topic Re: Deny just ssh root clone logins in Operating System - HP-UX

Deny just ssh root clone logins

Mib_2 — Wed, 26 Jan 2005 06:29:19 GMT

Hi all, i've a question for anyone could help me.
My question is: Is it possible to deny ssh root clones logins, but allow ssh root login?

I've read the very interesting thread about
"Deny ssh root logins, but allow ssh remote commands?" but my problem is a bit different.
I'd like to deny ssh logins for all users that are clones of user 'root' BUT allow ssh login for the "real"(and unique) 'root' user.

I've created the clone by the command:
/usr/sbin/useradd -u 0 -g root -d /root -c "Root Clone" -o -n -r cloneroot

and I use Linux Red Hat:
$ uname -a
Linux 2.4.22 #1 SMP Mon Jun 23 18:54:03 CEST 2003 i686 unknown

I think that a good (?) solution could be edit '.profile' file in root home and type:

NAME=`logname`
if [ $NAME = cloneroot ]
then
echo "Esco"
read
exit
fi

Is this the unique way to do it? I' ve also read about configuring variable 'PermitRootLogin yes' in '/etc/ssh/sshd_config' file but it doesn't seem to be able to select only root clones.

Any idea? (if it is possible...)
Thanks

Re: Deny just ssh root clone logins

Bill Hassell — Wed, 26 Jan 2005 07:58:47 GMT

Clone (alternate) root logins should NEVER be permitted on a secure system. The concept of a root user is defined by the passwd file, long after ssh or telnet or rlogin have connected to your system. Just like /var/adm/inetd.sec, filtering at the lowlevel TCP/IP is not possible because login is a special program that just happens to be run AFTER a connection is made. And don't put tests about logins in .profile!! A hacker won't use the 'real' root $HOME directory, thus bypassing your .profile. Such tests belong in /etc/profile just after you disable CTRL-C and other escapes.

One of the first types of hacker attacks is to modify an ordinary user login to have UID=0, thus the reason for the command: logins -d to watch for such hacks. While a clone username may seem unique, it is handled ONCE with the login command which does a simple serial search of the passwd file. From then on, the user is defined as a UID. Commands such as ls -l will NOT show the clone username, it will show the first UID match. Tools like id and usermod will fail because a match is made with the UID, not the username.

A secure system will scan systems for duplicate user IDs on a regular basis as a part of an intrusion detection process.

Re: Deny just ssh root clone logins

Rick Garland — Wed, 26 Jan 2005 10:38:26 GMT

You are making accounts that have duplicate UID=0.

To begin, I would have to say "don't do it"

To answer your question, use the `id` command to check the the username, not the UID.

id -un

This will return the $LOGNAME and not the UID number.

Re: Deny just ssh root clone logins

Steven E. Protter — Wed, 26 Jan 2005 11:08:49 GMT

Absolutely not prudent to do this.

There should be one root account and if possible under organization rules only the sysadmin should use it.

Limited priviledges can be granted by using the sudo utility.

SEP

Re: Deny just ssh root clone logins

Mib_2 — Wed, 26 Jan 2005 11:39:53 GMT

First of all, thanks a lot for the appreciate tips.

But (I'm sorry to say 'but') I still don't know if editing the '.profile' file is the unique way to distingush the user.

Now (thanks Bill) I understood that this way (.profile) is very poor and easy to hack (and I wont use it!).
The command 'logname' display the correct logname (cloneroot) while the 'id' command always returns "uid=0(root)" (as well for 'root' as well for 'cloneroot').

So, even if not prudent, is it possible to distinguish between the real 'root' and its clones during remote login?
I thought there was in 'sshd_config' file something like 'PermitRootLogin root, clone1, clone2' (e.g. denying remote login for 'cloneroot') but it's isn't so.

??

Re: Deny just ssh root clone logins

Gordon Morrison — Wed, 26 Jan 2005 11:55:08 GMT

First, I have to agree with the others and say:
root clones = BAD IDEA!

Now that that's out of the way, here's my suggestion. This is hackable (ANYTHING is hackable with root privileges) but I suspect it is much easier to overlook than .profile

In the "Deny ssh root logins, but allow ssh remote commands?" thread, see the big long post by Ralph Grothe, specifically the ~root/.ssh/rc script.
That one had me stumped for hours when I tried to undo his suggestions. It just kept immediately logging me out.
If you put that in the cloneroot's .ssh directory it should have the same effect.
Make sure it's owned by root and has 400 permissions, so they can't see the contents(unless/until they su)

Re: Deny just ssh root clone logins

Bill Hassell — Wed, 26 Jan 2005 13:05:42 GMT

As mentioned, you need to edit /etc/profile, not .profile and use the logname command to test how the user logged in, something like this:

if [ $LOGNAME = cloneroot )
then
echo "Esco"
read
exit
fi

Note that login sets the environment variable LOGNAME to the result of the /usr/bin/logname command, so you can save the extra assignment statement.

To answer your question, ssh does not provide any method to lockout cloned UID=0 usernames. This must be done in /etc/profile.