I am using Red Hat and was wondering how to disable username and password only login and require that a PPK secure key file be used for authentication ? I can log in using the secure private key and the public key that is in ~/.ssh/authorized_keys but i can still log in using the plain username and password login.
we are trying to make a policy decision whether to go with SSH user/passwd or PPK secure key ? our servers are hosted remotely by a hosting service. we were wondering which of these two models are more secure.e.g. i would tend to think that user/passwd with account lockouts upon failed attempts would be more secure because the other option exposes your server in case someone sneaks the PPK file or steals your whole computer.however, what makes me doubt myself is that Amazon Web Services EC2 cloud hosting uses PPK by default (although an instance's SSH config can be change to accommodate logging in but they don't endorse it).
In our group we use NIS and have a group set up called netadmin which is given root privileges on each machine. Each machine also has a localuser called localuser created and used during installation. When logged in as a member of netadmin, attempting any action that requires root privileges (e.g. installing software in Ubuntu Software Center) results in a prompt asking for localuser's password, not the current user's password.
Does anyone know the cause? Configuration issue or Ubuntu issue? We can get around it.
Is it possible to log in secure shell (openssh ) using a username and password which is not present in "/etc/passwd" .The shell created after authentication should be owned by the logged in user . Is it possible to store the user infromation like uid , gid , home dir , shell in some remote machine instead of /etc/passwd and then retrive the these these information when a session is created for the logged in user .
we know that /etc/passwd - is a replica of /etc/passwd file and acts as a backup in any damage done to /etc/passwd file..i have observed a strange thing in RHEL 5.4....for example... if /etc/passwd has 100 accounts.. then /etc/passwd - is having only 99 accounts....when i add 101 useraccount with "useradd" then /etc/passwd has 101 accounts and /etc/passwd is having the 100th account of /etc/passwd - ..when i delete /etc/passwd and recover it with /etc/passwd - from runlevel 1 the lastly created user is not having his account after recovery.. what is the solution? this is same case even with /etc/shadow and /etc/shadow -
perform below activities please guide how to do perform below activities.Make sure the Guest account is disabled or deleted.-Disabled or deleted anonymous accessSet stronger UserID policiesSet Key Sensitive UserID Default enable in linuxCombination of numbers, letters and special characters (*,!,#,$,etc.)
I'm an Oracle DBA and started working for my current employer about 4 months ago. This past weekend an alert re: FS space brought my attention to /var/spool/clientmqueue (full of mail re: cron jobs) and the fact that sendmail is not running on our Linux servers.I'm told that the IT security team deemed sendmail too vulnerable so we don't run it.Aside from FS filling up and missing notification of issues with crontab entries, I'm concerned that we may be missing notification of potential issues. In other Unix/Linux environments I've seen emails from the print daemon when it experienced problems with specific jobs.
Are there other Linux facilities aside from cron and lpd that use email to advise the users of possible issues? Are there ways to secure sendmail or secure alternatives to sendmail? My primary need/desire is to make sure that emails regarding issues on the server get to the appropriate users. Secondary goal would be to have the ability to use mailx to send mail out. There is No need/desire to receive mail from outside.
I'm seeing really bad user login format under a standard installation and am wondering why ubuntu does this as default. I have noticed that the graphical login for gnome sizes itself to accommodate a user's exact password length. This indicates to me that somewhere on the unencrypted part of a standard installation with user encryption contains at least some indication of the content of the password length which seems a security flaw even if not a complete hole, it majorly reduces the number of attempts a cracker would have to cycle through.
And that's assuming that *only* the length is contained. Furthermore it seems that it would be MUCH better to simply display the number of characters entered into the pw field and allowing the gui to expand itself from an fixed size as the field is filled out so the the user still receives visual feedback for entering characters. Either a simple character count display should be entered into the field or a 10 dot to new line so that one can visually quickly count the number enter by multiplying from a 10base graphical observation.
I'm running a server using CentOS 5 x64 I want to disable access of groups to "bin" folder so they cannot execute commands. [info: actually because of a bug in cPanel (the control panel I installed) Perl will give access to all hosting users to execute commands.] so what i wanna do is to ban some groups on 'bin' folder, for example 'my_group1' and 'my_group2" cannot access bin but 'my_trusted_group' can access it.
