Security :: Centralized Authorized_keys (AuthorizedKeysFile) For Sshd

Mar 9, 2010

I have a RHEL server with users logging in via ssh. I want to start using public keys instead of passwords with ssh. But a public key is as good as a rotten tomato if it is unpassphrased, and I cannot guarantee that all users will use passphrases. Therefore I will generate both the private and public key on the server and will distribute the private key to the user via a user-friendly web interface, and that's where I will force them to use a passphrase. I know they can later change the passphrase or remove it totally, but my users are not so advanced.

So now I am trying to set up a centralized authorized_keys file, to be able to make it root-writable only so they cannot put their own public keys on the server; it will be handled by scripts. Now the actual problem. I created the /etc/ssh/keys directory instead of ~/.ssh and changed AuthorizedKeysFile to /etc/ssh/keys/%u in sshd_config. But when I try to connect with the key I get the following error in the logs (after enabling DEBUG3 in sshd_config):

<CUT>
Mar 8 15:22:28 stagesmpp sshd[12248]: debug3: mm_request_receive entering
Mar 8 15:22:29 stagesmpp sshd[22358]: debug2: channel 0: rcvd adjust 33544
Mar 8 15:22:30 stagesmpp sshd[12248]: debug3: monitor_read: checking request 20

[code]...


Security :: Mounting Centralized NAS Server With NFS?

Mar 24, 2011

- we have a bunch of linux servers.

- lots of users work with linux Desktops. They use them as testing servers.

- All the infrastructure has the authentication services linked by Quest Auth Services against an AD. This gives us the option of logon scripts, startup scripts, and other things.

- One interesting option this Quest thing gives us is sudo management. We can edit the sudoers file by GPO policies.

- Now we are deploying a NAS server from Hitachi with cifs and NFS mapping capabilities.

- Servers are managed by IT, so nobody can go root except us.

- Desktop users will also mount the NFS shares so they will be able to work with real data and read their own data from servers.

- Desktop users can go sudo su.

- If desktop users go from root to another user, NFS lets them work as if they were the other user.

I would like to keep them from switching users, but only between AD users; they must be able to switch to the apache user or postgres user.


Fedora Security :: Sshd With Both Certificate AND Password After Each Other?

Mar 9, 2011

I want to enable sshd from the Internet, but I want to secure it as much as possible. Therefore, despite the fact that the service will run on a TCP port above 2000 to prevent most scans, I would like to: first, force the use of a client certificate, to avoid brute-force attacks on my users/passwords; second, force the use of a username/password to avoid someone having access to my system just by stealing my key. When I look at the configuration, it's possible to enable both, but one of them is sufficient to log in, and I can't find how to make them both mandatory...


Security :: IP Blacklist(s) For SSHD Access Control

Nov 4, 2010

Quick explanation about what this thread is: by way of an article featured on linuxtoday, I learned about what appears to be an actively managed IP blacklist: [URL]

# This is a compiled list of dirty hosts associated with
# bruteforcing attempts, spam, botnets, RBN and the list
# continues to grow. The data is comprised of information
# compiled from Arbor Networks, Project Honeypot, FIRE
# (maliciousnetwork.org), Host Exploit, Shadowserver and
# a variety of other similarly based sites.

Quick explanation about what this thread is not: this is not intended to be a discussion about default deny vs. default allow (i.e. whitelists vs. blacklists), nor is this a call for enumerations of your own sshd hardening strategy. Please try to keep on point. That said, can anyone speak to the quality of the blacklist information noted above? And/or are there any suggestions for a readily available blacklist of "known better" quality? I plan to try including an actively maintained blacklist like this into a multi-layered approach for hardening an sshd bastion host.


Security :: SSHD Warning - Using Fixed Modulus?

May 11, 2011

I am running a fresh installation of a RHEL 6 box and it shipped with OpenSSH 5.3. But the /etc/ssh/moduli file doesn't exist even in this new installation, and the SSH log warns as below:

WARNING: /etc/ssh/moduli does not exist, using fixed modulus

Does this imply that it is using the same random number for key exchange purposes? Also, does it impose any security risks?


Fedora Security :: Sshd Reverse The Tunnel Info?

Feb 18, 2011

I have an sshd server up and running (F13 64-bit). I'd like to connect to a PC that's behind a firewall using ssh tunnelling, so I have something like

ssh -R 1234:127.0.0.1:22 myuser@mypc

then from mypc I can successfully log in to the remote PC. I have just one question. How can I list the active ssh connections and the forwarded ports?

