Operating System - HP-UX
Re: Deny just ssh root clone logins

Mib_2
New Member

Deny just ssh root clone logins

Hi all, I've a question for anyone who could help me.
My question is: Is it possible to deny ssh root clone logins, but allow ssh root login?

I've read the very interesting thread about
"Deny ssh root logins, but allow ssh remote commands?" but my problem is a bit different.
I'd like to deny ssh logins for all users that are clones of user 'root' BUT allow ssh login for the "real" (and unique) 'root' user.

I've created the clone by the command:
/usr/sbin/useradd -u 0 -g root -d /root -c "Root Clone" -o -n -r cloneroot

and I use Linux Red Hat:
$ uname -a
Linux 2.4.22 #1 SMP Mon Jun 23 18:54:03 CEST 2003 i686 unknown

I think that a good (?) solution could be to edit the '.profile' file in root's home and type:

# name the user logged in with, as recorded by login (not the UID)
NAME=`logname`
if [ "$NAME" = cloneroot ]
then
    echo "Esco"
    read dummy
    exit
fi

Is this the only way to do it? I've also read about configuring the variable 'PermitRootLogin yes' in the '/etc/ssh/sshd_config' file, but it doesn't seem to be able to select only root clones.

Any idea? (if it is possible...)
Thanks
Bill Hassell
Honored Contributor

Re: Deny just ssh root clone logins

Clone (alternate) root logins should NEVER be permitted on a secure system. The concept of a root user is defined by the passwd file, long after ssh or telnet or rlogin have connected to your system. Just like /var/adm/inetd.sec, filtering at the low-level TCP/IP layer is not possible because login is a special program that just happens to be run AFTER a connection is made. And don't put tests about logins in .profile!! A hacker won't use the 'real' root $HOME directory, thus bypassing your .profile. Such tests belong in /etc/profile just after you disable CTRL-C and other escapes.

One of the first types of hacker attacks is to modify an ordinary user login to have UID=0, thus the reason for the command: logins -d to watch for such hacks. While a clone username may seem unique, it is handled ONCE with the login command which does a simple serial search of the passwd file. From then on, the user is defined as a UID. Commands such as ls -l will NOT show the clone username, it will show the first UID match. Tools like id and usermod will fail because a match is made with the UID, not the username.

A secure system will scan systems for duplicate user IDs on a regular basis as a part of an intrusion detection process.


Bill Hassell, sysadmin
Rick Garland
Honored Contributor

Re: Deny just ssh root clone logins

You are making accounts that have duplicate UID=0.

To begin, I would have to say "don't do it".

To answer your question, use the `id` command to check the username, not the UID.

id -un

This will return the $LOGNAME and not the UID number.
Steven E. Protter
Exalted Contributor

Re: Deny just ssh root clone logins

Absolutely not prudent to do this.

There should be one root account and if possible under organization rules only the sysadmin should use it.

Limited privileges can be granted by using the sudo utility.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mib_2
New Member

Re: Deny just ssh root clone logins

First of all, thanks a lot for the appreciated tips.

But (I'm sorry to say 'but') I still don't know if editing the '.profile' file is the only way to distinguish the user.

Now (thanks Bill) I understand that this way (.profile) is very poor and easy to hack (and I won't use it!).
The command 'logname' displays the correct logname (cloneroot) while the 'id' command always returns "uid=0(root)" (for 'root' as well as for 'cloneroot').

So, even if not prudent, is it possible to distinguish between the real 'root' and its clones during remote login?
I thought there was something in the 'sshd_config' file like 'PermitRootLogin root, clone1, clone2' (e.g. denying remote login for 'cloneroot') but it isn't so.

??
Gordon  Morrison
Trusted Contributor

Re: Deny just ssh root clone logins

First, I have to agree with the others and say:
root clones = BAD IDEA!

Now that that's out of the way, here's my suggestion. This is hackable (ANYTHING is hackable with root privileges) but I suspect it is much easier to overlook than .profile.

In the "Deny ssh root logins, but allow ssh remote commands?" thread, see the big long post by Ralph Grothe, specifically the ~root/.ssh/rc script.
That one had me stumped for hours when I tried to undo his suggestions. It just kept immediately logging me out.
If you put that in the cloneroot's .ssh directory it should have the same effect.
Make sure it's owned by root and has 400 permissions, so they can't see the contents (unless/until they su).
What does this button do?
Bill Hassell
Honored Contributor

Re: Deny just ssh root clone logins

As mentioned, you need to edit /etc/profile, not .profile and use the logname command to test how the user logged in, something like this:

# LOGNAME is set by login from the logname command (see below)
if [ "$LOGNAME" = cloneroot ]
then
    echo "Esco"
    read dummy
    exit
fi

Note that login sets the environment variable LOGNAME to the result of the /usr/bin/logname command, so you can save the extra assignment statement.

To answer your question, ssh does not provide any method to lock out cloned UID=0 usernames. This must be done in /etc/profile.


Bill Hassell, sysadmin