01-25-2005 10:29 PM
Deny just ssh root clone logins
My question is: is it possible to deny ssh logins for root clones, but allow ssh login for root itself?
I've read the very interesting thread "Deny ssh root logins, but allow ssh remote commands?" but my problem is a bit different.
I'd like to deny ssh logins for all users that are clones of user 'root' BUT allow ssh login for the "real" (and unique) 'root' user.
I've created the clone by the command:
/usr/sbin/useradd -u 0 -g root -d /root -c "Root Clone" -o -n -r cloneroot
and I use Linux Red Hat:
$ uname -a
Linux
I think that a good (?) solution could be to edit the '.profile' file in root's home and type:
NAME=`logname`
if [ "$NAME" = cloneroot ]
then
echo "Esco"
read
exit
fi
Is this the only way to do it? I've also read about setting 'PermitRootLogin yes' in the '/etc/ssh/sshd_config' file, but it doesn't seem able to select only root clones.
Any idea? (If it is possible...)
Thanks
Tags: ssh
01-25-2005 11:58 PM
Re: Deny just ssh root clone logins
One of the first types of hacker attacks is to modify an ordinary user login to have UID=0, hence the reason for the command logins -d: to watch for such hacks. While a clone username may seem unique, it is handled ONCE, by the login command, which does a simple serial search of the passwd file. From then on, the user is defined as a UID. Commands such as ls -l will NOT show the clone username; they will show the first UID match. Tools like id and usermod will fail because a match is made with the UID, not the username.
A secure system will scan for duplicate user IDs on a regular basis as part of an intrusion detection process.
Bill Hassell, sysadmin
01-26-2005 02:38 AM
Re: Deny just ssh root clone logins
To begin, I would have to say "don't do it".
To answer your question, use the `id` command to check the username, not the UID:
id -un
This will return the $LOGNAME and not the UID number.
01-26-2005 03:08 AM
Re: Deny just ssh root clone logins
There should be one root account and if possible under organization rules only the sysadmin should use it.
Limited privileges can be granted by using the sudo utility.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
01-26-2005 03:39 AM
Re: Deny just ssh root clone logins
But (I'm sorry to say 'but') I still don't know if editing the '.profile' file is the only way to distinguish the user.
Now (thanks Bill) I understand that this way (.profile) is very poor and easy to hack (and I won't use it!).
The command 'logname' displays the correct logname (cloneroot), while the 'id' command always returns "uid=0(root)" (for 'root' as well as for 'cloneroot').
So, even if not prudent, is it possible to distinguish between the real 'root' and its clones during remote login?
I thought there was something in the 'sshd_config' file like 'PermitRootLogin root, clone1, clone2' (e.g. denying remote login for 'cloneroot'), but it isn't so.
??
01-26-2005 03:55 AM
Re: Deny just ssh root clone logins
root clones = BAD IDEA!
Now that that's out of the way, here's my suggestion. This is hackable (ANYTHING is hackable with root privileges), but I suspect it is much easier to overlook than .profile.
In the "Deny ssh root logins, but allow ssh remote commands?" thread, see the big long post by Ralph Grothe, specifically the ~root/.ssh/rc script.
That one had me stumped for hours when I tried to undo his suggestions. It just kept immediately logging me out.
If you put that in cloneroot's .ssh directory it should have the same effect.
Make sure it's owned by root and has 400 permissions, so they can't see the contents (unless/until they su).
01-26-2005 05:05 AM
Re: Deny just ssh root clone logins
if [ "$LOGNAME" = cloneroot ]
then
echo "Esco"
read
exit
fi
Note that login sets the environment variable LOGNAME to the result of the /usr/bin/logname command, so you can save the extra assignment statement.
To answer your question, ssh does not provide any method to lock out cloned UID=0 usernames. This must be done in /etc/profile.
Bill Hassell, sysadmin