Security :: NIS Password Mapping - Allow User "techsupport1" To Access Web Server?
May 19, 2010
I have a NIS server and a web server as a client. I have a regular linux user (without root privileges) "techsupport1" on NIS server.
On the client web server, I have root user, and my clients. Now what I want to achieve is, allow my user "techsupport1" to access the web server, but instead of logging in using root user, I'd like the client to use username "techsupport1", but in the same time, give that user root privileges on the web server (client). The reason, is that I have more than one user who need to manage the web server (client), so I want to be able to clearly see in the bash_history, who has been running what commands. right now, when I login as a techsupport user to the web server (client) from my NIS server
[code]...
I don't have root privileges, also my gid is matching to gid of a customer who has the same 517 on the web server. How can I configure, so when a tech support agent 1, logs in to web server, NIS grants root privileges, but keeps the techsupport username?
My goal is this: Allow a user to connect to a server via SSH with any login name or password without checking to see if that account exists on that server. Their account would be captured by a universal account say, 'generic_user', and then they would be directed to one of my python scripts with the username and password they supplied for initial login. At this point my script would capture their SSHD process ID and allow/deny their existence based upon a MySQL/Subscription check.
The part I'm having trouble with is with PAM and allowing the user to login with any credentials and be successfully authenticated under the generic account. Beyond that, everything is great.
I have got a RHEL 5.6 server configured to authenticate via a Windows 2008 domain controller via LDAPS.Everything is working fine, except from the following: When I create a new user in Active directory and check the option "user must change password at next logon", the new user cannot logon and gets an "access denied" message. In /var/log/secure, I find the following:
Mar 1 14:43:21 cpssvn10 sshd[5363]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.12 user=testuser2 Mar 1 14:43:21 cpssvn10 sshd[5363]: pam_ldap: error trying to bind as user "CN=CPSS Testuser 2,OU=IBM,DC=cpss,DC=smarterplatform,DC=com" (Invalid credentials) Mar 1 14:43:23 cpssvn10 sshd[5363]: Failed password for testuser2 from 192.168.3.12 port 4583 ssh2
As soon as I uncheck the "user must change ..." option, the user can log on without problems. Also password change via the passwd command works.
I set up a servber on my local machine, & also PHp - Both working fine.I'm trying to load up MYSQL i have installed it, & *can* start/stop the server. however if I do anything else with it, I get this error :-
Quote:
root@gordon-desktop:~# sudo mysqladmin -u root -h localhost password MYPASSWORD mysqladmin: connect to server at 'localhost' failed error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Query :-
1) How do I know MYSQL is actually active ? (apart from the message it says that its statrted (or stopped).
2) Is there a way to
a) Find out the usernames that are recorded on the MYSQL server ? b) set / RESET the 'root' username (I know MYSQL root user is different to PC root user) c) anything else I can do on the PHP / website code to see if MYSQL is working
(as yet, no tables / databases etc have been set up - as I can't get past this error message - I get the same error when setting up a database.)
Ps I did allow my usermname (when logged in to ubuntu) to edit / create files in the /usr/www/ directory (but it is still OWNED by 'root' - that directory)
So I have a few Ubuntu (Hardy till I can find a replacement for Xen) boxes that I am trying move from nfs3 to nfs4.I set it up according to this guide: URL...However I ran into trouble when the client see's all users/groups as nobody/nogroup.The current set up is that all the boxes have synced uids/gids and all users with root access can be trusted. I read some reports that said the only way this could be fixed was by using Kerberos. However I would really prefer not having to move to Kerberos as I have heard that it is very intensive to set up. So what I am looking for here is a solution other than sticking with nfs3 or putting everything on Kerberos. However if you think that Kerberos is easier to set up than I am giving it credit for then that could be useful to hear as well.
I want to do setting in RHEL5 such that user should able to change his password only once in a day.I have changed the fourth field (i.e. minimum number of days to change) in in "/etc/shadow" file for "root" to "1". But its not working. I am able to change the password of "root" using "passwd" command.Any one can help me out on this issue
My bose ask me to convert a CentOS system password like "LMPQSMTE0nHlQ" to postfix MySQL MD5 Hased password, I find CentOS seems has 2 kinds of password form, one is shorter and the other is very long like"$1$C2MSk16n$WT5JWnzYH7XpCCjsiE2bd1", however I find postfix is exactly the later long one, so does any one know how to convert the short form to the later one
My daughter has forgotten her password on our desktop system. Note this is not the admin user (me) so I can sudo nautilus to recover her files. All info online seems to pertain to recovering administrators password is there any way of recovering a non admin password? Ubuntu 9.10 but about to be upgraded 10 10.
