Security :: Authentication - Use AD Sys Accounts To Logon To Servers
Mar 3, 2010
I want to use AD sys accounts to log on to Linux servers. What is the best and most secure way to do this? This is because we want to ensure it is traceable when a server administrator makes changes to a Linux server. Now we use root to make changes to the servers.
View 13 Replies
Jan 26, 2010
Our system is based on RH4 and is using pam_tally and faillog to record failed attempts and to lock users out after 5 attempts. We have a requirement to provide a normal (non-root) user logging onto our system, with information regarding the number of failed logon attempts made on their account before the current successful logon (similar to the functionality provided by HP Protect Tools on Windows). My first idea was to add 'faillog -u $USER' to the bashrc, however by the time the bashrc is run - the user has been successfully authenticated and the faillog has been reset back to zero.
View 5 Replies
Mar 5, 2010
After doing a partial yum update, configuring cyrus and installing splunk, my server box is not logging in to any of the users I have set up on it. To set up the cyrus server I used PAM authentication, so my assumption is it could be that or something with the splunk install, which I left default to /opt/. I'm running an old kernel, I think it's fc11 29 .pae. In my boot logs I don't see that anything failed to run, but it still doesn't let me log on.
View 2 Replies
Nov 12, 2010
I'm using postfix with unix accounts for a while now and I just realized today that SASL authentication, instead of working only with the USERNAME, it also works if the username is followed by ANYDOMAIN.COM
So, let's say I have the following UNIX users: tim, mike, john. If I set the Outgoing Username:[URL]..(where whatever.com can be any name you can think of) IT WORKS, even though it shouldn't, it should only work with tim, mike and john without any domain name. Does anyone know what might cause this and what's the workaround to this problem?
View 3 Replies
Jan 10, 2010
I want to configure SSH key-based authentication and SSH password authentication on the same machine for different users.
View 1 Replies
Jan 17, 2011
I need to make a choice on what authentication protocol I want to use for Authentication and Authorization. I was looking at Radius and then literature suggested that Diameter was a better protocol. Keep in mind I need this on a heterogeneous setup (Linux & Windows together). Diameter seemed like a good fit until I discovered that the open source code no longer seems to be maintained (C/C++).
I was also looking at Kerberos as an option, though there is a lot of overhead with the server. SSL/TLS or EAP? I am looking for simple but secure and am new at the security protocols.
View 2 Replies
Mar 14, 2011
On Ubuntu server 10.10, with a relay smtp server with authentication via postfix, I keep getting 535: Incorrect authentication data. I'm sure my username and password are correct. Here's how I set up postfix: I created a file called smarthosts.conf in my /etc/postfix/ directory that contains the following:
[Code].....
My server uses plain text authentication on port 25. I would like to use security like SSL, but this particular server is unsecured.
View 9 Replies
Feb 10, 2010
Is there any way to prevent a user from being able to log on at a machine (Terminal and XWindows) but allow that user to log on remotely using SSH? This user is for remote capture of logs only - on a private network (no internet access).
View 1 Replies
Aug 6, 2010
I think someone hacked my server and I'm wondering if it's possible to view the past user logons?
View 6 Replies
May 17, 2010
I have upgraded to Lucid, but was having the same issues on Karmic. I made a 2nd user acct we'll call X and we'll call the original acct Y. All of these issues only happened after creating X.
On X I have: sound. Things wrong with X: I don't have the ability to modify any folders (even ones that are made from X's acct), I can't change the password or even access the Users and Groups, I can't modify any browser settings in Firefox but can on Chromium, the option for wireless is completely gone.
On Y I have: the ability to access users and groups, the ability to modify all folders on either acct, the ability to change any settings on anything. Things wrong with Y: no sound (doesn't even show the driver, but the driver is there on X's acct), wireless is completely gone (just like X's acct), even though I can access Users and Groups I cannot modify anything about X's acct.
My first thought was to completely delete X since that's when all the problems began, but I'm afraid that since X seems to have "stolen" my sound card, that will be lost forever. I am also afraid that since neither account has wireless deleting X might hinder ever getting it back.
