LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices



Reply
 
Search this Thread
Old 02-10-2010, 08:55 AM   #1
unix1adm
Member
 
Registered: Oct 2008
Posts: 627

Rep: Reputation: 30
question about securing root


I have been doing some reading and some playing around.
I want to lock root down to only the console and not allow direct logins.

However is I modify the sshd_config and changed this line...
PermitRootLogin no

It works as expected. No ssh root logins allowed.

However in my AIX environment I have a "master server" that I use to ssh to all my systems with keys and if I turn this off on the Linux box it disables this function.

I messed with
PermitRootLogin without-password

This works but I was also reading up on
pam_access module.

So my question how secure is the PermitRootLogin without-password
vs
pam_access

and is it hard to set up the pam stuff? I am still reading up on it. But thought I would ask.

Last edited by unix1adm; 02-10-2010 at 08:56 AM.
 
Old 02-10-2010, 09:37 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
I don't understand why disabling root logins would not allow regular logins. Could you explain how the "master server" works in regard to making ssh connections?

On a Linux or BSD system, read the /etc/ssh/sshd_config file. Pay attention to the comments above the UsePAM Yes line.
You can use PAM for session control but use public key authentication.
Code:
# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and          
# PasswordAuthentication.  Depending on your PAM configuration,       
# PAM authentication via ChallengeResponseAuthentication may bypass   
# the setting of "PermitRootLogin without-password".                  
# If you just want the PAM account and session checks to run without  
# PAM authentication, then enable this but set PasswordAuthentication 
# and ChallengeResponseAuthentication to 'no'.                        
UsePAM yes
I've never allowed root logins on my system. I think that without-password mean the same thing as "PasswordAuthentication no" but only for root. I think that a general "PasswordAuthentication no" would suffice but "PermitRootLogins without-password" allows you to configure root for public key authentication but allow password authentication for regular users.

If you must have root logins, pubkey authentication that you have now would be best.

How are regular user ssh logins handled?

Last edited by jschiwal; 02-10-2010 at 10:00 AM.
 
Old 02-10-2010, 10:43 AM   #3
unix1adm
Member
 
Registered: Oct 2008
Posts: 627

Original Poster
Rep: Reputation: 30
Disabling root longs prevents us (not regular users) from using out "master" as a jumping off point. It will not allow root to ssh from that system.

My master server is an AIX system that is setup as a jumping off point for all my systems. We use it to build all our other AIX system using nim so ssh keys are in place and root can just ssh over from it to any system.

As for regular users they ssh in using putty or ssh command from a U/Linux box. Password is required as it should be.
 
Old 02-10-2010, 11:37 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
You share the same private key for all of your servers? Using keys instead of passwords is a good idea, but sharing private keys isn't IMHO. Compromise one server and you have keys for all of them.

In an apartment building I used to live in, an employee of the company managing a number of apartment buildings lost the master key. They didn't want to trouble themselves with having a separate master key for each building and had to replace the locks of all of the apartments in all of the buildings. It cost them $60,000.

Maybe you should provide your sshd_config file. Do the AIX servers use openssh or a commercial product?
If it is openssh (which is bsd) then you could use one of the other servers sshd_config file as a model. Since they use public key authentication. Is there a difference in the Master in how AIX servers are reached versus your Linux host?

It seems to me that if you use public key authentication for root, but allow password authentication for regular users, then you need the "AllowRootLogins --without-password" to prevent challenge/response authentication. Is the Linux host configured to allow root password authentication?

If you know that ssh only comes from the "master" you can lock down from which machine to allow ssh logins.
If only a small number of users are allowed to log in, I would use "AllowUsers" to prevent login attempts from other users or attempts against system users.

Using a from="IP or Host List" in authorized_keys can prevent attempts from unauthorized locations. A person with a stolen key will need to try logging in from a machine with an authorized domain name or IP address. See "man sshd" for info on this. An example from the manpage:
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa

Is the problem at the "master" or refusal to connect at the Linux box? Can you run "ssh -vv" to provide verbose feedback? Is the Linux host using the host key or the key in /root/.ssh/? The verbose debug information should say. It may provide information on why exactly logins fail. Also check the logs you have for the kernel, security, warnings in /var/log/.

Last edited by jschiwal; 02-10-2010 at 11:50 AM.
 
