Re: Locking down a guest account - need help.
On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:
> Howdy all,
>
> Not debian specific, but this is the best batch of security minds I have
> access to so I figured I'd see if this interests anyone. I need to set up
> some Xterminal replacements - linux boxes that will mostly only be running
> netscape and ssh. They are going to be used for visiting staff/students/etc
> so they need a guest account with a bad password.

Or, use kdm (instead of xdm). It lets you specify which users will be
allowed to log in without typing their password. Thus, you leave the guest
account with a strong password and don't tell it to anybody, but allow
logins as guest from the console via kdm. (BTW, KDM is a decent replacement
for XDM. It can launch whatever you want, not just kde.) This makes securing
FTP, SSH, etc. a lot less worrisome. (You still might want to block the
guest account out of a lot of stuff...)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my
day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: Locking down a guest account - need help.
On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:
> 1. How to disallow network connections to this guest account? I don't
> want anyone ssh'ing in, but I still want to be able to remotely administer
> the machines.

man sshd --

     DenyUsers
             This keyword can be followed by a number of user names,
             separated by spaces. Login is disallowed for user names that
             match one of the patterns. `*' and `?' can be used as wildcards
             in the patterns. Only user names are valid, a numerical user id
             isn't recognized. By default login is allowed regardless of the
             username.

There are similar DenyGroups, AllowUsers, and AllowGroups directives, too.
This is *the* simplest solution.

If you're PAM-savvy, there are options there, too (easiest is to use
pam_listfile to allow/deny access to people listed in a particular file).
However, it's really easy to shoot yourself in the foot with PAM.

Plus, you'd certainly want to disable any other network access methods you
can (ftp and friends). If all the people need to do is browse the web and
ssh out, you can also make a firewall rule that allows traffic to and from
any remote host's port 22, 80, or 443.

-- 
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: Locking down a guest account - need help.
On Sat, Aug 04, 2001 at 12:30:20AM +0200, Tobias wrote:
> Hello!
>
> you can disable password login in sshd and only run ssh with public key
> authentication, just don't forget to put a root owned non-writable folder
> or file called .ssh and .ssh2 in the accounts you do not wish people to
> log in to. And I agree with Jim Breton about locking down PAM as much as
> possible.

Umm... Once you deny password login and only key based auth, how are they
going to create the file in the first place?
Re: Locking down a guest account - need help.
On Sat, Aug 04, 2001 at 12:30:20AM +0200, Tobias wrote:
> Hello!
>
> you can disable password login in sshd and only run ssh with public key
> authentication, just don't forget to put a root owned non-writable folder
> or file called .ssh and .ssh2 in the accounts you do not wish people to
> log in to.

Putting a root-owned file in a directory owned by a user is not much help
against a UNIX-savvy user. The user would still be able to rename the
file(s).

You could create the .ssh / .ssh2 directories or files (owned by root), and
then use the ``chattr +i dirname'' command on each directory or file to
protect it. This is for ext2fs only, but other filesystems may have
equivalent commands.

[FYI, chattr +i sets the immutable flag in the ext2 filesystem, rendering
the file unchangeable. chattr -i will remove the flag. Read the man page for
more info.]

Just my $0.02 worth,

-- 
Eli Boaz ([EMAIL PROTECTED])
GNU/Linux: Free your computer from bad software. http://www.debian.org/
Re: Locking down a guest account - need help.
On Fri, Aug 03, 2001 at 03:38:28PM -0700, Vineet Kumar wrote:
> * David Ehle ([EMAIL PROTECTED]) [010803 14:53]:
> > Thanks Andrew, Thanks Jim. I'll layer them on and sleep better tonight ;).
> >
> > Stopping the middle button menu behavior is still causing me to pull my
> > hair out though. Tried changing the behavior of the middle button in the
> > /enlightenment/keybind.cfg file - both global and local version, but it
> > doesn't seem to stop the menu function when you click on the desktop
> > proper. Any super X gurus out there want to share their $.02?
>
> (IANAG) I've never tried this, but maybe you could just reconfigure X so
> that it thinks you're using a one-button mouse? Of course, you'd also want
> to disable the keyboard-mouse-emulation functionality. Overall, it seems
> like a weird way to go about sidestepping configurability. There must be
> other ways to change settings (gnome-control-center, e16menuedit,
> e16keyedit, etc) without the middle button.

You should be able to do this by setting Buttons 2 in the mouse config of
XFree. You can also use xmodmap to set the middle button to something else.

-B

-- 
Brandon High [EMAIL PROTECTED]
If I worked as much as others, I would do as little as they.
Locking down a guest account - need help.
Howdy all,

Not debian specific, but this is the best batch of security minds I have
access to so I figured I'd see if this interests anyone.

I need to set up some Xterminal replacements - linux boxes that will mostly
only be running netscape and ssh. They are going to be used for visiting
staff/students/etc so they need a guest account with a bad password. The
machines have to run X - I'm using Sawmill/Gnome WM/DE for familiarity value
for users.

Now the problems I still need solutions for:

1. How to disallow network connections to this guest account? I don't want
anyone ssh'ing in, but I still want to be able to remotely administer the
machines.

2. How do I either turn off the middle click menus in
Gnome/enlightenment/sawmill, or totally disable/remap the middle button
behavior? Right click is handled by oneclick.so (see www.dnalounge.com) but
middle seems to go through.

The problem I'm running into is that all the documentation is about how to
set up public web stations, and I still want to preserve greater
functionality for trusted users.

Thanks in advance for help and advice!

David.
Re: Locking down a guest account - need help.
On Fri, Aug 03, 2001 at 01:56:26PM -0400, Andrew Lattis wrote:
> 1. Check the openssh man page for AllowGroups and AllowUsers, both allow
> you to specify users that are allowed to login, everyone else is denied.

You can also disable access with PAM, using the sshd pam control file. Just
use pam_deny.so to deny authentication.

You should combine both methods mentioned above, as well as whatever else
you can find... the old defense in depth adage applies here. :)
Re: Locking down a guest account - need help.
* David Ehle ([EMAIL PROTECTED]) [010803 14:53]:
> Thanks Andrew, Thanks Jim. I'll layer them on and sleep better tonight ;).
>
> Stopping the middle button menu behavior is still causing me to pull my
> hair out though. Tried changing the behavior of the middle button in the
> /enlightenment/keybind.cfg file - both global and local version, but it
> doesn't seem to stop the menu function when you click on the desktop
> proper. Any super X gurus out there want to share their $.02?

(IANAG) I've never tried this, but maybe you could just reconfigure X so
that it thinks you're using a one-button mouse? Of course, you'd also want
to disable the keyboard-mouse-emulation functionality. Overall, it seems
like a weird way to go about sidestepping configurability. There must be
other ways to change settings (gnome-control-center, e16menuedit,
e16keyedit, etc) without the middle button.

I wonder, though, if disabling the middle-click is really the level of
security you want. What if you just chmod u-w all the relevant dotfiles
once you've gotten it set up the way you like?

As for ssh, it does sound to me like AllowUsers and AllowGroups are the
feature you're looking for. For something a little extra, you may also go
so far as to only allow connections from your workstation in a few
different ways:

  ignore users' host key files and only have your desktop's host key in the
  known_hosts\(2\)? file.
  TCP wrappers.
  ip\(chains|tables\)
  Disallow password logins and add a from= option in the
  authorized_keys\(2\)? file.

Not that all of those are necessary in your case, but you should know that
there are a number of ways to get whatever level of access control you
desire with these systems working together.

Vineet
Re: Locking down a guest account - need help.
On Fri, 03 Aug 2001 13:46:10 David Ehle wrote:
> Howdy all,
>
> Not debian specific, but this is the best batch of security minds I have
> access to so I figured I'd see if this interests anyone.
>
> I need to set up some Xterminal replacements - linux boxes that will
> mostly only be running netscape and ssh. They are going to be used for
> visiting staff/students/etc so they need a guest account with a bad
> password. The machines have to run X - I'm using Sawmill/Gnome WM/DE for
> familiarity value for users.
>
> Now the problems I still need solutions for:
>
> 1. How to disallow network connections to this guest account? I don't
> want anyone ssh'ing in, but I still want to be able to remotely administer
> the machines.
>
> 2. How do I either turn off the middle click menus in
> Gnome/enlightenment/sawmill, or totally disable/remap the middle button
> behavior? Right click is handled by oneclick.so (see www.dnalounge.com)
> but middle seems to go through.
>
> The problem I'm running into is that all the documentation is about how
> to set up public web stations, and I still want to preserve greater
> functionality for trusted users.
>
> Thanks in advance for help and advice!
>
> David.

1. Check the openssh man page for AllowGroups and AllowUsers, both allow
you to specify users that are allowed to login, everyone else is denied.

2. For enlightenment you should be able to remove the keybindings for the
mouse button(s) you wish to disable.
/usr/share/enlightenment/config/keybindings.cfg is the global keybindings
config, or you could copy that to ~/.enlightenment if you just wanted to
disable them for one user. The mouse buttons are at the top of the default
config in potato. e16keyedit provides a gui for editing these keybindings;
it doesn't appear to be packaged in potato though.

Not sure about gnome or sawmill, but I'm guessing it's something similar.
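The AllowUsers/AllowGroups directives Andrew points at here, and the DenyUsers text Mike quoted from the man page earlier in the thread, interact in a fixed order: sshd evaluates DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and any non-empty Allow list turns into "everyone not listed is refused". The following is an added example, not code from any poster or from OpenSSH: a small dry-run evaluator that reads the four directives out of an sshd_config fragment and reports who would get past them, so a policy can be sanity-checked before it locks the administrator out. The user/group table, the two config fragments and the addresses (192.0.2.5 as the admin workstation) are constructed sample data.

```python
"""Dry-run OpenSSH's user/group access directives before deploying a config.

Added example for this thread, not code from any poster or from OpenSSH.
The precedence it implements (DenyUsers, then AllowUsers, then DenyGroups,
then AllowGroups) is the order documented in sshd_config(5); the config
fragments and the user/group table below are constructed sample data.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for /etc/passwd + /etc/group on the kiosk box.
GROUPS = {
    "guest": ["guest"],
    "guest1": ["guest"],
    "dehle": ["staff", "wheel"],
    "alice": ["staff"],
}

ACCESS_KEYWORDS = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_sshd_config(text):
    """Collect the patterns given to the four access-control keywords."""
    rules = {k: [] for k in ACCESS_KEYWORDS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in rules and len(parts) == 2:
            rules[parts[0]].extend(parts[1].split())
    return rules


def _user_pattern_matches(pattern, user, host):
    """A user pattern is 'user' or 'user@host'; '*' and '?' are wildcards."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and fnmatchcase(host, host_pat)
    return fnmatchcase(user, pattern)


def login_allowed(rules, user, host="203.0.113.10"):
    """True if sshd would let `user`, connecting from `host`, past these directives."""
    groups = GROUPS.get(user, [])
    if any(_user_pattern_matches(p, user, host) for p in rules["DenyUsers"]):
        return False
    if rules["AllowUsers"] and not any(
        _user_pattern_matches(p, user, host) for p in rules["AllowUsers"]
    ):
        return False
    if any(fnmatchcase(g, p) for g in groups for p in rules["DenyGroups"]):
        return False
    if rules["AllowGroups"] and not any(
        fnmatchcase(g, p) for g in groups for p in rules["AllowGroups"]
    ):
        return False
    return True


# Constructed sshd_config fragments for the two approaches suggested in the thread.
DENY_ONLY = """
# Block the shared account(s); every other user is unaffected.
DenyUsers guest guest?
"""

ALLOW_GROUP = """
# Only wheel members may log in, and only from the admin workstation.
AllowUsers *@192.0.2.5
AllowGroups wheel
"""

if __name__ == "__main__":
    for name, cfg in (("deny-only", DENY_ONLY), ("allow-group", ALLOW_GROUP)):
        rules = parse_sshd_config(cfg)
        for user in ("guest", "guest1", "dehle", "alice"):
            for host in ("192.0.2.5", "203.0.113.10"):
                verdict = "allow" if login_allowed(rules, user, host) else "deny"
                print(f"{name:11} {user:6} from {host:13} -> {verdict}")
```

Running it shows the trade-off between the two fragments: DenyUsers alone blocks guest and guest1 and leaves every other account reachable from anywhere, while the AllowUsers/AllowGroups pair refuses everyone except wheel members coming from 192.0.2.5, including the administrator's own account from any other address. Whichever form is chosen, the real check on the box is `sshd -t` for syntax and a second open session while the new config is tested.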
Re: Locking down a guest account - need help.
Thanks Andrew, Thanks Jim. I'll layer them on and sleep better tonight ;).

Stopping the middle button menu behavior is still causing me to pull my
hair out though. Tried changing the behavior of the middle button in the
/enlightenment/keybind.cfg file - both global and local version, but it
doesn't seem to stop the menu function when you click on the desktop
proper. Any super X gurus out there want to share their $.02?

Thanks,
David.

On Fri, 3 Aug 2001, Jim Breton wrote:
> On Fri, Aug 03, 2001 at 01:56:26PM -0400, Andrew Lattis wrote:
> > 1. Check the openssh man page for AllowGroups and AllowUsers, both allow
> > you to specify users that are allowed to login, everyone else is denied.
>
> You can also disable access with PAM, using the sshd pam control file.
> Just use pam_deny.so to deny authentication.
>
> You should combine both methods mentioned above, as well as whatever else
> you can find... the old defense in depth adage applies here. :)
Re: Locking down a guest account - need help.
On Fri, Aug 03, 2001 at 08:09:25PM +, Jim Breton wrote:
> You can also disable access with PAM, using the sshd pam control file.
> Just use pam_deny.so to deny authentication.

/me pops foot out of mouth

When I wrote that I was not considering your previous statement of needing
to still be able to log in normally with other accounts. My advice would
have locked you out completely... so... don't use it. *8) Sorry.

Something that _will_ work though (and I think I had this in mind when
writing my first post but somehow confused myself) would be to make use of
pam's /etc/security/access.conf. Here you can specify which users can log
in on which ttys.

HTH, for real this time. ;)
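The /etc/security/access.conf file Jim is pointing at is read by pam_access: each line is `permission : users : origins`, the first line whose users and origins fields both match decides, and if nothing matches the login is granted. The following is an added example, not code from any poster or from Linux-PAM: a small evaluator for that first-match logic, used to dry-run a policy that confines guest to the console while still letting an admin group in from one workstation. It assumes pam_access.so is enabled in the account stack for sshd and the console login (for example an `account required pam_access.so` line in the relevant /etc/pam.d file); the policy, the group table, the origins (tty1, the X display :0, and the addresses) are constructed sample data, and LOCAL is modelled as the historical "origin contains no dot" rule.

```python
"""Dry-run a pam_access /etc/security/access.conf policy.

Added example for this thread, not code from any poster or from Linux-PAM.
It models the first-match rule of pam_access(8) for the subset of syntax
used here: +/- permission, login and (group) names, ALL, ALL EXCEPT, LOCAL,
domain suffixes, and exact tty/host/IP origins. LOCAL is modelled as the
historical "origin contains no dot" rule; check pam_access(8) for the exact
behaviour of your version. The policy and the group table are constructed.
"""

# Constructed stand-in for /etc/group.
GROUPS = {"guest": ["guest"], "dehle": ["staff", "wheel"], "alice": ["staff"]}


def _split_field(field):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); without EXCEPT -> (tokens, [])."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_access_conf(text):
    """Return [(allow: bool, users_field, origins_field), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", _split_field(users), _split_field(origins)))
    return rules


def _user_token_matches(token, user):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):       # (group): group only
        return token[1:-1] in GROUPS.get(user, [])
    return token == user or token in GROUPS.get(user, [])  # login or group name


def _origin_token_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                    # simplification: no '.' in the origin
        return "." not in origin
    if token.startswith("."):               # domain suffix, e.g. .example.edu
        return origin.endswith(token)
    return token == origin                  # exact tty, host name or IP


def _field_matches(field, value, token_matches):
    included, excluded = field
    return any(token_matches(t, value) for t in included) and not any(
        token_matches(t, value) for t in excluded
    )


def access_allowed(rules, user, origin):
    """First rule whose users AND origins fields match decides; no match grants."""
    for allow, users, origins in rules:
        if _field_matches(users, user, _user_token_matches) and _field_matches(
            origins, origin, _origin_token_matches
        ):
            return allow
    return True


# Constructed policy: guest only at the console, wheel also from the admin
# workstation 192.0.2.5, everyone else console only.
ACCESS_CONF = """
# permission : users : origins
- : guest : ALL EXCEPT LOCAL
+ : (wheel) : 192.0.2.5 LOCAL
- : ALL : ALL EXCEPT LOCAL
"""

if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, origin in (("guest", "tty1"), ("guest", ":0"), ("guest", "203.0.113.10"),
                         ("dehle", "192.0.2.5"), ("dehle", "203.0.113.10"),
                         ("alice", ":0"), ("guest", "shorthost")):
        verdict = "allow" if access_allowed(rules, user, origin) else "deny"
        print(f"{user:6} from {origin:13} -> {verdict}")
```

The last probe in the usage loop is the caveat worth keeping in mind: under the dot-based LOCAL rule an origin with no dot in it (an unqualified host name, or an IPv6 literal) is treated as local, so guest would be let through from there. That is why the thread's layering advice holds: pam_access narrows where accounts may log in from, and sshd's own DenyUsers/AllowUsers stays in place as the independent second check.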
Re: Locking down a guest account - need help.
Hello!

you can disable password login in sshd and only run ssh with public key
authentication, just don't forget to put a root owned non-writable folder
or file called .ssh and .ssh2 in the accounts you do not wish people to log
in to.

And I agree with Jim Breton about locking down PAM as much as possible.

/Tobias

On Fri, Aug 03, 2001 at 10:13:03PM +, Jim Breton wrote:
> On Fri, Aug 03, 2001 at 08:09:25PM +, Jim Breton wrote:
> > You can also disable access with PAM, using the sshd pam control file.
> > Just use pam_deny.so to deny authentication.

-- 
todays excuse BOFH excuse #322:
Your Pentium has a heating problem - try cooling it with ice cold water.
(Do not turn of your computer, you do not want to cool down the Pentium
Chip while he isn't working, do you?)