View 1 Replies
Apr 8, 2009
I have a Windows 2003 Active Directory and a dansguardian transparent web filter. I want dansguardian to filter according to who is logged on to the workstation. Is this possible?
View 2 Replies
Nov 24, 2010
there, I have installed 10.10 today and can't log on. I can type the username, but when I try to type the password nothing happens; the cursor blinks but no letters, characters or numbers work. The only key that appears to work is the enter key, so obviously I cannot enter a password and it times out after 60 seconds. What do I do? Is it the keyboard? This is on an older PC (not this one) that I was using Win XP on, and I got sick of the hassles with Windows.
Maybe I should reinstall without passwords?
View 1 Replies
Nov 25, 2009
All of these audit messages are from one su - and root password at a gnome-terminal. This started happening from some update from koji in the last 18 hrs or so. It takes 20-25 sec from su - to get the password prompt.
[Code]...
View 2 Replies
Mar 22, 2009
I have an encrypted /home partition but would like to set up a guest account for my brother. Obviously, encryption doesn't work so well when you give out the key so what I'd like to do is specify a different, unencrypted location as a home directory for the guest account so he doesn't need access to that partition. Is there a way of doing this?
I've got fedora 10, dual boot with windows, 2 hard drives, 1st is NTFS windows. 2nd is split into a swap, ext3 for the OS, and an encrypted partition for /home.
View 2 Replies
Nov 20, 2009
fedora 10 and I'm trying to set up some user accounts on a computer. My current problem is that we set up 2 root accounts and we need both to be able to authenticate. So far this works on the command line, but whenever I'm on the GUI it seems that it only allows root to give its password for things. How do I enable the second account to do that as well? As a note, I am doing this for someone else so I have little to no control over how this is set up, so please, I am not looking for reasons why this is not a good idea; I would just like to figure this out.
View 2 Replies
Feb 21, 2011
I am looking at creating two user accounts for "contract system admins". These guys will be performing sys admin duties for a server -- however, I am still concerned about security of data. For example, the server contains password information for our database, etc. Besides making them sign an NDA, etc., what other security mechanisms could I put in place to ensure that they don't just go buck wild? For example, when someone makes a sudo command, is this logged?
What are some recommendations for general security practices?
View 1 Replies
Sep 25, 2009
way to automate adding and removing users from 10 different Fedora 7 servers. We use them as print servers and our users have a user name and password to authenticate with when printing. We also use Samba to talk to a W2k3 server that tracks and charges the users for what they print. The setup was done by a vendor and after 6 months of being in production the scripts they created have flaws.
I need a way for a script to run as often as possible that will remove, change, or delete user accounts from the servers and from Samba. How to most effectively achieve this?
It would be ideal to have a file that gets written to when a change needs to be made, then a script to make these changes?
View 1 Replies
Jan 1, 2011
My Linux is Fedora release 13. I found there are a few users created not by me. I am not sure if the system got hacked somehow. Then the hackers created these users, i.e. (1) oracle, (2) exim, (3) test, (4) cox. I tried to delete all of these four users by using "usrdel" command but the system said "I cannot delete these users as the users are logging in". If my system got hacked ?? or these users are created by the system itself?
View 8 Replies
Sep 8, 2010
I recently received an email from a friend without a subject and just a link. Since we do that a lot, I clicked on it. I was taken to a website that looks like a phishing site and my computer hard drive started working feverishly. I closed it quickly.
First, I want you guys to be aware of this thing since it seems to be fairly new.
Second, I want to know if I have been compromised. I already changed the password on my gmail account and I accessed the site using Ubuntu and Firefox.
View 3 Replies
Nov 26, 2010
allow sftp access to my Ubuntu system (happens to be desktop as it's also my main system) using accounts that are not able to login normally. (I have already managed to create such accounts.) These accounts need to be chrooted (also already accomplished with the openssh daemon settings.) Where I run into problems is that I want to give them (read only) access to files outside the chroot (on another partition in fact) and the matter is made more difficult because the directories to be shared are on NTFS-3G partitions (as they are a shared Linux / Windows storage drive). Is this possible and if so, what do I need to do?