I'm running a server using ubuntu 10.04 x64. I want to disable access of groups to "bin" folder so they cannot execute commands. [info: actually because of a bug in cPanel (the control panel I installed) Perl will give access to all hosting users to execute commands.] So what I wanna do is to ban some groups on 'bin' folder, for example 'my_group1' and 'my_group2" cannot access bin but 'my_trusted_group' can access it. How is it possible?
My case is that, the LADP user connected could not login via SSH. This user could login in the system console. And all the other users could login within ssh. And I was wondering whether any one could suggest which place to check next. And here is the detail: I was using SUSE 11.3 when I met this error. PAM module is used, and the corresponding files in /etc/pam.d/ have all been updated. Here is what I've added:
I am a new Linux user and have a question about the administrative authentication. When I am logged in as a user and I need to do something that requires root privileges the little password window comes up and I enter the root password. My question is how long are the root privileges granted for?I noticed that a few minutes after finishing checking out the firewall configuration tool and closing the window that I was still able to re-enter the fire wall tool and other administrative tools. How do I log out of the root privileges without logging out and then back into my account?
I recently set up a family computer for a friend, and now his son is "experimenting" with the terminal (randomly entering commands). since he could accidentally do something bad, I am supposed to prevent him from using terminals, but only as hi user. I tried vlock and away, but with vlock it says 'this terminal is not a virtual console', and away can't seem to lock all consoles.
Second off, I'm trying to capture a user password on login (through gdm) such that I can re-use it for a service like Kerberos or AFS. The idea is that the user has to log in only once, and then I renew the tickets and tokens until they log out again. If there's a better way to do this
I am trying to disable accounts after 5 unsuccessful login attempts. I am following the guidelines in this article:
This is on an Oracle Enterprise 5.4 box, which is essentially RHEL 5.4 Here is what my /etc/pam.d/system-auth looks like:
-------- #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run.
Unfortunately, the account does not seem to be locked or disabled. As root, runninng 'su test2 -c <some-command>' always sucessfully runs <some-command>, and leaves the failed attempt count at 6. /etc/shadow does not have an * or ! anywhere in the encrypted password for the 'test1' user.
What am I doing wrong? I thought that with the max attempts set to 0 in faillog, that the deny= parameter would be used. I thought I should be using su <user> -c <command> from the root account to test if the disable feature is working.
I have a problem with my ubuntu account. I am running 4 virtual machines, based on jeos-8.04 and I am using a public key authentication to login to my account (via ssh). This is not the problem, I have the key and the passphrase. But when I am logged in, I can't sudo, because I forgot the password for the accout.
I get the problem to acess root password when i am in user login, means wahen i am in user login and want to install software from terminal then he asked root password, when i supplied root password but he give me login incorrect.
while hardening a red hat enterprise 5 installation I have done something that causes the sessions of all user accounts except root to close immediately after authentication. in the /var/log/secure log file it will show three log entries per attempt:
<date/time><hostname> login: pam_unix(login:session): session opened for user fred by LOGIN(uid=0) <date/time><hostname> login: LOGIN ON tty1 BY fred <date/time><hostname> login: pam_unix(login:session): session closed for user fred
Since I did a number of things and have not been able to identify what caused this.
My goal is this: Allow a user to connect to a server via SSH with any login name or password without checking to see if that account exists on that server. Their account would be captured by a universal account say, 'generic_user', and then they would be directed to one of my python scripts with the username and password they supplied for initial login. At this point my script would capture their SSHD process ID and allow/deny their existence based upon a MySQL/Subscription check.
The part I'm having trouble with is with PAM and allowing the user to login with any credentials and be successfully authenticated under the generic account. Beyond that, everything is great.
All servers mentioned below run OpenSuSE, either 10 or 11.I am currently working on a few scripts that are meant to be used as part of a continuous integration setup. I am trying to keep these scripts reasonably secure, and so I have made sure that all the servers run these scripts only as a specific user (user1) that has permissions to basically nothing else. The problem I am currently running into is that I need to start and stop tomcat as user1 but this user doesn't have permissions to the tomcat rectory (only tomcat has execute permissions). I have a temporary workaround in place while I work on the scripts (I have an SSH key in place that allows me to SSH from user1o tomcat without a password and execute my commands that way) but it is not very secure. I have tried adding the following line to /etc/sudoers:
Code: tomcat localhost = NOPASSWD: /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh but it doesn't work as I expected it to. I tried a few different syntaxes for that line,