Stumped on this one. I'm trying to set up limited sudo authority on a desktop with some sensitive user data, and as an extra precaution I wanted to configure sudo to use a password other than the user's or the root's. I'm not sure how to do this. From the manual, we have a few options, such as "runaspw" or "targetpw", but none seem quite what I'm looking for.For instance, "runaspw" could be used if I created a user for nothing other than sudo(ing) purposes, but it requires you set "runas_default", which means that said user would have to have authority to execute said commands in the first place. This is workable, but seems like a lot of extra configuration for each specific command that I want to run, as well as creating some issues with simply commands such as "shutdown" or "reboot". Also, "targetpw" can be used in conjunction with a sudo(ing)-only user if I set an alias, but, again, this isn't quite what I am looking for.
Ultimately, what I am really concerned about in this situation are keystroke loggers, so I would prefer to avoid repeated entering the user or root password when performing administrative tasks. Also, I would prefer not having to create a sudo(ing)-only user as mentioned above to prevent a comprimised password resulting in an attacker being able to log into my system.
I am trying to give access to ONE single user to start and shutdown tomcat server. The problem being, when I enter syntax: username ALL= /etc/init.d/tomcat5, /usr/local/tomcat/webapps, PASSWD:ALL This gives the user access to start and stop tomcat but also gives user access to start and stop other services within /etc/init.d - such as httpd etc... What is the proper way to give user access to start and stop service, and limiting that power to only one service....
I have a problem with my fedora workstation.I am trying to change my ldap user password through passwd command.When I first create the user on ldap server, I use md5 and create the user password.This is the entry:
I'm currently creating a simple sh file which will copy the contents of a certain directory to / directory. in my sh file:
Code:
cd "$DIR" for i in *.*; do sudo cp -iv "$i" "$DEST" done
but this requires user password. can i add the user password in my sh file? how? I'm trying to do this because I have an application to run the sh file and the application has no way to enter the password..
Second off, I'm trying to capture a user password on login (through gdm) such that I can re-use it for a service like Kerberos or AFS. The idea is that the user has to log in only once, and then I renew the tickets and tokens until they log out again. If there's a better way to do this
I have a dual boot machine and recently did a fresh install of 10.4. It no longer asks for a password to access the Windows partition and I full access to it. This seems insecure to me and was wondering if someone else came across this. I thought I saw this topic discussed before but I can not seem to find it now. Is this a bug or a new unpleasant feature?I don't think it makes a difference but I do have a separate encrypted home partition on this fresh install. I have also done two fresh installs. (Well three...once testing out KDE but didn't try the Win partition. )
I was wondering if there is any way in Linux in general and Fedora 13 in particular to configure system so that any service that needs access to internet will have to ask for password/permission to do so. So that I can
So I'm attempting to get my system to not require the root password while still requiring some form of authentication. My current issue is getting yast2 and its components to ask for the user's password and not the root's.
Is there a way to have these tools ask for user's password instead of root's?
Cannot seem to use my mysql password, keep getting the error "Access denied for user 'root'@'localhost' (using password: YES)" So I tried checking my password using mysql -u root -p and I get the same error as above. I've tried accessing mysql with skip grant tables disabling the need for a password so I could reset my root password. After going through the necessary steps I still get the error above when typing my password in for mysql.
I have a problem with my ubuntu account. I am running 4 virtual machines, based on jeos-8.04 and I am using a public key authentication to login to my account (via ssh). This is not the problem, I have the key and the passphrase. But when I am logged in, I can't sudo, because I forgot the password for the accout.
I remember my password very well and have no need of password recovery. Everywhere I look it's how to recover and I don't want that. The kind where you boot into root recovery console to change the password.
I would like to use a wireless network, I type in the correct password but suddenly a new window pops up saying: 'an application wants to access to the keyring 'Vorgabe', but its is locked password:'
But I don't know what password it's talking about I went to Password and Encryption keys, there are two folders 'password: vorgabe' 'Password: login'
I have been reading guides for a while now and so far have not found an exact solution to my problem.
I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.
In the sudoers file
Code: User_Alias Patrol=dave,john root ALL=(ALL) ALL Patrol ALL=(patrol) NOPSSWD: ALL
After updating my system yesterday my laptop will no longer connect to my wifi connection, in fact the network manager doesn't appear on the screen. I cant access super user even with the correct password. Some programs fail to load e.g. hardware drivers.I'm online now using my ethernet cable. I cant update grub due to errors in etc/grub.d/README.I'm logged in as root now instead of my own user account.
I have a new CentOS server install. I am trying to connect from a windows xp box using putty ssh. I can get as far as putting in the password for root user and then it tells me access denied.
May i ask if how or should i concern about my history records my rdesktop full cmd. I dont want to disable my history in the cmd and want to use it.
Im using rdesktop cmd since it more easy and direct to connect to a terminal RDP. I noticed the history records all my full command rdesktop which state the domain, user ,password. in txt mode..May i ask if this has any problem should i concern with..