Ubuntu Security :: 10.04 - Corporate UCM And Password Policies
Sep 27, 2010
I am currently reviewing what it means to switch over to Ubuntu and I have the following scenario. If I was to switch all the windows servers over to an Ubuntu solution. I already understand that file servers/ mail servers and resources can be provided Ubuntu 10.04. The issue comes with the user accounts access and control. In a windows environment, I have a domain with sub domain sites. I am able to control passwords in each site separately thought Active directory. I need the instructions on how to setup an LDAP server so that I can control access rights to different services located on different servers.
Example 1.
I have 5 mail servers and on the HR side, I have 2 email administrators. I wish to provide them access to only the relevant resources centrally. With out having to add users to different users repeatedly. For example, if I wanted to grant the two administrators access to all five servers. As I understand it, I would have to create the same user on every server and add a public key on every server, as well as set the administration rights for that user on each server individually.
I want to be capable of doing this like I am in a windows environment from some sort of domain controller equivalent. Things that I must be able to do, manage users public keys on each server centrally. Add and remove user's access to each server centrally. Finite control on what each user can do on each server. (i.e., add them to the sudo group or any other group for specific servers/server class I specify). To a lesser extent of requirement, I also need to be able to inform users they have to change there password every 3 months from when they change it. As well as enforce password rules, such as characters complication.
Is there a way to delete files on the commandline that uses the KDE-Wastebin?It appears that I never ever need the KDE4 Wastebin for files that I deleted through Konqueror or Dolphin. It is only when I delete files on the konsole with rm that I wish I could undelete them. It always happens like that, mostly by being in the wrong directory or using a wildcard when I should not have. (I don't have any erroneous deleted file right now, and I do have plenty of backups, but I just wonder whether there is something better than rm to use generally on the commandline.)
How would I ensure that whenever any user changes the password it should meet following. 1)It should be more than 7 Characters. 2)Atleast one Upper case character,digit and special character present. 3)Password is not same as username or dictionary word . 4)User should get email after changing his password(I have already setup mail account and tested the setup).
Code: Distribution Detail # lsb_release -a LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch Distributor ID: EnterpriseEnterpriseServer Description: Enterprise Linux Enterprise Linux Server release 5.2 (Carthage) Release: 5.2 Codename: Carthage # uname -a Linux OFSMUW-VMGR-51 2.6.18-92.el5PAE #1 SMP Fri May 23 22:26:05 EDT 2008 i686 i686 i386 GNU/Linux
Here, I want to deny all traffic except DNS traffic, it should be permitted. I tried to log the traffic but I did not find any update in /var/log/messages.
I don't know how to write a shell script to set security policies for Linux to start. and how. I know that there are many security policies for Linux but do not know which one best suited to write a shell script.
A US ISP's "privacy" policy basically states that they will collect any and all of your data (email, posts, surfing etc ) and then "share" it". direct me to a "checklist" which can suggest counter measures for non-geeks? How can we function if we cant trust our ISP? Are there some specific 'tricks' in Ubutu to foil rogue ISPs? If yes, it would be a great 'selling point', especially for professionals concerned that rogue ISPs could "share" their intellectual property.
everytime i try to vnc to my box, it pops up the keyring authentication, which is obviously a huge problem when logging in remotely.how do i change my keyring password to match my login password?
I know this has probably been asked too many times here but I need to secure my emails. Personal matters of course. But yeah. I use the program "Password and Encryption Keys" to generate a key to sign my emails with but I do not know what to do. To be blunt, I'm stupid when it comes to this. IF not, steps in creating a key? and giving it (my public key) to the significant other? Finding where both keys are? Implementing it into Thunderbird? If it helps any here's some extra information: Ubuntu distro: Ubuntu 10.04 Email client: Thunderbird
How can I force passwd to use a simple password?I want to change my passwd & delete passwd history (if stored).I plan on creating a Virtual Appliance that uses another password besides my testing password.
I already posted a topic similar to this concerning the Desktop OS version, but this deals with the Netbook because unlike the Desktop, the Netbook is less cooperative. Allow me to elaborate: Today (or rather yesterday since it's not after midnight where I am), I changed my password because I was hopelessly confounded about how to get my Wireless Network card up and running after it had been installed and I was allowing my dad to use it. This issue has since been resolved, however...
