin without-password lets you use ssh keys to login as root, but not passwords. If you have an ssh key lying about without a passphrase, who's sole purpose is for backups, you may want to do the following in your authorized_keys file (all on one line): from=10.20.30.40,command=/usr/local/sbin/ssh_command_allow_rsync,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa .insert actual key here== backup_key where 10.20.30.40 is the IP that backups will be originating from. The script /usr/local/sbin/ssh_command_allow_rsync is something like: #!/bin/sh # When used as the 'command' option in an authorized_keys file, this script # permits only rsync backups to occur. case $SSH_ORIGINAL_COMMAND in rsync\ --server\ --sender\ *) logger -p auth.notice rsync/ssh backup: $SSH_ORIGINAL_COMMAND exec $SSH_ORIGINAL_COMMAND ;; *) logger -p auth.alert unexpected use of backup key: $SSH_ORIGINAL_COMMAND ;; esac echo Sorry, that command is not allowed. 12 exit 1 This lets the backup key *only* run rsync in server mode. I /believe/ this means that (short of finding a buffer overflow in rsync) logins with this ssh key will only be able to read files, and not be able to change anything. Though if anybody can find any flaws in this scheme, I'd like to know :) Bernard. -- Bernard Blackham bernard at blackham dot com dot au -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh and root logins
This one time, at band camp, Bernard Blackham said: This lets the backup key *only* run rsync in server mode. I /believe/ this means that (short of finding a buffer overflow in rsync) logins with this ssh key will only be able to read files, and not be able to change anything. Though if anybody can find any flaws in this scheme, I'd like to know :) As is kind of obvious, if I can compromise that key, I can do rsync -e ssh --delete /some/empty/dir [EMAIL PROTECTED]:/ or something, which isn't very nice :) Admittedly though, if you use rsync for backups, you have to take this kind of chance, I think - I'm not sure how else to proceed. I do like the idea of your script - it takes things one step further than I have. TTYL, -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgp3B80VAFGnt.pgp Description: PGP signature
Re: ssh and root logins
This one time, at band camp, Stephen Gran said: This one time, at band camp, Bernard Blackham said: This lets the backup key *only* run rsync in server mode. I /believe/ this means that (short of finding a buffer overflow in rsync) logins with this ssh key will only be able to read files, and not be able to change anything. Though if anybody can find any flaws in this scheme, I'd like to know :) As is kind of obvious, if I can compromise that key, I can do rsync -e ssh --delete /some/empty/dir [EMAIL PROTECTED]:/ or something, which isn't very nice :) Err, disregard - I just now noticed the --server _--sender_ part of it - no you should be fine, since that only allows pull jobs. Sorry about that, -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgpuH1Rddv7wy.pgp Description: PGP signature
Re: ssh and root logins
* Stephen Gran ([EMAIL PROTECTED]) [040810 17:40]: This one time, at band camp, Bernard Blackham said: This lets the backup key *only* run rsync in server mode. I /believe/ this means that (short of finding a buffer overflow in rsync) logins with this ssh key will only be able to read files, and not be able to change anything. Though if anybody can find any flaws in this scheme, I'd like to know :) As is kind of obvious, if I can compromise that key, I can do rsync -e ssh --delete /some/empty/dir [EMAIL PROTECTED]:/ or something, which isn't very nice :) I use commands like command=rsync --server -logDtpr --delete . /home/aba/bts/spohr/data So I know exactly what directory can be changed and what not. (For backup rsyncs, you can just fix it on the other direction, so not so much harm can be done, because only write, and no read is possible.) Cheers, Andi -- http://home.arcor.de/andreas-barth/ PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]