M. Fioretti
2006-Jun-14 16:56 UTC
[CentOS] How to create a secure user only for ssh login?
Hello,

I've read on several howtos that one way to make ssh more secure, or at least reduce the damage if somebody breaks in, is to NOT allow direct ssh login from root, but allow logins from another user. So you have to know two passwords in order to do any real damage.

Does this make sense? If yes, what is the right way to create a user only for this purpose, that is one that can only log in to give me a local prompt to become root, but has no privilege, no possibility to create files, or do anything at all?

TIA,
Marco

-- 
Marco Fioretti                 mfioretti, at the server mclink.it
Fedora Core 3 for low memory   http://www.rule-project.org/

Don't you wish you had more energy... or less ambition?
Les Mikesell
2006-Jun-14 17:38 UTC
[CentOS] How to create a secure user only for ssh login?
On Wed, 2006-06-14 at 18:56 +0200, M. Fioretti wrote:
> I've read on several howtos that one way to make ssh more secure, or
> at least reduce the damage if somebody breaks in, is to NOT allow
> direct ssh login from root, but allow logins from another user. So you
> have to know two passwords in order to do any real damage.
>
> Does this make sense? IF yes, what is the right way to create an user
> only for this purpose, that is one that can only login to give me a
> local prompt to become root, but has no privilege, no possibility to
> create files, or do anything at all?

Normally you would want people to use their own account for the initial login - and to use good passwords so a dictionary attack isn't likely to work.

-- 
  Les Mikesell
   lesmikesell at gmail.com
King, John (Greg) (LMIT-HOU)
2006-Jun-14 17:40 UTC
[CentOS] How to create a secure user only for ssh login?
One way is the wheel group in /etc/group. Uncomment the following line in /etc/pam.d/su:

    auth required /lib/security/$ISA/pam_wheel.so use_uid

Uncommenting this line allows only the users in the wheel group to become root by using the su command and entering the root password. All other users will receive a message stating the password is incorrect.

You will also want to create the wheel group in /etc/group and add users to it if it does not exist (CentOS 4 I know does, but some older Red Hat implementations did not, if I recall correctly). I am unsure of how this interacts with sudo, though. If you allow users to use the sudo command, make sure they cannot 'sudo su root'.

-Greg

> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of M. Fioretti
> Sent: Wednesday, June 14, 2006 11:57 AM
> To: centos at centos.org
> Subject: [CentOS] How to create a secure user only for ssh login?
>
> Hello,
>
> I've read on several howtos that one way to make ssh more secure, or
> at least reduce the damage if somebody breaks in, is to NOT allow
> direct ssh login from root, but allow logins from another user. So you
> have to know two passwords in order to do any real damage.
>
> Does this make sense? IF yes, what is the right way to create an user
> only for this purpose, that is one that can only login to give me a
> local prompt to become root, but has no privilege, no possibility to
> create files, or do anything at all?
>
> TIA,
> Marco
>
> --
> Marco Fioretti                 mfioretti, at the server mclink.it
> Fedora Core 3 for low memory   http://www.rule-project.org/
>
> Don't you wish you had more energy... or less ambition?
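The checks implied by Marco's question (no direct root login over ssh) and by Greg's pam_wheel recipe, as an added example that is not part of the thread and not CentOS code: a POSIX shell script that audits copies of /etc/pam.d/su, /etc/group and /etc/ssh/sshd_config for an active pam_wheel line and its options, wheel membership of the login user, and the effective PermitRootLogin value. The sample files it writes are constructed here, not taken from any real system, and the function names (pam_wheel_active, user_in_group, sshd_permit_root_login, make_samples) are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from CentOS: audit the settings the
# thread relies on -- su restricted to wheel via pam_wheel, the login user
# actually being in wheel, and sshd refusing direct root login. Each check
# takes a file path, so it can be pointed at copies of the real files or at
# the constructed samples written by make_samples below.

# Return 0 if FILE has an uncommented "auth required|requisite ... pam_wheel.so"
# line. Accepts both the CentOS 4 path form (/lib/security/$ISA/pam_wheel.so)
# and the bare module name newer PAM configs use.
pam_wheel_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+(/[^[:space:]]*/)?pam_wheel\.so([[:space:]]|$)' "$1"
}

# Print the options on the first active pam_wheel.so line (e.g. "use_uid").
# Worth eyeballing: the "trust" option lets wheel members su WITHOUT the root
# password, which removes the second password the thread is counting on.
pam_wheel_options() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+(/[^[:space:]]*/)?pam_wheel\.so' "$1" \
        | head -n 1 | sed 's/.*pam_wheel\.so[[:space:]]*//'
}

# Return 0 if USER appears in GROUP's member list in a group(5) file
# (name:password:gid:member1,member2,...). A user whose primary group in
# /etc/passwd is wheel would not show up here; check passwd separately.
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the effective PermitRootLogin value from an sshd_config. sshd takes the
# first occurrence of a keyword, so a later duplicate does not override it.
# Prints "unset" if the directive is absent (the compiled-in default applies).
# Match blocks are not handled.
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Write constructed sample files (not copied from any system) into DIR.
make_samples() {
    cat > "$1/su.hardened" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    cat > "$1/su.default" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#auth      required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root
wheel:x:10:root,marco
users:x:100:
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
Protocol 2
PermitRootLogin no
# sshd keeps the first value, so this later line has no effect:
PermitRootLogin yes
EOF
    cat > "$1/sshd_config.default" <<'EOF'
Protocol 2
#PermitRootLogin yes
EOF
}

# Run every check against the samples and report, the way an audit would.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in su.hardened su.default; do
        if pam_wheel_active "$d/$f"; then
            echo "$f: su limited to wheel (pam_wheel options: $(pam_wheel_options "$d/$f"))"
        else
            echo "$f: anyone with the root password can su"
        fi
    done
    for u in marco mallory; do
        if user_in_group "$d/group" wheel "$u"; then
            echo "$u: member of wheel"
        else
            echo "$u: not in wheel, su will be refused"
        fi
    done
    for f in sshd_config.hardened sshd_config.default; do
        echo "$f: PermitRootLogin = $(sshd_permit_root_login "$d/$f")"
    done
    rm -rf "$d"
}

demo
```

Run it as-is to see the report on the samples, or call the individual functions against the real files, e.g. `pam_wheel_active /etc/pam.d/su && user_in_group /etc/group wheel marco`. An "unset" result from sshd_permit_root_login means the sshd build's default is in force, which on older OpenSSH releases permits root login; set `PermitRootLogin no` explicitly rather than relying on the default.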
King, John (Greg) (LMIT-HOU)
2006-Jun-14 19:24 UTC
[CentOS] How to create a secure user only for ssh login?
> (must I)/can I reduce as much as possible the privileges/access rights
> of the my_aux_login account? so that if somebody breaks _its_
> password, it won't be able to do anything, including browsing around
> to see what's installed?

Ah. I think I have a clearer idea of what you're wanting to do now. You may want to look at SELinux (comes with CentOS 4, but may be either enabled, set to warn, or disabled depending on how it was installed). I have not yet had time to understand the SELinux mechanism, but I recall a discussion where the person used SELinux to reconfigure what the root account could do, left the console logged in and asked people to break into the system using the root account. If SELinux can be used to change how root behaves, it should be able to do the same with non-root accounts.

Anyhow, here are some links I found that may help.

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/rhlcommon-section-0047.html
http://danwalsh.livejournal.com/1538.html
http://www.nsa.gov/selinux/

-Greg