When I chose my password during the original installation, there was no mention of it being "too simple." This is where the Desktop OS and the Netbook OS differ. The desktop will let me change it in the terminal without any errors. The Netbook will not. When I've attempted to revert it back to the original, it will not let me do so in the User Profile or in the Terminal. The Passwords and Encryption Keys application also does not appear to help.
So now even after I've changed it to a different "complicated" password I am still prompted to insert two different passwords since I changed my user password but I am unable to change the password I input during the installation. A bit screwy methinks. This is extremely important. I'd like to know how to change the original installation password.
If I can't change the main password on my laptop then this is a serious potential security breach just waiting to happen (especially since it's on a laptop and I will be hauling it around with me) and I will most likely install a different OS if this isn't resolved --- It would be very unfortunate since I spent the whole day fixing it and I really enjoy the interface. Luckily I can live with this on my Desktop since I'm not going to be hauling it around with me everywhere when the school year starts.
I have a database created by an older program (not Access) that I need to open and retrieve information for my business. The manufacturer put a password on there so that only it's program could open it. I do not use that program, but it has information I need. Is there a way to find that password or circumvent the password altogether?
Migrating whole Corporate Windows stations to Ubuntu which is a huge thing so I'd like to do it right and as painless as possible to users.
Here's how it's done now: Main server are already running Linux for years with DHCP, DNS, IMAP, Postgres and SAMBA.
Windows machines are part of Samba PDC and when user logs in, Windows connects to the user profile on Samba server. When user logs out and logs to another computer, he/she has the same files and settings. Basically, nothing is held on local stations.
All printers on the network are printers with network cards, so they are not attached to any computer. The right printer is set with cmd script when user logs in, which makes it possible to make other printer as default if one is faulty.
The project is to setup a corporate server that will bond 5 pci lan cards into one! The scope is to connect 5 ADSL routers and compine the speeds of all of them.
So i would have 5 routers each 2mbit ADSL would result on a 10mbit connection.
The problem is not only that.
Because this is a corporate network the server MUST also act as a router. This is necessary because people are remotely connecting from e.g. their homes to the network.
if this can be done with a Linux server or it is not feasilbe at all?
I can't seem to find the "Authorizations" GUI that was present in earlier ubuntus for configuring system policies. It used to be in System - Administration - Authorizations. Which package does it come in? What's the console command for it?
We are organizing an event for Open Source technology in college for 100 students and want to provide them access our corporate PC. Our aim is to provide them remote access to few 10-20 machines in our corporate to try out our product which runs on specific hardware.Anyone who can suggest me any secure colloborative tool which will let those students access concurrently.
I can not open the corporate intranet portal, runnnig on windows server 2008 with domain users. In Centos I could login just fine - firefox/konqueror just prompted me for my NTLM windows domain username and password - I typed those in and browers sucessfully loggem me in and I could surf the corporate portal. Note that NTLM authentication is configured as a fallback from kerberos authentication (so told me our portal admin)
However, in Fedora11 when I try to open the corporate (intra(not inter)net) portal, browsers just give me "Bad Request (Invalid Hostname)" error instead of prompting me for my domain username/password. I'm logged in on my F11 box as a local (not domain) user - as I did also previously on Centos Box.
I disabled SELinux, I disabled the firewall but still no luck. Not being able to open the corporate portal is a major showstopper for me, as I can not access many applications hosted there.
In my company, they provide linux machines which has a 4 yr old Gentoo linux. Also the OS is loaded through Yukon PXE/netboot environment, and the users directory is mounted from an network location. Also they dont provide root access in these machines.
I would love to use the latest Ubuntu in this machine. Please let me know if it is possible to configure a ubuntu/xubuntu in this machine. I need to be able to login with my corporate user_id/passwd, because many of the tools use this for authentication. so just doing a ubuntu installation in this machine and mounting the n/w location would not help.