I've only got to

netstat -tunva

but this returns only (filtered)

tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 ::ffff:172.16.0.XXX:22 ::ffff:172.16.1.XXX:60744 ESTABLISHED

Now I know that the first is the tunnel end, but how can I connect the two lines if I don't know the port number (i.e. someone else establishes another tunnel)?


Ubuntu Security :: Sshd And Hosts.deny Not Always Observed?

Jan 18, 2010

I'm having trouble trying to understand this problem: my home server until yesterday had a public IP, staying on the network, with sshd running and all was fine; this evening I changed the IP, giving it a local LAN address, and what happened when I tried to connect to it by ssh? I got an error about "Connection closed by remote host". Google helped me find that it was related to the hosts.deny file, which actually contained the line

ALL:ALL

that I commented out, and all was fine. My question is: why was hosts.deny (which has never changed) observed only with the local IP? I tried to switch back to the public IP, leaving ALL:ALL in place, and it did connect without any problem.


Ubuntu Security :: Sshd Logs And Connection Ports ?

Feb 9, 2011

What is happening when I log in to my Ubuntu server machine via ssh and PuTTY? I'm trying to understand everything, primarily for securing my server.

I have specified the ssh server to listen on port 5525, and can login without a problem.

When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.

What is happening here and why is the logged connection a different port to the one specified in the config file?


Ubuntu Security :: SSHD Stopped Working After Reboot

Jun 11, 2011

I've been using ssh for a LONG time to connect my laptop to my desktop with no problems. I use a non-standard port (nnnnn) and keys. After a power outage that caused a shutdown and reboot, I can no longer ssh into the desktop. The only changes I've made are updates (laptop and desktop both running Ubuntu 10.04).

$ ssh -p nnnnn Desktop
ssh: connect to host Desktop port nnnnn: Connection refused
No messages are generated in any of the logs on Desktop!
$ /usr/sbin/sshd -T
port nnnnn
protocol 2
addressfamily any
listenaddress 0.0.0.0:12023
listenaddress [::]:12023 .....


Fedora Security :: SELinux Blocking Sshd Access To Shadow?

Mar 6, 2010

I'm trying to set up ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to log in from another machine using ssh, and the login is denied:

Code:

sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2

If I do a 'setenforce 0' I can log in and no error is logged.

Security :: Mapping Authorized Keys Entry To Sshd Process?

Dec 19, 2010

When a user that has an RSA public key set in the ~/.ssh/authorized_keys file logs in via ssh, an sshd process is started to handle the ssh session. Periodically we audit the authorized keys and remove them from the system and the authorized_keys file. This means the next login attempt will fail, which is fine. However, we need to terminate current ssh sessions in progress that use the RSA key. I have not been able to determine a way to map sshd processes with authorized_keys entries.


Security :: Running Sshd - Working Only Partially - Password Not Accepted

Mar 28, 2010

Quote:

Code:

I've used these commands to generate my new keys and immediately got my sshd server running.

However, I now have the problem where the password is not being recognized and is repeatedly asked for.


Fedora Security :: Selinux Policy Blocking Outbound Ports For Sshd

May 25, 2011

Tried Google and searching this forum to no avail. Under Fedora 14, there is an SELinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.

While I did manage to allow this to happen by creating a permissive domain for sshd with this command:

Code:

The preferred way would be to allow sshd to make connections on other ports with a similar command, which does not seem to work:

Code:

Is this the correct way of allowing an outbound port connection for the sshd daemon?


Security :: Ssh - Sshd Parameter To Set To Block Out User After Number Of Attempts To Login?

Apr 28, 2011

Is there an ssh or sshd parameter that can be set to block out a user after a set number of attempts to log in?

Security :: Sshd Not Working Properly / System Has Only One User (root) Without Password?

Aug 10, 2010

I have a problem with the sshd daemon on a target Linux system: the system has only one user (root) without a password. The sshd_config looks like:

Code:
Port 22
Protocol 2

[code]...


General :: Possible To 'include' A Global SSH Authorized_keys File?

Apr 22, 2010

Is it possible to 'include' a global SSH authorized_keys file?

