01-19-2005 03:13 AM
/etc/securetty will prevent telnet logins as root, if it contains the line "console" and nothing else, but this does NOT prevent root remsh commands if /.rhosts is set up to allow it.
I want to know if the same type of thing is possible using ssh:
I want to deny root logins, but I want to allow remote ssh commands to be run as root (preferably only from one particular central admin server, if possible)
I am in the process of devising a plan to beef up security on our HP-UX systems, and I want to disable root logins, thus forcing people to login as themselves, then use su if/when they need root permissions, so we have an audit trail.
But I also want to run various scripts (on a central server) that collect info from all the others, both for monitoring purposes, and to collect up-to-date configuration info in case of disaster.
I know that setting "PermitRootLogin no" in sshd_config will prevent root logins, but it also prevents remote commands from my scripts.
It would be acceptable to permit root logins only from the central admin server (and the console, obviously). All systems are running HP-UX.
Thanks in anticipation.
01-19-2005 03:30 AM
Re: Deny ssh root logins, but allow ssh remote commands?
Example, root can scp files to another system but will login as the other user in the SSH utility. PermitRootLogin no works on the scp, sftp, and other SSH utilities as well. Been trying to play with .shosts as well to no avail.
01-19-2005 03:50 AM
Re: Deny ssh root logins, but allow ssh remote commands?
Just get everybody to use certificates (even putty handles them) and disable password-based logins.
Unless somebody knows how to do it. It would be great if ;)
01-19-2005 06:37 AM
Re: Deny ssh root logins, but allow ssh remote commands?
Attached is my usual document on how to do this.
Chris
01-19-2005 05:53 PM
Re: Deny ssh root logins, but allow ssh remote commands?
This is an example of how inetd.sec looks at our site:
login deny
shell deny
exec deny
registrar allow xx.xxx.xx.xx
ftp allow xx.xx.xx.xxx\
xx.xx.xx.xxx\
Now you can leave the entry in the sshd_config.
01-19-2005 09:35 PM
Re: Deny ssh root logins, but allow ssh remote commands?
command="/usr/bin/bart create -r -" ssh-dss AAAAB3NzaC1kc3MAAACBAJ6zG8SJtQVi/Et OugyktNssLVofLmUepqsh712+D1AObTwRWZwjSH4hE423U3AcfY99u9ZxsdJ0sEpqnnvXmKaym7pMgk NxMCPoPcnf4mAIcx9IQkpotAiCbCQ+My5lFD4iW4Nxjqh6KwIecEaABcpg2x5nhaX8Bsx0XURO/f+jA AAAFQCD6dOAM1JunvUeCWNpXoB6tLyLewAAAIAXya1UPijNFIjymsJ0gjQXyCgll8/tORHy2vrloH7v gh9RJ9YNRWSZZjyRvLlKTd4KFIfcjT43WlVWJKa/A7l14DGntoTS+dRh4MohJXdUjYMvV+OODc1j8V2 p+JWbbHlqDxa+zAuFEskoWNPmBrTnbLNzamIPnQ7ZaqWsbWuePQAAAIEAmqlCaMfuFYWlvDHeak79Fm xHJjRLqmvRwlPPtkW8XDuF8wn8lj/+glWWY6/VJVtbfgteZLweotdM2wvdfXNqROiU9vvlylOdv29iA DxsSlPGSrjXkbkNGQXMHTgPQmfbDhmtpnM6occl2R+J8dpDT59zWV7+egNZ0TTV8GNnmng= gmb@manager
For more details see: http://www.securitydocs.com/library/2649
01-19-2005 10:18 PM
Re: Deny ssh root logins, but allow ssh remote commands?
I have already set up ssh with and authorized_keys file on a couple of test systems, to allow passwordless logins from the admin server, and I run daily/weekly scripts on the admin server which execute remote remsh/ssh commands on all servers to collect system info for monitoring purposes, and also to keep a historical record of configurations for DR purposes. Some of these commands must be run under root.
I want to keep using these scripts after we convert all systems to ssh and disable inetd, but I do NOT want anyone to login directly as root (not even with a password) from any other place except the console. If there's no other way, it would be acceptable to allow root logins from the admin server as well, but not from anywhere else, even with a password.
Is there a way to either:
1) Block all root logins, but specify 1 or more exceptions, where root CAN login from?
2) Create a "blacklist" (hopefully allowing wildcards) to specify where root CANNOT login from?
Thanks
01-19-2005 10:25 PM
Re: Deny ssh root logins, but allow ssh remote commands?
The following test will check that. Prepare the /etc/hosts.deny as follows
ALL:ALL
(the first is the service name and second is the host/nw etc.)
Now, try to telnet/ssh and it will not work.
This will confirm that tcp wrappers is built in. Then prepare the /etc/hosts.allow file to allow logins from selective hosts/networks.
Also set sshd to start from inetd.conf.
Anil
01-19-2005 10:45 PM
Re: Deny ssh root logins, but allow ssh remote commands?
If you create a different key for root and just distribute that to the admin server then only that server has interactive access via this key. Set the key options to "rootlogin = keyonly" to deny passwd login. Finally distribute a separate root key and then make it captive so that it only runs your scripts.
sshd_config has variables for limiting hosts, users, and groups.
01-19-2005 10:56 PM
Re: Deny ssh root logins, but allow ssh remote commands?
Unfortunately, specifying ALL:ALL in /etc/hosts.deny denies ALL users from logging in - not just root, no matter what's in hosts.allow.
I can't find a man page for hosts.allow or hosts.deny, and man hosts just covers /etc/hosts.
Is there a way to specify individual users in /etc/hosts.deny?
I tried a blank hosts.deny file, and just the admin server in /etc/hosts.allow, but that lets me in from other hosts as well.
Also, you say that the format of these files is HOST:NETWORK
Does specifying a network mean that users on any host on that network can login? Can I just specify 1 host that root can login from, and allow other users to login from anywhere?
01-19-2005 11:15 PM
Re: Deny ssh root logins, but allow ssh remote commands?
The document in the link you supplied seems to be specific to Solaris. As these are HP systems, I'm not sure how applicable it would be here. I couldn't find bart on software.hp.com.
I'll definitely look into the sshd_config options you mentioned. Where should "rootlogin=keyonly" be specified?
Thanks
01-20-2005 04:30 AM
Re: Deny ssh root logins, but allow ssh remote commands?
PermitRootLogin forced-commands-only
in the sshd_config man page. This will allow scripts to be run, but no interactive logins. (useful in combination with some of the options available to limit on a per host basis)
If you disallow keyboard-interactive logins (only allow key-based logins), then you can keep the private key on the admin server and not give it out to any of those other users. Put only that public key in your authorized_keys file.
For ssh_config, you can set options on a per host basis ('Host' keyword). I was thinking there was something similar for sshd_config, but can't find any reference to it right now :(
Hope that helps.
-Keith
01-20-2005 08:50 PM
Re: Deny ssh root logins, but allow ssh remote commands?
I'm still beating my head against a brick wall. Unfortunately, putting "ALL:ALL" in /etc/hosts.deny doesn't let anyone in, anyhow, no matter what's in /etc/hosts.allow.
As far as I've been able to tell, /etc/hosts.allow doesn't have any effect at all.
I have tried "PermitRootLogin forced-commands-only" and it seems to have the same effect as "ALL:ALL" in /etc/hosts.deny
AAARGH!
There must be something blatantly obvious that I'm overlooking. In the hope that one of you can spot it, some additional info:
Here's the version info from the admin server:
root@choprd12:/home/gm/tmp > uname -a
HP-UX choprd12 B.11.00 U 9000/800 633379302 unlimited-user license
root@choprd12:/home/gm/tmp > swlist -l product|grep -i secure
Secure_Shell A.03.81.002 HP-UX Secure Shell
and the crash&burn test system:
root@chounix:/opt/ssh/etc # uname -a
HP-UX chounix B.11.00 A 9000/819 63630342 two-user license
root@chounix:/opt/ssh/etc # swlist -l product|grep -i secure
Secure_Shell A.03.81.002 HP-UX Secure Shell
I'm attaching the sshd_config file. I have not modified ssh_config.
Again, your help is greatly appreciated.
01-20-2005 08:59 PM
Re: Deny ssh root logins, but allow ssh remote commands?
sshd : 12.202.30.x, xx.yy.dd.cc
The addresses put here will not be allowed access to the ssh.
In addition to this, Keith has given a good point. It looks like the one that you are looking for. This option when set will not allow ssh logins, but scripts set with ssh will run.
Anil
01-20-2005 09:53 PM
Re: Deny ssh root logins, but allow ssh remote commands?
PermitRootLogins forced-commands-only
in sshd_config just seems to block everything from root, including scripted commands. (hosts.deny is now blank)
I only want to prevent root logins - ordinary users need access from all over the place.
01-20-2005 11:40 PM
Solution: see http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current for more details.
01-20-2005 11:56 PM
Re: Deny ssh root logins, but allow ssh remote commands?
Set PermitRootLogins forced-commands-only and set root to do authentication by method of exchange of public/private keys. (use of authorized_keys file)
Anil
01-21-2005 01:26 AM
Re: Deny ssh root logins, but allow ssh remote commands?
I experimented a little because I was teased by your wee problem.
I came up with this poor man's "wrapper" one can devise with just the standard SSH features, and that at least works in our environment.
You may want to give it a try if it works with your settings as well.
Yes, it proved right that PermitRootLogin has to be enabled for anything to work.
But then I thought about the options in authorized_keys and had a little read in man sshd
So I did the following.
First I set these for the sshd where I want this to work
# grep ^Permit /opt/ssh/etc/sshd_config
PermitRootLogin yes
PermitUserEnvironment yes
Then I sent sshd a SIGHUP to make these settings valid
# kill -1 $(cat /var/run/sshd.pid)
Then on the sshd server I wrote this little script in root's $HOME/.ssh
(even needs not be executable)
# cat ~root/.ssh/rc
if [[ $KICKOUT_GRACE != 1 ]]; then      # only a key carrying environment="KICKOUT_GRACE=1" gets through
    export UNIX95=                        # HP-UX: XPG4 ps, so that -o ppid= / -o pid= work
    ppid=$(ps -o ppid= -p $$)             # start from the parent of this rc shell and walk up towards init
    until [[ $ppid = 1 ]]; do
        set -- $(ps -o pid= -o ppid= -p $ppid)
        sshd_pid=$pid                     # lags one step behind: ends up as the per-connection sshd child
        pid=$1; ppid=$2                   # (the process directly below the master sshd, whose parent is 1)
    done
    kill $sshd_pid                        # tear down this session's sshd
    #ps -fp $sshd_pid|mailx -s test ralph.grothe@our-rotten.com
fi
On the ssh client side I generated a new DSA key (you may as well use RSA as cipher, I cling to DSA for patent reasons) under the account that needs to run nothing but root commands on the sshd server that I prepared above.
$ ssh-keygen -t dsa -b 1024 -N "" -f .ssh/id_dsa_root_gouda
I saved it to a separate file so as not to confuse it with my other keys.
Then I edited the public key of this pair and prepended the following options to that key
$ sed 's/^\(.*\) ssh-dss.*/\1/' .ssh/id_dsa_root_gouda.pub
environment="KICKOUT_GRACE=1",command="/usr/bin/hostname && /usr/bin/uptime"
I then copied this public key file to gouda and appended it to root's authorized_keys
$ ssh root@gouda cat \>\>.ssh/authorized_keys < .ssh/id_dsa_root_gouda.pub
Now whoever tries an ssh login or remote command without possessing the specially prepared DSA key gets kicked out.
But when I use this key I can run the commands specified in the command options.
e.g.
$ ssh root@gouda hostname\;who
Password:
Connection to gouda closed by remote host.
From another host
# ssh gouda
Password:
Last login: Fri Jan 21 15:15:07 2005 from themis.srz.lit.
Connection to gouda closed by remote host.
Connection to gouda closed.
But using the DSA key
$ ssh root@gouda -i .ssh/id_dsa_root_gouda
gouda
3:18pm up 74 days, 18:04, 4 users, load average: 0.55, 0.58, 0.60
Connection to gouda closed.
If you are sick of specifying the DSA key each time on the command line you could as well place it in the client's personal ssh config file.
e.g.
$ cat .ssh/config
Host gouda
User root
IdentityFile ~/.ssh/id_dsa_root_gouda
Host *
Protocol 2,1
IdentityFile ~/.ssh/saz_id_rsa
IdentityFile ~/.ssh/saz_id_dsa
IdentityFile ~/.ssh/saz_identity
User saz
Note: place default options in a general Host match (*) at the end of this file.
Then all I need to do is
$ ssh gouda
gouda
3:22pm up 74 days, 18:08, 4 users, load average: 0.55, 0.57, 0.59
Connection to gouda closed.
I bet there are more tricks in stock.
Go and read man sshd, sshd_config, ssh
01-21-2005 01:39 AM
Re: Deny ssh root logins, but allow ssh remote commands?
The distribution of the new key's pub file of course needs to be done before the rc script in ~root/.ssh on the sshd server is in place.
Otherwise it would be too late to get the ssh command through ;-)
01-21-2005 01:43 AM
Re: Deny ssh root logins, but allow ssh remote commands?
I must have misunderstood something somewhere along the line. I've seen that man page, but I thought "...but only if the command option has been specified" meant that ssh had to be called with a command, i.e. "ssh
Are you saying that the command has to be specified in the authorized_keys file? How many commands can go in there? I'm using dozens of them in my scripts.
Andrew & Anil: These are the sort of commands I'm using:
uname -a
model
uptime
who -b
bdf
lanscan
ifconfig (on all interfaces found)
netstat -rn
netstat -in
ioscan
diskinfo (one on each disk found)
cat (various system, config & startup files)
grep (various strings in various log files)
tail (various logs)
vgdisplay -v
lvdisplay (on all LV's found)
lvlnboot -v
ls (to find devices)
sysdef
ps -ef
who -u
swlist -R
plogins
...
The list goes on. All basic stuff, but maintaining such a list (I have been known to "tweak" the scripts) in authorized_keys on all of our servers could be problematic. Also, I would rather not have to keep changing authorized_keys, as checking its datestamp & checksum is one of the enhancements I had planned for the monitoring script.
01-21-2005 02:13 AM
Re: Deny ssh root logins, but allow ssh remote commands?
I've only ever experimented with having a single command per key, however as I said in my earlier answer, you could write a wrapper script that displays a list of valid choices via a menu when you login with the key, and this would give a captive root user.
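A forced-command wrapper of the kind suggested here, written as an added example (it is not code from the thread): one key, one command= entry, and the wrapper decides from SSH_ORIGINAL_COMMAND which of the inventory commands listed above it will run, so the list lives in the script rather than in authorized_keys. The install path /usr/local/sbin/admin-wrapper is an assumption, as is the from= host in the comment (the OP's admin server name is used); it goes with "PermitRootLogin forced-commands-only" in sshd_config.

```shell
#!/usr/bin/sh
# admin-wrapper (example, not from the thread): forced command for root's SSH key.
# Referenced from ~root/.ssh/authorized_keys on each managed host, e.g. (one line):
#   from="choprd12",command="/usr/local/sbin/admin-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAA... gmb@manager
# sshd puts what the client asked to run into SSH_ORIGINAL_COMMAND; it is never handed to a shell.

ok_chars='A-Za-z0-9._/:= -'       # the only characters a request may contain

# Refuse shell metacharacters, quotes and "..": the wrapper must not behave like a shell.
safe_chars() {
    case "$1" in
        *[!$ok_chars]*|*..*) return 1 ;;
    esac
    return 0
}

# Allowlist on the split words ("$@"): exact commands, or one argument of a known shape.
allowed() {
    case "$*" in
        "uname -a"|model|uptime|"who -b"|"who -u"|bdf|lanscan|ioscan|sysdef|\
        "netstat -rn"|"netstat -in"|"vgdisplay -v"|"lvlnboot -v"|"ps -ef"|"swlist -R")
            return 0 ;;
    esac
    [ $# -eq 2 ] || return 1          # everything below takes exactly one argument
    case "$1 $2" in
        "ifconfig lan"[0-9]*)              return 0 ;;  # one interface
        "diskinfo /dev/rdsk/c"[0-9]*)      return 0 ;;  # one raw disk device
        "lvdisplay /dev/vg"*)              return 0 ;;  # one logical volume
        "cat /etc/rc.config.d/"[A-Za-z]*)  return 0 ;;  # startup config files only
        "cat /etc/fstab"|"cat /etc/hosts") return 0 ;;
    esac
    return 1
}

# Entry point for sshd: exec the request directly (no shell), or log and refuse it.
dispatch() {
    req=$1
    PATH=/usr/bin:/usr/sbin:/sbin; export PATH
    if [ -z "$req" ]; then
        echo "admin-wrapper: interactive root login not permitted" >&2; return 1
    fi
    if safe_chars "$req"; then
        set -f                        # split into words without pathname expansion
        set -- $req
        set +f
        if allowed "$@"; then
            logger -p auth.info -t admin-wrapper "root ran: $*" 2>/dev/null
            exec "$@"
        fi
    fi
    logger -p auth.warning -t admin-wrapper "refused: $req" 2>/dev/null
    echo "admin-wrapper: command not permitted" >&2
    return 1
}

# Act only when sshd invoked us (it sets SSH_CONNECTION); otherwise just define the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    dispatch "${SSH_ORIGINAL_COMMAND:-}"; exit 1   # dispatch only returns on refusal
fi
```

Because authorized_keys then never changes, its datestamp and checksum can still be monitored; the wrapper itself should be root-owned, mode 0755, and checksummed the same way.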
01-21-2005 02:22 AM
Re: Deny ssh root logins, but allow ssh remote commands?
Wow! you must have typed all that while I was typing my last post, as I just saw it. There's a lot in there to wrap my head around, so I'll have to try it out and get back to you later.
01-21-2005 02:40 AM
Re: Deny ssh root logins, but allow ssh remote commands?
It looks like you've been trying to tell me the same thing as Ralph - sorry for not seeing that earlier.
I suspect I'll find that ssh won't let me do exactly what I want, but I've just realised that if this is the case, I could still run my scripts locally, then use ssh with forced-command-only to scp the output files back to the admin host.
I'll let you all know how I get on, and give credit where it's due.
Thanks for all your help!
01-21-2005 03:11 AM
Re: Deny ssh root logins, but allow ssh remote commands?
that was pretty idiotic by me trying to "reinvent" things.
I simply overlooked the other possible values for PermitRootLogin
(because I was referring to man sshd instead of man sshd_config)
Now having read man sshd_config I see that setting PermitRootLogin to forced-commands-only seems what you require.
Sorry for the waste of bandwidth (but at least it worked ;-)