I am looking for solution that would allow multiple users distributed over several offices in several countries to access one corporate file depository. The features I am looking for, are as follows:
- There should be the way to establish user groups and then define for each folder access level (read/write) for every user/group. Every users is given his login and password. - This file depository should be accessed from both Linux and Windows clients - There should be a way how to sync certain folders/files on one's PC so that it is possible to work off-line and then sync back to the common depository.
Then I plan to launch some regular backup routine on that folder where all the files of depository are kept. I can imagine that the solution could be involving several tools, ie access for Windows users might involve setting up samba server, but I don't know how to establish all the limited access stuff for Win clients via samba.
Is it possible to only view certain chains and more specifically certain chain policies with options when doing: iptables -L..I would like for example view FORWARD ACCEPT rules instead of waiting for all of the drop rules to load when viewing a firewalled iptables.
I'm new to ubuntu. Now iam using Karmic Koala. I want to change my password. So i used,
system->Administration->users and groups to change my password . As i entered my new password and clicked on 'Change Password', It is saying, 'password changed'. But when I click the close button in the main users and groups window, it is asking for my password, and I am forced to enter my old password only.
After the window is closed, i logout to check whether my password is changed. But it is not. I have to enter my old password to login.
i set my pass on ubuntu 10.4 and it work so good on installing app but suddenly it stopped working i thought i would restart my pc i tried to inter my pass again ubuntu don't accept it although it's surely true
I had this great idea to try and change the UBUNTU password. So I took not so drastic effort..I went to System>Administration>Users and Groups. There I clicked on my login name.Clicked on Properties and used the Change Password Button to Change my login password. I did that. [I thought this is the way to change the login password]. After that as usual I tried to launch the Empathy! It started asking me about some Keyring password! I gave my new password and it worked. Now, the weirdness of the issue is that..
1)If I want to login to UBUNTU..I have to give the Old Password [The password which I gave when installing Ubuntu;as if the password change has not come into affect] oO mount..I have to give old password To update I have to give old password. But! 2)To get my things done in Empathy..that is to get the Keyring Challenge done! I have to give the new password and old password does not work here.
I want to stop empathy from asking me about the KEYRING thing. Roll back the system to the previous state; before the password change thing. What exactly went wrong or right? and What is really happening to my system. I mean things are all normal, so far..but why the two passwords? I dont use any heavy things on my machine..just a bit of browsing and Empathy..thats all.and only the default applications are installed on my machine. I use Ubuntu Karmic 9.10.
I need to be able to capture a users password when they login. I am well aware of the security issues with this and I'm ok with this.
We run a call center and I am working on migrating from windows to Kubuntu for the callers. It's policy that all callers must report their password to me, so I already know of everyone's password. There has to be some variable/script that I can "hack" to get the password they typed in to the login screen.
What I'm trying to do is that when a user logs in in for the first time, their profile is automatically created and set up. Setting up network drives, email, pidgin (which the password is stored in plain text anyway, so forget about security on that one), web apps, etc.
Trying to find information on How to capture a users password and all have been responded with the usual lecture on why you shouldn't do this. So I've heard it all before and I know of the risks. Like I said, I already have the callers password on file. If I could capture it, I wouldn't have to manually setup each profile every time we get a new caller, which is often since turnover is quite high in call centers.
Every time I log in, I get the "password for keyring default" question two or three times, unless I enter it immediately as it pops up, sometimes even that doesn't prevent it from respawning. What could be causing this? I'm using Maverick.
P.S. Hmm, I don't think I'll be watching the lunar eclipse much now, the sky is covered with smoke, maybe it's lunar apocalypse.
I think it is very easy to hack passwords in Linux, but I did not try it yet. If you use sudo you get 3 attempts for the correct password. But if you get enough time it should be no problem to hack it by bruteforce. Imagine a script an attacker places on your machine which runs for a few hours or days. I think it is much more effective to delete the user out of the admin (or adm?) group so that user cannot be any danger anymore. You would have to login with root and readd the user then.
You now say: but if you login with root you got almost the same effect as with sudo. Of course it is the same. That is why I would use a system (not sure which yet) to create sub enviroments of your OS, which got the attribute that they can run without root, only got one account that can sudo and once sudo access is denied there is no other way to login as root. You just can repermit sudo access by the parent os layer.