For example, I have user accounts user1, user2, user3 and my user name is Benjamin. I want to be able to use my ssh key to authenticate as each of these users. I can manually copy my key to each .ssh/authorized_keys file individually, but is there a way to simply include /home/Benjamin/.ssh/global_authorized_keys in each of these users' authorized_keys files without manually adding and removing?

General :: Make Shared Keys .ssh/authorized_keys And Sudo Work Together?

Jul 15, 2010

I've set up the .ssh/authorized_keys and am able to log in with the new "user" using the pub/private key ... I have also added "user" to the sudoers list ... the problem I have now is when I try to execute a sudo command, something simple like:

$ sudo cd /root

it will prompt me for my password, which I enter, but it doesn't work (I am using the private key password I set). Also, I've disabled the user's password using

$ passwd -l user

I am trying to harden my system ... the ultimate goal is to use pub/private keys to do logins versus simple password authentication. I've figured out how to set all that up via the authorized_keys file. Additionally I will ultimately prevent server logins through the root account. But before I do that I need sudo to work for a second user (the user which I will be logging into the system with all the time).

For this second user I want to prevent regular password logins and force only pub/private key logins; if I don't lock the user via passwd -l user ... then if I don't use a key, I can still get into the server with a regular password. But more importantly I need to get sudo to work with a pub/private key setup with a user whose password has been disabled.

1) I've adjusted /etc/ssh/sshd_config and set PasswordAuthentication no. This will prevent ssh password logins (be sure to have a working public/private key setup prior to doing this).

2) I've adjusted the sudoers list visudo and added

root ALL=(ALL) ALL
dimas ALL=(ALL) NOPASSWD: ALL

3) root is the only user account that will have a password. I am testing with two user accounts "dimas" and "sherry" which do not have a password set (passwords are blank, passwd -d user).

The above essentially prevents everyone from logging into the system with passwords (a public/private key must be set up). Additionally, users in the sudoers list have admin abilities. They can also su to different accounts. So basically "dimas" can sudo su sherry; however, "dimas" can NOT do su sherry. Similarly, any user NOT in the sudoers list can NOT do su user or sudo su user.

Debian :: Openssh-server Doesn't Check Into "authorized_keys" File

Jul 22, 2010

I have two Debian 5 servers which are both running the same version of OpenSSH (5.1p1) and OpenSSL (0.9.8g).

One week ago, I set ssh keys on both of them and created the file "authorized_keys". I was able to connect to each server via SSH without a password (which is the purpose of ssh keys), but I had an issue with the SSH service and I had to restart one of my servers. And since that time, when I try to connect to my other server with the same ssh command, the command asks me to type the password...

This is the result of the ssh command (with the argument -v):

Code:
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to MY_SERVER [1.2.3.4] port 22.
debug1: Connection established.

[Code]....


Software :: Centralized Log Server With Web Gui?

Sep 24, 2010

I want to set up a centralized log server, and I have several requisites:

1. The ability to view multiple log files via a web interface or browser.

2. The server's ability to send e-mails to the administrators when a critical condition occurs within the log files.

The logcheck application seems like a good start. However, it does not have a web GUI, so I was wondering if anyone can recommend a program that either works with logcheck or has the above two requisites on its own.

General :: Is NIS Okay For A Centralized Working Environment

Jan 18, 2010

I am working for a web hosting company. We work in a Red Hat Linux environment and the employees at present have their data stored in individual systems. We wish to have a centralized environment, so that users can log in to a server with their user names irrespective of the systems they will use. Also, this could facilitate easy backup. We have about 70 systems, 90% Linux machines. The number will grow in future. I am good with NIS, but not at all with LDAP. Is it okay if I suggest NIS?

Software :: Centralized Syslog In Solaris 10

Jun 21, 2011

I want to implement a centralized syslog server for my Linux servers in order to log successful and failed logins. But still I couldn't get the authentication messages.

Debian :: Internet And Firewall - Centralized System ?

Jul 17, 2010

We have a setup of around 10 computers with 1 Linux server... We want to convert it into a centralized system where firewall services are activated from the Linux server and certain websites are restricted from access for the workstations.. Is there any good software for this.. open source preferably... I'm already using Debian for the web server and file server....

OpenSUSE Network :: Centralized Address Book

Oct 14, 2010

I would like to build a centralized address book for my SOHO server. Is that possible without the use of OpenLDAP (I would like to avoid that)? My clients will be: Thunderbird, KMail (for KDE 3.5) and webmail. If so, do you have any suggestions/HOWTOs?

