Ubuntu Security :: Disallow Both Ssh And Scp To 'other Local Users'
Jun 23, 2011
I am stuck in a weird situation and could definitely use some help from gurus in the security area.
I have categorized my users into 3:
1. root user
2. other local users
3. LDAP users
I want to set up the following 2 use cases:
a)
1. Allow keybased ssh and scp to root users
2. Allow ssh but disallow scp service to other local users
3. Disallow ssh and scp to LDAP users
b)
1. Allow keybased ssh and scp to root users
2. Disallow both ssh and scp to other local users
3. Disallow ssh but allow scp to LDAP users
For the 1. in both cases, I think PermitRootLogin in sshd_config could . For the 3. I am thinking of deploying rssh to control scp service access, since ssh will be restricted anyways.
Problem area is 2. primarily.
i) How to allow ssh but disallow scp to 'other local users'
ii) How to disallow both ssh and scp to 'other local users'
View 5 Replies
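One way to express case (b) in OpenSSH terms, as an added example that is not from the thread or its replies: root gets key-based login only, the other local users get no login at all, and a ForceCommand wrapper lets an LDAP group run server-side scp and nothing else (an alternative to the rssh shell the post mentions). The group name ldapusers, the script path /usr/local/sbin/scp-only and a normal login shell for those accounts are assumptions.

```shell
#!/bin/sh
# scp-only: ForceCommand wrapper for the LDAP group (added example, not from
# the thread). Assumed /etc/ssh/sshd_config for case (b):
#   PermitRootLogin without-password    # 1. root: key-based only
#   AllowGroups root ldapusers          # 2. other local users: no ssh, no scp
#   Match Group ldapusers               # 3. LDAP users: scp only
#       ForceCommand /usr/local/sbin/scp-only
#       AllowTcpForwarding no
#       X11Forwarding no
# sshd runs this script instead of whatever the client asked for and puts the
# client's request in SSH_ORIGINAL_COMMAND (unset for a bare shell request).

set -f   # no globbing when we word-split the request below

# scp_only_check CMD: 0 if CMD is a plain server-side scp call of the form
# "scp [-v] [-r] [-p] [-d] -t|-f PATH" (what the OpenSSH client sends),
# 1 for anything else. Paths with spaces or shell quoting are rejected.
scp_only_check() {
    _cmd=$1
    [ -n "$_cmd" ] || return 1                    # empty = shell request
    set -- $_cmd                                  # split into words
    case "$1" in scp|/usr/bin/scp) ;; *) return 1 ;; esac
    shift
    _mode=
    while [ $# -gt 1 ]; do                        # every word but the last
        case "$1" in
            -t|-f)       _mode=$1 ;;              # receive / send
            -v|-r|-p|-d) ;;                       # harmless scp flags
            *)           return 1 ;;              # unknown flag or extra word
        esac
        shift
    done
    [ -n "$_mode" ] || return 1                   # -t or -f is mandatory
    [ $# -eq 1 ] || return 1                      # exactly one path
    case "$1" in
        -*) return 1 ;;                           # path must not be a flag
        *[!A-Za-z0-9_./:@=+,-]*) return 1 ;;      # no shell metacharacters
    esac
    return 0
}

# Dispatch: only when sshd supplied a command. A bare shell request leaves
# SSH_ORIGINAL_COMMAND unset, so it falls through and the session just ends.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if scp_only_check "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                                     # drop the "scp" word
        exec /usr/bin/scp "$@"
    fi
    echo "This account only accepts scp transfers." >&2
    exit 1
fi
```

AllowGroups is a top-level directive, so the deny for the other local users applies before any Match block is consulted.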
Nov 13, 2010
I have a system, I want only my sudoer account to show and automount NTFS partitions under 'Places' in Ubuntu. Simply, they shall not have access to mount it. Only my main sudoer user account shall take advantage on this show-and-possibly-automount feature of GNOME, but not anyone else.
View 6 Replies
Jul 21, 2010
I don't know if this is possible... I want that only some of a Windows Domain (Samba) users can log in to a machine. For example: the user Peter of the domain WORKSPACE can connect to PC1, but the user Charly of the domain WORKSPACE can not connect to PC1. How can I implement this?
View 5 Replies
May 4, 2010
I'm using Ubuntu x64 (dunno which version, but I don't think it matters) and I'm concerned about security with PHP. I remember using lighttpd and I had some mystic configuration and the security was perfect for me - if one website gets hacked then the others are still safe (kinda). Now with apache2 if I enable safemode I'm still able to go outside the web directory and actually I can go really far until user/group matches. I tested the system with r57shell and I was able to mess up other websites. Is there a way to disallow access to other websites?
View 5 Replies
Jan 10, 2011
I'm trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh. Is there a way to allow users to run anything they want except shells? I realise this is a default permit which inherently is defective, but I'm not convinced about going through the 1559 executable commands of my (as yet incomplete) built system to decide on the likely 1000+ commands I would want to be genuinely allowed. As I said this is for system administrators first, and I'd like to forcibly instil the habit of sudo <command> or using rootsh to get an audited shell. But I know people are already not doing enough sudo <command> as it stands; rather they switch to bash.
View 7 Replies
Jul 26, 2011
I have a Postfix mail server on Ubuntu 10.04 LTS behind a router, so all local users are fetching/sending mail through MS Outlook using the local IP. Sometimes when the internet goes down and any mail is sent, it bounces back immediately saying domain not found. Can you please tell me how I configure Postfix to hold all mails on the server rather than bounce when the internet fails, and pass them through when the internet is restored in around 15-30 minutes?
View 2 Replies
May 27, 2011
How to map all domain users from the group Domain Users to the local group users (and maybe some more)? I'm using Ubuntu 10.04 x32. It's connected to my domain using Samba and Winbind; I can log in using my domain credentials and automatically map the user folder from the DFS server, but I think that domain users have too many privileges in the system and I want to restrict them as much as possible.
View 2 Replies
Jun 7, 2010
Is it possible to map a remote user to a local user in SSH? The object is to avoid using $ ssh user@server and instead just do $ ssh server.
View 4 Replies
Nov 1, 2010
We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.
View 3 Replies
Oct 15, 2010
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
View 3 Replies
Apr 12, 2011
I want to have a shared area for movies, music, etc. where files are available for all users. What is the best way to do this? I've tried a few different things (i.e. creating a folder and sharing it among a group), but for some reason it doesn't seem to work the way I want it to. I'm now thinking maybe have a partition like /share and set the permissions to all in fstab, but I'm not sure.
View 9 Replies
May 12, 2010
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight rein on nfs exports. Some of these projects have started asking us to provide access-restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
View 12 Replies
Jan 11, 2010
I remember back when I used Windows, there was a shell command called "net view", which would allow me to see all the other users on my wireless net.
Is there any command or application that can do this? I don't mind if it is a terminal command either, but I would really like to know a way that I could see other users on my network.
View 3 Replies
May 6, 2010
I am on Ubuntu server and it's joined to a W3k Domain thru winbind/samba. Everything works fine and Windows and local users can log in to the machine without any problem. However, when I wanted to create a local user X and change his password I couldn't. It created the local user X but I could not change the password.
View 1 Replies
May 15, 2010
This seems like somewhat of a n00b question, but I'm kind of stumped and working on a half a dozen other things at the moment, so I thought I'd go ahead and ask it.
Is there a "correct" way to set up a shared folder between two local users using only EXT4 that will allow both users read & write access to everything in the folder?
Here's my scenario: My wife and I use the same computer. I want two separate user accounts (mine and hers), but I want ~/Music to point to the same location for both users so that I don't have to duplicate all of the files.
To protect the innocent, I'll use Jack and Jill.
So say Jack downloads or rips an album:
"/home/jack/Music/Radiohead/Ok Computer"
I want Jill to be able to create a folder:
"/home/jill/Music/Radiohead/Hail To The Thief"
I know the basics of symlinks so I can get /home/jack/Music and /home/jill/Music to point to the same place. I also have Jack & Jill in the same group.
The problem I'm having with my test setup is when Jack creates "/home/jack/Radiohead", it is set up to where Jill can read, but not write. So she can play songs from Ok Computer, but if she wants to download Kid A, she has to go in and manually change the permissions on Radiohead first.
Also, while I might set up multiple directories this way, what I DON'T want is for Jack to be able to modify /home/jill/otherdir where otherdir is just a regular directory set up with default permissions.
Oh, and as an added bonus, it would be nice to set up another account (i.e. a "guest") with limited permissions that can read, but not write/modify.
View 5 Replies
Feb 7, 2011
I have an RHEL 5.3 system where NIS logins are working perfectly, but authentication doesn't seem to be working for non-root local users. I can't login either remotely or at the console with a local user, and I can't even su to them unless I'm doing so from root (i.e. when no password is required).
I've reset the password, I've deleted and recreated the user, and nothing. nsswitch.conf does have "files" listed as part of the config, which was really the main place I'd have assumed the issue could be. su gives "incorrect password", and ssh gives "userauth failure". /var/log/secure shows "su: pam_listfile(su:auth): Refused user <username> for service su", and same for the ssh attempts (with ssh in for su, of course). I've reviewed my pam.d files, and they seem to be the same as on a working machine, but I'm not 100% conversant with pam so I might be missing something.
View 1 Replies
Dec 3, 2010
I'm using vsftpd as my FTP server. I have set it up so I can access my home directory via FTP, requiring my login.
But I want to make a folder in my documents (or anywhere really), which only my colleague can access. But I don't want to make a local Ubuntu user account. He just needs to be able to send files to this folder, connecting remotely, using his own login details.
View 3 Replies
Mar 1, 2011
I have a mail server running Postfix and the problem I'm running into is that when trying to send mail, I get a "relay access denied" error. Inside my main.cf, I did not specify 'smtpd_recipient_restrictions', so by default the variable is:
Code:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
The 'mynetworks' variable looks like this:
[code]....
View 3 Replies
Jul 16, 2011
I have installed Ubuntu 11.04 recently. How can I connect Ubuntu with other Windows users in a local network?
View 1 Replies
Apr 8, 2010
This one made me scratch my head for a very long time
I want to give access to the sound device to all local users.
Currently only the user currently using the X11 system and root are able to use the sound hardware.
So it appears it's a problem of permissions but I couldn't figure where ...
View 2 Replies
May 6, 2010
I am on Ubuntu server and it's joined to a W3k Domain thru winbind/samba. Everything works fine and Windows and local users can log in to the machine without any problem. However, when I wanted to create a local user X and change his password I couldn't. It created the local user X but I could not change the password. Here are the outputs:
Pam configs:
Common-account:
account sufficient pam_winbind.so
[code]...
View 2 Replies
Oct 5, 2010
"Merging" may not be quite the right word but that is the desired end result.
Scenario: many Solaris 10 servers, each with various local users. We want to set up LDAP for all of them. The LDAP server is set up; the procedure for getting other servers to use it for user authentication is documented and tested. The question is how to handle users that are in LDAP who also exist as a local user on a given machine.
It appears that the usernames on both sides follow a convention and therefore match but obviously the userids will not match. Local user joe has userid 1234, LDAP user joe has userid 56789.
The way I see it we'll have to:
1. move local user joe's home directory to the path that LDAP user joe will want
2. change local user joe's userid to that of LDAP user joe
3. change joe's files' owner to his new userid
4. remove local user joe
5. finally configure LDAP
Is this a rational procedure? Is there a more effective method? I'm not looking forward to this as there are many servers and each of them has a different set of local users, each with different userids which will have to be handled manually and individually, therefore not even scriptable much.
View 1 Replies
Jul 24, 2010
I would like to experiment with a "green" idea of virtual desktop where multiple users are served by a single powerful machine.
I have a server running 24/7. The monitor of this machine is turned off most of the time and the OS is on the login screen.
Other users, in the same local network, use less powerful machines, which could be a thin client or an old Pentium 3 machine. They access their accounts remotely and work with the GUI as if they were sitting in front of the server. Each user sees their own desktop (different themes, screen resolution, etc.). And of course it can happen that several users could log in at the same time.
The usage is modest: mostly web browsing and the usual default applications (office, wine, gimp, etc.). In particular no games or any demanding applications. The users want to use their desktop in graphical mode only.
Question: What do we call this way of using a server? Is it possible with Ubuntu? And how to implement it?
View 3 Replies
Nov 1, 2009
I have some typical issue while trying to connect to my root or other users from my terminal.
Like su - asking for a password and after that it displayed a message like:
$ su -
Password: could not open session
I tried connecting using ssh, then I am getting the following:
$ ssh root@localhost
Last login: Sun Nov 1 14:13:45 2009 from localhost
Connection to localhost closed.
Background: Before this happened, I tried to modify sshd_config in the /etc/ssh/ folder to allow passwords less than 2 words.
View 1 Replies
Mar 26, 2010
I have the following problem and tried (almost) anything to fix it but without a full success.
We're running a server with CentOS 5.4. Every night a logwatch report is sent. These mails are rejected by our mailserver because of some invalid details. These mails are sent to local user root, which is redirected to another external mail address with /etc/aliases.
At first the mail was sent from root@localhost.localdomain to root@localhost.localdomain. As you can imagine, our mailserver rejected this because of the localhost.localdomain parts. So I changed the sendmail config with these options:
Code:
dnl EXPOSED_USER(`root')dnl
FEATURE(masquerade_envelope)
MASQUERADE_AS(`domainA.com')
MASQUERADE_DOMAIN(`localhost.localdomain')
MASQUERADE_DOMAIN(`slave02.domainA.com')
This solved my problem partially: mail is now coming from root@domainA.com (which is OK), but is sent to root@slave02.domainA.com (slave02 is the local hostname), which is not OK. I tried everything I could find to change that last part too, but nothing seems to work.
View 4 Replies
Nov 25, 2010
Is it possible to make groups members of a group (the same way aliases work for the mailing system)? If not, is there a painless way to make all my NIS users members of more than one local group? Maybe set this on the NIS side and not per machine?
View 1 Replies
Sep 22, 2010
I installed sendmail on RHEL 5.4 with the TrendMicro spam scan engine. The configuration is like this: sendmail should forward all the mails to the scan engine; after scanning it will deliver them to the mail domains. The same way, all the mails coming from external servers are scanned and then delivered to the local box. My problem is when I send mail to local users it's delivered locally, but when I send mail to external addresses like Yahoo it's going through the scan engine. I added the smarthost in the sendmail.mc file also.
View 1 Replies
Mar 18, 2010
I'm trying to configure vsftpd to just allow my local users to login and be confined to their home directory (and its sub-directories).
Here is my vsftpd.conf:
listen=YES
anonymous_enable=NO
local_enable=YES
[Code].....
I've tried multiple configurations to no avail. I always end up with this same end result.
View 3 Replies
Mar 24, 2011
I did search the forum but didn't find an answer.
I have setup Postfix + Dovecot on my basic debian 5 server. If I send a message to a localuser@mydomain.com from mutt, it delivers just fine and is visible when viewed through squirrelmail, I can also send just fine.
My issue is that irrespective of what options I set in main.cf, I cannot for the life of me get Postfix to stop erroring with "Recipient address rejected: User unknown in virtual alias table". I'm stumped.
My main.cf is as follows code...
I do not want to setup virtual hosting with MySQL or similar, I literally want to receive mail in local users mailboxes for a single domain. Any ideas on what's missing?
View 1 Replies
Apr 21, 2010
I found 2 previous posts, one from 2005 and one from 2006. The 2005 post was not very helpful and the 2006 threads are not exactly what I was expecting. So I wanted to ask the question to be sure. I have already stood up the new fedora 12 server. The old server is also fedora 12. I need to migrate local users and sendmail mailboxes. In the past couple of years the environment was small enough to create a copy of the users and then have the users mail themselves, but I want to start migrating users/mailboxes properly.
On a unix level I am a jr admin, but I have extensive senior level experience as a Windows engineer and network engineer. I do feel comfortable with using the unix command line, but usually operate the unix systems thru webmin because I am not familiar with more complex commands. Ideally a software solution to migrate users and/or mailboxes from one server to another is what I am looking for, but in lieu of a software solution I still need to migrate user accounts and their mailboxes. LDAP is not in place, but if the process becomes easier with LDAP I am willing to do what is needed to set up LDAP. (I have no previous experience setting up LDAP.)
I do not want to change my mail server from sendmail to different software, at least right now. Both systems are up and running. They can connect to each other via public IPv4 addresses only. The new server has already been installed and configured with all the software to match the old server. How do I migrate users and sendmail mailboxes from one Fedora 12 server to another Fedora 12 server?
View 3 Replies