Security Info

Abhi123 — Fri, 21 Dec 2007 19:11:12 GMT

Hi All,

We run our Apps shutdown script [e.g. boxB] from DB server [e.g boxA] before the backup script using remote login[rlogin/rsh] without password. As per security audit it's a risk as the remote login is without the password. I am wondering is there any way we can make more secure? We should be able to do the following

1. Stop the application in boxB before the backup on BoxA
2. After backup completion start the application on BoxB

I appreciate your help.

Thx,

Abhijit

Re: Security Info

Hasan Atasoy — Fri, 21 Dec 2007 19:18:49 GMT

hi abhijit ;

i think you are using remsh , using ssh fÄ±r connection will make your connection more secure.

Hasan

Re: Security Info

skt_skt — Sun, 23 Dec 2007 00:55:19 GMT

see the file attahced

Re: Security Info

F Verschuren — Mon, 24 Dec 2007 08:33:31 GMT

ssh is a good first stap, to make it autitable you have to create a acount that is only useble to do just this...
so make sure that no other (personal) users are using this acounts, and to make sure that this user can not do anny thing els, you can use a restricted shell.
If you creat a shell that does the stop/start and than a exit, the user will never get a promt.....

Re: Security Info

Tor-Arne Nostdal — Mon, 24 Dec 2007 13:17:21 GMT

Using ssh is normally considered more secure than using rlogin/remsh/rsh as *** it is more strict for checking the host you're coming from *** .

In your environment with DB-server and Application servers, it is normal to grant the DB-server access to the AS's (and not the other way around) - in order to be able to do proper startup/shutdown for the entire Application.

---
Using ssh is very easy when you first have started using it. Availability depend on which UX release you have. You might need to download and install it separately.

You should use the SSH commands ssh, scp, sftp instead of rsh, rcp, ftp.

For login to the system you should forget telnet and rather use ssh. If you use a PC I can recommend the simple and easy Putty terminal emulator. Note that you normally tunnel X-display through the SSH connection - and this simplifies your DISPLAY setup.
(tunnel X using ssh: ssh -X user@host)
(tunnel X using Putty - separate config check value)
--- back to your question...

Config SSH:
Let's say you have a DB-user named {sid}adm

root@BoxA# su - {sid}adm
{sid}adm> ssh-keygen
Generating public/private rsa key pair.
Please be patient.... Key generation may take a few minutes
Enter file in which to save the key (/home/{sid}adm/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/{sid}adm/.ssh/id_rsa.
Your public key has been saved in /home/{sid}adm/.ssh/id_rsa.pub.
The key fingerprint is:
15:7a:8e:c7:b7:3f:dd:c8:72:cb:b8:3f:ea:22:2b:85 {sid}adm@BoxA
{sid}adm> # backup copy of public key
{sid}adm> cp -p id_rsa.pub id{sid}adm.pub
{sid}adm> # backup copy of private key
{sid}adm> cp -p id_rsa id{sid}adm-privkey
NB! Do not enter a passphrase - as this would lead to a prompt for password.
The reason for backup copy - is to avoid being enforced to distribute new keys if someone should run ssh-keygen by mistake and overwrite your keys...

The ~/.ssh/id_rsa is the Private key for your {sid}adm user (and should be secured - default permission 600)
The id_rsa.pub is the Public part of this keypair, and is the key you must copy to BoxB. A host can use this key to verify that you are really {sid}adm from BoxA.

Configuring BoxB:
1)install SSH if not already present)

(nb! user can be any user you want to grant {sid}adm@BoxA access to without password)
user@BoxB> cd ~/.ssh/
user@BoxB> scp {sid}adm@BoxA:~/.ssh/id_rsa.pub ./id_{sid}adm_BoxA
user@BoxB> cat ./id_{sid}adm_BoxA >> ./authorized_keys
(nb! sometimes the file is named authorised_keys2)

Now you should be able to make a connection from {sid}adm@BoxA to user@BoxB
Try:
{sid}adm@BoxA> ssh user@BoxB ll

Check the syslog if you get errors.
Read manpages and documentation for defining security-levels for SSH.

---- Also keep in mind ----
If you run your DB-server in MC/SG cluster, you might need to generate a key (ssh-keygen) for each node, and add each of these keys to the user@BoxB's authorized_keys file.

Have a nice Christmas and a Happy New (secured) Year :-)

/Tor-Arne

Re: Security Info

Abhi123 — Thu, 27 Dec 2007 17:15:28 GMT

Hello All,

I really appreciate for all the suggestion.

I will work on the ssh[public/private key] which looks to me more secure than what we have now.

Thank you once again and wish a happy new year to you and your family.

With warm regards,

Abhijit

topic Security Info in Operating System - HP-UX

Security Info

Re: Security Info

Re: Security Info

Re: Security Info

Re: Security Info

Re: Security Info