Networking :: Centralized Authentication For Existing Network ?

Apr 29, 2010

This is what I have... An existing network with about 2 dozen Linux servers, varied distros, and about 3 dozen workstations, the vast majority of which are Windows XP pro, but there is one Windows Vista business, two Ubuntu, one Mac, and soon to be a Windows 7 pro. User accounts vary across all servers. There are 4 samba servers hosting different file shares.

This is what I need to do... I must centralize the user password database for all workstations if possible, if not, at least for all the windows workstations. I also need the user passwords for the samba file shares to be synchronized with those of the workstations. I need to have the workstation/file-share passwords expire every 90 days. I also must centralize the user passwords for all Linux Servers, but this can be done separately and I know there are tools like Kerberos available for this.

Is this possible to do with so many user accounts already existing in so many different places on the network, or would this "centralized authentication" require new user accounts to be created across the network?

If this is possible, what tools/services are the easiest and fastest to set this up with? As usual, I have an urgent deadline looming over me for this project and am trying as hard as I can to avoid the company slipping back into the realm of M$ or other proprietary software to accomplish this. Keep in mind, I don't need any additional services, such as roaming profiles, or anything like that. I really just need a centralized password database that can be referenced by Windows, and the Samba file shares.


Server :: Centralized Management For Squid And Dansguardian?

Mar 18, 2011

I have around 9 squid proxy servers and am going to deploy DansGuardian on all of them. But I feel managing each individual copy/server would be a tedious job, hence please let me know if anyone is aware of a centralized management solution for Squid+DansGuardian. Or if not, let me know if you are aware of any other such open source product.

Server :: Run A Homeserver Here For Centralized Data Storage?

Oct 8, 2010

I want to run a home server here for centralized data storage and more... features required:

client compatibility with most Linux distributions, MS Windows 2000, XP, Vista, 7, XBOX!
harddisk shutdown if not in use (got some real noisy ones)
easy administration?! (maybe web-based?)
security! no files or folders over the internet (yet)

[code]....


CentOS 5 :: Centralized Logins And Group Management?

Jul 23, 2009

I have to set up a box which can manage all the logins in our company and has the feature to manage every possible permission with as much comfort as possible. We are using Linux and AIX, therefore my boss is willing to switch from our Windows DC to a Linux DC. And here lies the problem: I don't really know what is needed to set the box up to manage the Unix, Samba and LDAP accounts, with one tool maybe?

I would like to know which software exactly is needed and how to get the thing to work together with a security aspect. I configured a Samba DC with LDAP, Kerberos and TLS, but it looks like I overdid it, because Kerberos is not able to manage the things we need in a manner that the other admins in my company could get things done in a short time.

Therefore I would like to get a list of all the software needed and maybe some HOWTOs on how to get things working, because I am losing my nerves on this matter.
In the last 3 weeks I have set up several test boxes, but every time something doesn't work. My biggest problem is to get Samba and LDAP to work together with TLS or another security scenario.

Fedora Servers :: Samba And OpenLDAP Centralized Authentication

Aug 27, 2011

Some time ago I was trying to implement a PDC Linux server with Samba and OpenLDAP for centralized authentication for Windows and Linux clients, but I can NOT get it. So I read somewhere that there is another option called Directory Server and maybe that is possible to do. According to your experience, do you recommend any 'how to' or 'tutorial' that will permit implementing a PDC server for authenticating and sharing files and printers for Windows and Linux clients?

Ubuntu Servers :: Syslogng Installation For Centralized Logging

Jan 29, 2010

I need to centralize the logging of several machines on one machine with syslog-ng. I'm currently using fail2ban for security enhancement and logwatch for log reports, which are based on the log files on each machine. Is it possible to keep local logging for fail2ban and logwatch (logwatch can be dropped, but not fail2ban)? One other need is to move old logs to an FTP site for archiving, as in France we have to keep one year of logs.

Another thing I've seen is that logging can go to a MySQL database instead of the filesystem, which allows some nice features such as a web frontend and search capabilities. How is it compatible with the FTP save?

General :: Centralized Authentication Fedora/ubuntu/win7?

Jun 14, 2011

Is it possible/advisable to have centralized authentication across fedora 14, ubuntu 10.04, and win7 machines? I'm attempting to use 389 Directory Server on Fedora as the repository and not getting very far.

Copyrights 2005-15 www.BigResource.com, All rights reserved