Old 02-11-2010, 03:44 PM   #5
unix1adm
Member
 
Registered: Oct 2008
Posts: 627

Original Poster
Rep: Reputation: 30
We do not share the private key for root. Just the public one.

ie:
aix master server call it AM
Aix client will be client AC
Linux will be LC

I ssh to AM login with my uid then su- root.
I can now ssh (openssh) to any AC system without being asked for a password (keys in place)
If I try to ssh from AM to LC with the PermitRootLogin = no in the sshd_config file I get asked for a pasword. If I supply the password it still wont let me in.

Now if I try to do the same thing with PermitRootLogin=yes I can ssh in as usual like AIx systems do.

If I use the PermitRootLogin without-password I can login like before.

My users all ssh over from putty fine.

What I am trying to learn about is using the pam_access module instead of the PermitRootLogin without-password.

is it more secure than the above method in ssh?

I was reading this link:
http://www.puschitz.com/SecuringLinu...SharedAccounts

Last edited by unix1adm; 02-11-2010 at 03:53 PM.
 
Old 02-11-2010, 08:44 PM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041
You should (normally) disable root login from ssh. If you want to lock it down to root only able to access from the console edit this file http://linux.die.net/man/5/access.conf
 
Old 02-12-2010, 10:36 AM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
I thought you were replicating both key pairs when you created an AIX server from the master.

Do you have the public keys for the Linux servers installed in the AM server? I'm guessing that the root user has copies of the public keys for other servers.

For the Linux server (LC)
Check which key pair is used for root logins. The ones in /root/.ssh/ or the host keys in /etc/ssh/. I'm not actually certain. The public key may need to be modified after installation so the correct host name is listed in the end.

If you need to allow root logins to LC, using PermitRootLogin without-password would be more secure. Root is a known user and an attacker can deploy a dictionary attack against it. As I understand it "PermitRootLogin without-password" uses public key authentication for the root user. It is my guess it is for a situation like yours where regular users don't use public key authentication. One disadvantage of public key ssh authentication in my opinion is that while the clients private key can be protected with a strong passphrase, this policy may not be enforceable.

At home I use pubkey authentication and don't allow root logins. If I need to do something remotely as root, I will use sudo or su after logging in as a regular user. Public key authentication can be used with putty, but the keypairs may not be secure in Windows.

Maybe your question should be if allowing root logins with pubkey authentication is safer than having a user who is a member of the %wheel group log in with username/password credentials, which can be guessed, but for which a password strength measurement can be employed. In your case, only allowing root logins from the AM server helps, compared to having logins from a laptop which can be lost or stolen. I think that if you want to improve security for the Linux server, you should lock down the times and places that root logins are allowed. This will help protect against a admin who knows the root password from stealing the private key for AM.

The best option may be to use public key authentication for everyone. There is still the lost private key problem, but online attacks are eliminated.

Last edited by jschiwal; 02-12-2010 at 11:02 AM.
 
Old 02-15-2010, 08:57 AM   #8
unix1adm
Member
 
Registered: Oct 2008
Posts: 627

Original Poster
Rep: Reputation: 30
Thank you jscihwal for the good info.

If I remove (lets just use my account) my user id from the wheel group then I wont be able to su or sudo to root right?

From what I have read I have to be a member of the wheel group to do root functions.
Root should never login to our system AIX or Linux directly unless on the console (in a secure location). Usually we login with our UID then su to root unless there is something that prevents us then and only then would we use console access.

Can you clue me in on this statement:
"The best option may be to use public key authentication for everyone. There is still the lost private key problem, but online attacks are eliminated."

May be I am missing something but I really dont want users to login without a password.
If their Laptop is stolen etc then its easier for someone to get into the system. Of course they have to bypass the encrypted drive and then get on the vpn or network etc.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Securing FTP, chroot... Not the same old question! s2cuts Linux - Server 2 08-09-2008 03:19 PM
How to :: Securing SSH: protocol SSH2 and hiding the direct access of root sysconfig Red Hat 3 09-07-2006 09:30 AM
root question manicman Linux - Newbie 2 11-03-2005 05:20 AM
root question spuppett Linux - General 4 03-01-2003 06:18 PM
Securing root access vcheah Linux - Security 6 12-23-2001 04:03 PM


All times are GMT -5. The time now is 12:26 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration