Ubuntu Security :: Setting Up Keys For Ssh For Multiple Users?
Jan 30, 2011
Ubuntu 10.10 Server is loaded. Openssh has been loaded.
I have multiple users which need access to server via ssh.
My impression from reading about ssh is that a key needs generated for each person. Thus, each key will have a passphrase that is unique to them.
In /etc/ssh/sshd_config, the default sshd_config suggest using:
%h/.ssh/authorized_keys
My assumption is %h is a variable that will allow the current user to use the public key stored in his home directory under the .ssh folder in a file called authorized_keys. Is their a command string that automatically populates the authorized_keys file?
I am surprised that even though there are a number of hidden (e.g. .****) files located in the home folder, there is not one automatically generated as .ssh. It appears I have to create that directory myself. I am especially surprised by this since it appears the instructions for generating a key seems to load the key in the home directory instead of proceeding to create a .ssh folder to store the keys in.
It is not clear, but it appears that the public key needs to be copied or appended to the authorized_keys file, but, using the scheme above, the public key needs to be copied or appended to each users authorized_keys file instead of appending all public keys to a single authorized_keys location.
It then appears that each persons authorized_keys file needs permissions set to 600.
It also appears that if I decide to use RSA instead of DSA, I would do the same thing above but would use authorized_keys2 file instead.
Why doesn't the home folder which gets automatically set up for each user automatically get a .ssh folder generated? i.e Why does it have to be created by hand? Does it need the same permission on the .ssh folder? ie 600?
My aim is to allow many to log on via ssh simultaneously and then allow many to simultaneously vnc into their respective gnome desktops.
View 6 Replies
ADVERTISEMENT
Dec 22, 2009
setting up multiple (2-3) FTP users on Ubuntu Server 9.04 I currently only have ONE FTP user, but I need to have 2.
View 1 Replies
View Related
Mar 16, 2011
I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key.Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well.
[code]....
View 8 Replies
View Related
Mar 26, 2010
At the moment we have one SSH server with the private key being on a usb flash drive, and the public key being on the server in authorized_keys2. Now that three more servers are coming online, should we generate new keys, so we have muliple private and public keys (one pair for each server), or use the same two keys to access all the servers
View 5 Replies
View Related
Feb 25, 2010
I'm having trouble breaking down permissions in linux. Here's the scenario. I have two users: UserA & UserB with each having to ownership and access to directories myDirA and myDirB respectively.
UserA --> /source/myDirA
UserB --> /source/myDirB
I need to set the permissions so that userA can access myDirA and myDirB. There are other users and directories but they should not be able to view outside of their own directories (which is the way it is now). I don't have groups set up for them and I'd rather not change anything else but just the permissions.
rwxr_x_r_x UserA
rwxr_x_r_x UserB
They're read/write/exec permissions are identical.
View 14 Replies
View Related
Nov 26, 2010
I am searching for a way to have multiple sessions or users on the same vnc server. I have a machine that I need to remotely access as root (for admin purposes) and as myself (as the normal user) the rest of the time. I probably will never have to remotely login at the same time as both root and myself (I am not that multitasking!)I searched the web for almost 1 hour without finding anything useful... Right now my /etc/rc.d/rc.vncservers.conf looks like:
[code].....
View 2 Replies
View Related
Oct 12, 2010
is that possible to have multiple users for one linux session? and how can i do that ? it's possible to creat virtual users for a session ?
View 2 Replies
View Related
Feb 16, 2010
how to lock down individual users from setting a proxy server. Its a server not a WS so it should never go to the internet. I want to lock down the system side and firefox 5 settings.
View 14 Replies
View Related
Nov 2, 2010
I have a remote directory shared over NFS called tech with perms set as 0750 and owner set to root:tech. I have 2 groups: tech, and techAdmin. tech can read and execute within tech/. techAdmin can read, write, execute. I have 4 users: user1, user2, user3, user4. user1 and user2 is a member of techAdmin, user3 and user4 are members of tech. simple so far...but wait here's the problem. If user1 creates a file inside tech, user2 cant read or modify it because user1 owns it. Here's a few sites that reference this problem:
[code]....
View 4 Replies
View Related
Jun 7, 2011
I am not very security minded...I'm aware of it, and always made sure I had up-to-date overall protection in Windows but firewalls, and the blasted passwords are largely a thorn in my side!When I got my iPhone last year I suddenly discovered password managers & "wallets" to keep all that kind of information in and syncable across different devices. My life got so much easier. Of course now I need to figure out encryption keys, and how they work (I'm clueless). I also need to find a program or system that I can move my existing low-tech info (mailnly user name & passwords) that will also accomodate the increased needs of Ubuntu security and still be sync-able. I started a little research weeks ago, but my current "wallet" only exports .csv so I quit since I'm going to have to do a lot of data entry whatever I go with.So here goes:
1) what is the difference (bare bones) between using an encryption key (e.k.) vs. a standard user created password? what situations are better suited for e.k.?
2) I have seahorse (default intall with Ubuntu I guess) but the only thing in it is Login under passwords which leads to a login keyring (?) and a drop-down list of about 6-10 of the gazillon passwords I use daily. The other tabs are for keys which I don't have any concept of.
3) I know FF also "remembers" user id & passwords as you choose to have it do so. Is that information transferable into seahorse or another program?
4)I'm also (today) getting ready to really set up my system for user names & security across my little home network. How can I integrate that into whichever program/app I go with to store my pwds and keys?
5)give me links to fairly current documentation on this stuff?
6) Any program/app recommendations.Pros/cons uses, what they can & can't do or be used for, etc.
View 9 Replies
View Related
Nov 1, 2010
We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.
View 3 Replies
View Related
Jan 2, 2010
Im a total beginner when it comes cryptography and networking. Finally managed to create a connection with OpenVPN on Ubuntu to a vpn provider called ivacy. On this page:http://ivacy.com/en/doc/user/setup/winxp_openvpn they give configuration files and keys, which I used. The question is, if someone wanted to see my network traffic, could they do it using the keys provided on that page. Reading the OpenVPN documentation i saw that it is also possible to create your own keys. Would that be more secure?
View 10 Replies
View Related
Jan 15, 2010
finishing ultimate debian fluxbox chromium mini distroand need to configure fluxbox keys like Crunchbang's conkyrc belowHow exactly do i do it without messing something up?
Code:
##############################################
# Output
##############################################
[code]....
View 1 Replies
View Related
Aug 7, 2010
I was trying to sign my Ubuntu Conduct Agreement with the key I created for luanchpad. I have one other key that is used for my private folder. While using pgp --clearsign to sign my agreement it kept using the first key I created for my private folder. My work around was to create an email and then copy/paste using the correct key. how can I select between multiple keys from the terminal with pgp --clearsign?
View 2 Replies
View Related
Jun 28, 2010
I had my procedure down for setting up the keys on my various machines on my LAN when I was running Fedora9 - I just followed my own notes to set up 'ssh' on one of my machines that I am upgrading to Fedora13 and am finding discrepancies. I used to be able to set files up such that if I am on one machine, I could just ssh to another and I wouldn't be prompted for passwords or passphrases etc. Whatever I did before doesn't work any more (I keep being prompted for passwords/passphrases) - does anyone have a hint to point me in the right direction on how to set up the keys etc. - or what changed from F9 to F13? Also is the handling of ssh keys the same from F9 to F13? Reading the documentation it seems that on my old machines the man page says this:
Code:
<snip> that passphrase will be used to encrypt the private part of this file using 3DES.
Code:
<snip> that passphrase will be used to encrypt the
private part of this file using 128-bit AES...
View 3 Replies
View Related
Mar 9, 2011
I want to ssh, scp, git fetch, etc. without a password. I saw the previous questions, and closed ones regarding this issue, but the suggestion seems to be to use ssh keys. However, after setting up ssh keys, I am still asked for my password (it's not asking for my private key password; it's asking for my login password). How am I supposed to set this up so that it only uses my private key for authentication?
View 2 Replies
View Related
Oct 15, 2010
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
View 3 Replies
View Related
Apr 24, 2010
I'm trying out various windows mgrs and I'd love to be able to preserve certain key mappings...
...but what's REALLY important are the MOUSE KEYS!!!!!!!
I use the mouse left-handed. I can set that in Gnome or KDE easily, but if I go into, say Ratpoison, it's un-set again.
Is there a system-wide (or as close to it as possible) mouse setting?
View 1 Replies
View Related
Jan 13, 2010
I have generated SSH *.pub and *.ppk keys.
Where should I put them so that they are automatically used and available when e.g. issuing an ssh ....
command in Terminal?
View 9 Replies
View Related
May 12, 2010
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
View 12 Replies
View Related
Feb 6, 2010
I'm having trouble logging in with SSH using RSA keys.
client: Karmic
server: FreeNAS (FreeBSD) ip: 192.168.0.100
I generated RSA keys on Karmic, added the id_rsa.pub to the authorized_keys file on FreeNAS, then removed the id_rsa.pub from Karmic (this is a poorly documented but necessary step I learned).My Karmic username is shawn, FreeNAS username is shawnboy.from Karmic it prompts me for my RSA key passphrase which it should do, but after I enter it, it fails and moves on to prompt me for my password. I know this isn't a FreeNAS forum, but this works perfectly using Putty SSH with RSA keys on Windows XP, so I figure it's more appropriate to ask here than in FreeNAS forums.
View 7 Replies
View Related
Feb 9, 2010
Short description of the difference between GPG and SSH keys?
Also, is it possible to combine the two keys? Meaning I can just use one key for both applications?
View 5 Replies
View Related
Sep 29, 2010
Scenario 1. I am doing this from /home/deploy directory I am trying to set up ssh with github for capistrano deployment. this has been an absolute nightmare. when I do ssh git@github.com as the deploy account I get Permission denied (publickey). so may be the key is not being found, so If I do a ssh-add /home/deploy/.ssh/id_rsa Could not open a connection to your authentication agent. (i did verify that the ssh-agent was running) If I do exec ssh-agent bash and then repeat the ssh-add then the key does get added and I can ssh into github. Now I exit from the ssh connection to my server and ssh back in and I can't ssh into github anymore! Scenario 2 if I login to my remote server and then cd into my .ssh directory and ssh into github then it all works fine I guess there is a problem with locating the key and for some reason the agent isn't funcitoning correctly.
View 2 Replies
View Related
Jul 20, 2011
My primary Ubuntu server has SSH exposed to the internet so I can remotely access it. I have configured OpenSSH to use only RSA key authentication. Each computer I use has a separate RSA key unique to it. I also have a unique RSA key on a USB thumb-drive I carry with me. The purpose of the USB key is for emergencies if I have to access the server from some remote system. The problem is that I may not trust the remote machine (university/public library computer for example).
What I would like to do is have a set of one-time use RSA keys that, after I log in to SSH with them, are removed from the authorized_keys file. This would hopefully keep my system safe even if the remote machine I was using was compromised and had copied my private key and key-logged the password I used to decrypt it. I would like to have these keys be separate from the keys I have for my trusted computers.
View 3 Replies
View Related
Feb 11, 2010
I have enabled ssh key based logins for one of my servers and disabled normal password based logins. It just occurred to me that the public key which I generated on my pc, and uploaded to the servers authorized_keys, may in fact only apply to my local PC / user account. So basically if my system crashes I would have no way to login to the server...? Is it not possible to "share" public keys so other people (PCs / accounts) can use them?
View 3 Replies
View Related
Feb 19, 2010
I've installed the ssh server on my Ubuntu desktop and the very first time I accessed the server from my laptop, it got a message asking me whether to permanently add the key of the server. After I added this, it gave me a message saying that the key had been permanently added. My question is how do I remove this key? I just want to know how to do this because I'm going to disable password based logins and I want to start anew.
View 6 Replies
View Related
Apr 25, 2011
Is there a way that I can set a quota for all new users that get created? I want to limit the hard drive space they get. I don't want to have to keep setting each new users quota either.
I am running Ubuntu 10.4 LTS 64Bit
View 1 Replies
View Related
Jun 1, 2010
What is the easiest way to encrypt plain text content with a password only? I need to encrypt client login information, but I hate dealing with all the unnecessary complexities of Linux's encryption systems.
I know I am going to get a bunch of people telling me how perfect Seahorse and whatever is, but Seahorse and the default /home directly encryption have both given me too many problems when decrypting my information. I prefer to preserve my data rather than using these methods.
View 9 Replies
View Related
Aug 25, 2010
Can i login to my server using my root account and create a public+private key for one of my users and then manually paste it into his authorized_keys file and give him the private key?
The user im giving it to has a chrooted FTP account...
Is it still ok that i used the root account to create it? He is not going to have root access or nothing is he? This is not a security breach in any way is it?
The user doesn't have shell access to create their own so this is the only way i can think of doing it...
Also what access should the user have to their .ssh folder + the authorized_keys file...?
Are they allowed to read the key? What about write?
View 9 Replies
View Related
Sep 8, 2010
I recently upgraded to Ubuntu 10.04. I love the passwords and keys application, but was somewhat surprised at the lack of a context menu in gnome to encrypt a file.
In general, I cannot find how to encrypt files using the keys I generate. Maybe I'm missing something? Probably, I just thought since Ubuntu comes with OOB key generation it would have OOB encryption capabilities.
I've read about seahorse and other ways to ADD encryption, I'm just wondering if ubuntu does it natively. It'd be a good idea to add to brainstorms, right click and encrypt.
View 6 Replies
View Related
