HPE Community
Operating System - HP-UX
1755691 Members
3344 Online
108837 Solutions
New Discussion юеВ

Deny ssh root logins, but allow ssh remote commands?

 
SOLVED
Go to solution
Gordon Morrison_1
Regular Advisor

тАО01-19-2005 03:13 AM

тАО01-19-2005 03:13 AM

Deny ssh root logins, but allow ssh remote commands?

I know this is a tall order, but max points to anyone who can help.

/etc/securetty will prevent telnet logins as root, if it contains the line "console" and nothing else, but this does NOT prevent root remsh commands if /.rhosts is set up to allow it.

I want to know if the same type of thing is possible using ssh:
I want to deny root logins, but I want to allow remote ssh commands to be run as root (preferably only from one particular central admin server, if possible)
I am in the process of devising a plan to beef up security on our HP-UX systems, and I want to disable root logins, thus forcing people to login as themselves, then use su if/when they need root permissions, so we have an audit trail.
But I also want to run various scripts (on a central server) that collect info from all the others, both for monitoring purposes, and to collect up-to-date configuration info in case of disaster.
I know that setting "PermitRootLogin no" in sshd_config will prevent root logins, but it also prevents remote commands from my scripts.

It would be acceptable to permit root logins only from the central admin server (and the console, obviously). All systems are running HP-UX

Thanks in anticipation.
What does this button do?
0 Kudos
26 REPLIES 26
Rick Garland
Honored Contributor

тАО01-19-2005 03:30 AM

тАО01-19-2005 03:30 AM

Re: Deny ssh root logins, but allow ssh remote commands?

I had asked a similar question just a little while ago. The answer I got was to set authorizations for another user.

Example, root can scp files to another system but will login as the other user in the SSH utility. PermitRootLogin no works on the scp, sftp, and other SSH utilities as well. Been trying to play with .shosts as well to no avail.

0 Kudos
Florian Heigl (new acc)
Honored Contributor

тАО01-19-2005 03:50 AM

тАО01-19-2005 03:50 AM

Re: Deny ssh root logins, but allow ssh remote commands?

IF I am right, You can use the ssh authorized_keys file to set additional parameters but I never found a good documentation to that. Still, this might be the way to go if I had to.
Just get everybody to use certificates (even putty handles them) and disable password-based logins.

Unless somebody knows how to do it. It would be great if ;)
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Chris Vail
Honored Contributor

тАО01-19-2005 06:37 AM

тАО01-19-2005 06:37 AM

Re: Deny ssh root logins, but allow ssh remote commands?

AFAIK, there's no direct way around your problem. If you set PermitRootLogin=no, then root will not be able to login using ssh in any way, shape or form. Also blocked will be scp and sftp. You're better off with your second idea, which is to authenticate root sessions only from a central server or "god box".

Attached is my usual document on how to do this.

Chris
0 Kudos
Mark Nieuwboer
Esteemed Contributor

тАО01-19-2005 05:53 PM

тАО01-19-2005 05:53 PM

Re: Deny ssh root logins, but allow ssh remote commands?

To prevent root logins we use /etc/not_loginable in this file we put all system users. futher more you can use /var/adm/inetd.sec to allow or deny services see the manpages.
this is een example how inetd.sec looks by us
login deny
shell deny
exec deny
registrar allow xx.xxx.xx.xx
ftp allow xx.xx.xx.xxx\
xx.xx.xx.xxx\
now you can leave the entry in the sshd_config.
0 Kudos
Andrew Cowan
Honored Contributor

тАО01-19-2005 09:35 PM

тАО01-19-2005 09:35 PM

Re: Deny ssh root logins, but allow ssh remote commands?

You can use ssh captive logins with keys. Its a bit difficult to maintain so instead of having individual commands you can use a key to activate a script that has a list of valid commands that it will execute. The format of the authorized_key file is as follows:

command="/usr/bin/bart create -r -" ssh-dss AAAAB3NzaC1kc3MAAACBAJ6zG8SJtQVi/Et OugyktNssLVofLmUepqsh712+D1AObTwRWZwjSH4hE423U3AcfY99u9ZxsdJ0sEpqnnvXmKaym7pMgk NxMCPoPcnf4mAIcx9IQkpotAiCbCQ+My5lFD4iW4Nxjqh6KwIecEaABcpg2x5nhaX8Bsx0XURO/f+jA AAAFQCD6dOAM1JunvUeCWNpXoB6tLyLewAAAIAXya1UPijNFIjymsJ0gjQXyCgll8/tORHy2vrloH7v gh9RJ9YNRWSZZjyRvLlKTd4KFIfcjT43WlVWJKa/A7l14DGntoTS+dRh4MohJXdUjYMvV+OODc1j8V2 p+JWbbHlqDxa+zAuFEskoWNPmBrTnbLNzamIPnQ7ZaqWsbWuePQAAAIEAmqlCaMfuFYWlvDHeak79Fm xHJjRLqmvRwlPPtkW8XDuF8wn8lj/+glWWY6/VJVtbfgteZLweotdM2wvdfXNqROiU9vvlylOdv29iA DxsSlPGSrjXkbkNGQXMHTgPQmfbDhmtpnM6occl2R+J8dpDT59zWV7+egNZ0TTV8GNnmng= gmb@manager

For more details see: http://www.securitydocs.com/library/2649
0 Kudos
Gordon Morrison_1
Regular Advisor

тАО01-19-2005 10:18 PM

тАО01-19-2005 10:18 PM

Re: Deny ssh root logins, but allow ssh remote commands?

Thanks for all the replies, but I think I should clarify:

I have already set up ssh with and authorized_keys file on a couple of test systems, to allow passwordless logins from the admin server, and I run daily/weekly scripts on the admin server which execute remote remsh/ssh commands on all servers to collect system info for monitoring purposes, and also to keep a historical record of configurations for DR purposes. Some of these commands must be run under root.
I want to keep using these scripts after we convert all systems to ssh and disable inetd, but I do NOT want anyone to login directly as root (not even with a password) from any other place except the console. If there's no other way, it would be acceptible to allow root logins from the admin server as well, but not from anywhere else, even with a password.

Is there a way to either:
1) Block all root logins, but specify 1 or more exceptions, where root CAN login from?
2) Create a "blacklist" (hopefully allowing wildcards) to specify where root CANNOT login from?

Thanks
What does this button do?
0 Kudos
RAC_1
Honored Contributor

тАО01-19-2005 10:25 PM

тАО01-19-2005 10:25 PM

Re: Deny ssh root logins, but allow ssh remote commands?

tcp wrappers. If you have hp ssh version installed, it has tcp wrappers built into it.

The following test will check that. Prepare the /etc/hosts.deny as follows

ALL:ALL

(the first is the service name and second is the host/nw etc.)

Now, try to telnet/ssh and it will not work.
This will confirm that tcp wrappers is in built. Then prepare the /etc/hosts.allow file to allow logins from selective hosts/networks.
Also set sshd to start from inetd.conf.

Anil
There is no substitute to HARDWORK
0 Kudos
Andrew Cowan
Honored Contributor

тАО01-19-2005 10:45 PM

тАО01-19-2005 10:45 PM

Re: Deny ssh root logins, but allow ssh remote commands?

You can use my captive command keys to run the command/scripts.

If you create a different key for root and just distribute that to the admin server then only that server has interactive access via this key. Set the key options to "rootlogin = keyonly" to deny passwd login. Finally distribute a separate root key and then make it captive so that it only runs your scripts.

sshd_config has variables for limiting hosts, users, and groups.
0 Kudos
Gordon Morrison_1
Regular Advisor

тАО01-19-2005 10:56 PM

тАО01-19-2005 10:56 PM

Re: Deny ssh root logins, but allow ssh remote commands?

Thanks Anil, that's a step in the right direction (I didn't realise TCP-Wrappers was built-in to HP-UX SSH, and didn't realise that ssh used hosts.allow or hosts.deny)
Unfortunately, specifying ALL:ALL in /etc/hosts.deny denies ALL users from logging in - not just root, no matter what's in hosts.allow.
I can't find a man page for hosts.allow or hosts.deny, and man hosts just covers /etc/hosts.
Is there a way to specify individual users in /etc/hosts.deny?
I tried a blank hosts.deny file, and just the admin server in /etc/hosts.allow, but that lets me in from other hosts as well.

Also, you say that the format of these files is HOST:NETWORK
Does specifying a network mean that users on any host on that network can login? Can I just specify 1 host that root can login from, and allow other users to login from anywhere?
What does this button do?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.