Edit - Forgot to include versions
Ubuntu 10.10
openssh 1.5.5p1-4ubuntu4 (the one that comes with 10.10)
View 9 Replies
Apr 5, 2010
I would like to restrict a few selected accounts to a minimum of 15-character passwords. Other accounts, however, should still be able to login with 8-character passwords. This is in RHEL 5. Does anyone know how to go about it? I have checked PAM documentation and pam_cracklib.so has an option minlen. As per its documentation, minlen can force users to use 15 characters, but it forces every account on the system. I might be wrong too.
View 5 Replies
Jun 8, 2010
I am trying to disable accounts after 5 unsuccessful login attempts. I am following the guidelines in this article:
[URL]
This is on an Oracle Enterprise 5.4 box, which is essentially RHEL 5.4. Here is what my /etc/pam.d/system-auth looks like:
--------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
[code]....
Unfortunately, the account does not seem to be locked or disabled. As root, running 'su test2 -c <some-command>' always successfully runs <some-command>, and leaves the failed attempt count at 6. /etc/shadow does not have an * or ! anywhere in the encrypted password for the 'test1' user.
What am I doing wrong? I thought that with the max attempts set to 0 in faillog, that the deny= parameter would be used. I thought I should be using su <user> -c <command> from the root account to test if the disable feature is working.
View 1 Replies
Feb 2, 2011
What security mechanisms are used by recent versions of the Linux operating system during user authentication?
View 3 Replies
May 12, 2010
Once again, nobody seems to understand security properly when they decide to add nifty new features. After upgrading to 10.04 from 9.10, I now have a listing of all the user accounts under "Switch from" when I go to the logout menu at the upper right side of the task bar. This is a terrible security hole that should never have been allowed in the first place, and is just as annoying as the default behavior of listing all the user accounts on the login screen.
View 5 Replies
Mar 1, 2011
We have 4 servers running RHEL 5.2. We have several users logged in on one of them. We have NIS server/client running on them and have a common home area mounted on all of them. Now we want to disable/block the accounts of the users who have not accessed our servers in the last 2 months from today. What logic should we apply to do so? We were checking stat of .bashrc of each user but that is not the correct logic. We are going to write a shell script for the same. We don't want to do anything in users' home area or their files.
View 11 Replies
May 11, 2010
I have one Ubuntu server 9.04 with a samba domain. I have one XP Pro in this domain. When the XP computer logs on, the theme is classic. How can I change that? I want the standard XP theme.
View 3 Replies
Nov 17, 2010
I have successfully set up authentication manually in Ubuntu so users can log on with Windows Active Directory accounts and have their network drives mapped automatically using pam_mount.
Please note due to the setup I can't make any changes to the Windows 2k3 server.
If a user wants their password reset I can change it to a generic password. When they next log on to a Windows computer with the generic password it will automatically ask them to change it to something else.
Is there any way to get this to work with Ubuntu 10.10? At the moment, when logging onto Ubuntu with an account that is in this state, the message "Please change your password" appears; it then proceeds to log on without prompting to change the password and naturally it won't map the drives etc.
View 2 Replies
Jan 30, 2011
When I log onto my 10.04 server via ssh, the /etc/motd is displayed. This motd is made up each time by the files in /etc/update/motd.d/. There is this one file: update-motd-reboot-required. The content is exec /usr/lib/update-notifier/update-mot-reboot-required and the content of this one is: if the file /var/run/reboot-required exists, print it.
But who is making this file and why? We know who it is: it's pam_motd.. but why would I reboot?
Edit 2: nvmd [URL]
View 1 Replies
May 4, 2010
I am unable to join a W2K or XP machine to a Samba PDC. I have tried to make this work on both 8.04 LTS and 10.04 LTS without success. Everything else works but I cannot add machine accounts "on the fly" using the "add machine script" as provided in the server guide. I have been able to make it work by enabling the root user but not as a user with admin privileges and sudo in the script. Despite multiple attempts including a new 10.04 install and following the instructions (in the 9.10 server guide) to the letter. Does anyone out there have a samba PDC actually running on Ubuntu and able to add machines on the fly without enabling the root account (i.e using SUDO in the script and a user from the admin group)?
View 1 Replies
Mar 17, 2010
Is there a way to do this? Some users can not send internet messages. Do you have some configuration tips?
View 1 Replies