Old 09-21-2011, 09:02 AM   #1
firefiber
LQ Newbie
 
Registered: Sep 2011
Posts: 16

SSH connections and file/folder permission dilemma.


Okay so, I'm still pretty new to Linux (haven't used a lot of distros extensively).

I put up an SSH server on Ubuntu 10.04 so one of my friends and I could tunnel when we're on public wifi. It works great.

Here's the problem: say, when I was installing Ubuntu, the user I created was called 'optimus', right? So now there's just one main user, and then the root user, yes? So is it normal for one user to handle multiple connections? 'Cause my friend and I would sometimes connect at the same time. Will that mess anything up?

Also, file/folder permissions: say I create two new users, for my friend and me. The owner of /etc/ssh is optimus, and the group is root. The same is true for all the files inside. If I change the owner to root and the group to, say, 'admin' (which optimus is a part of, obviously), I can't see the data inside unless I sudo. Why is that? I've specifically made optimus a part of group 'admin', yet I can't access it.

So if I create two new users, what file/folder permission/ownerships will I need to change? The 'AllowUsers' option in the sshd_config file refers to the local users on the server, right?

-Kraven.
 
Old 09-21-2011, 09:16 AM   #2
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

I'm glad you've made some headway into the realm of Linux. There's nothing like the feeling of tunneling through SSH into the wild wild web.

To answer your questions: yes, you can have as many SSH logins for the same user as you want, unless you want to limit them via the configuration. So it doesn't mess anything up to have the same user logged in from several different locations doing different things.

There is one confusion you have concerning the Root user on Ubuntu. Traditional Linux and Unix have an actual user account named Root; however, in Ubuntu you only have the one user you created, and you have to use the sudo command to elevate that user to the level of Root.

I would like to caution you about file and folder permissions, in particular the ones in the folder /etc. This is perhaps the most critical folder on your Linux system; nearly all of your configs and settings are stored there, and if you futz with the permissions it is possible for someone to see and edit those files who should not be editing them. The /etc/ssh folder in particular stores the configs for the SSH daemon, which is the service that runs the SSH server you and your friend are using.

I imagine you changed the group permissions on it, but not all the permissions. I suggest putting it back to the group root and not changing ANY of the permissions on the /etc folder at all.

Is there some specific reason for wanting to edit the /etc/ssh folder so freely? If you're trying to figure out where your login folder is when you SSH into your box, it's usually the user's home folder, which would in your case be located at /home/optimus if you're using the standard Ubuntu layout.

I suggest reading up on Linux and Unix permissions and how to use the chmod and chown commands to figure out how they work.

Take some time and read over this site: http://www.cyberciti.biz/faq/how-lin...missions-work/ . The cyberciti.biz site is AWESOME for Linux and BSD how-tos.
 
1 members found this post helpful.
Old 09-21-2011, 10:30 AM   #3
firefiber
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
Quote:
Originally Posted by tekhead2
unless you want to limit them via the configuration.
That's the thing: say I want to limit it, how should I go about doing that? Say I don't want anyone connected via SSH to be able to modify any settings, even with the SUDO command. How should I do that? I was thinking maybe I should create a new user, and limit them completely; but once I create a new user, will I have to copy the public keys to the home folder of the new user? Any suggestions?

Quote:
Originally Posted by tekhead2
I would like to caution you about file and folder permissions, in particular the ones in the folder /etc. This is perhaps the most critical folder on your Linux system; nearly all of your configs and settings are stored there, and if you futz with the permissions it is possible for someone to see and edit those files who should not be editing them. The /etc/ssh folder in particular stores the configs for the SSH daemon, which is the service that runs the SSH server you and your friend are using.
Haha, yeah. I learned about that the hard way! I was messing about with Gentoo (was trying to dual boot Ubuntu and Gentoo) and by mistake messed up the permissions for my ENTIRE Ubuntu partition. Had to wipe it clean and start over. But no, the permissions for my /etc/ssh folder are set to 700 and the files are set to 600. The owner is optimus and the group is root. Should I keep it this way? That's the thing: if I add a new user, how can I allow him to access the host keys if the folder is owned by a different user?

Quote:
Originally Posted by tekhead2
Take some time and read over this site: http://www.cyberciti.biz/faq/how-lin...missions-work/ . The cyberciti.biz site is AWESOME for Linux and BSD how-tos.
Thanks! I'll check it out. =)

And thanks again for the really quick reply!
 
Old 09-21-2011, 01:37 PM   #4
wpeckham
Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix
Posts: 774

permissions

No users need to access the host keys. The ssh daemon does that FOR them.

I think you are complicating things too much. On a normal system running OpenSSH, only root should be able to change the ssh configuration. No one else should own any of its files or folders; they do not NEED that access. Each user has a ~/.ssh folder with their personal keys and settings, which ONLY they should own and have access to.

I would recommend using one account per user, but there is nothing magic that forces you: it is just easier to keep track of logged events that way.
 
2 members found this post helpful.
Old 09-21-2011, 03:00 PM   #5
firefiber
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
Quote:
Originally Posted by wpeckham
No users need to access the host keys. The ssh daemon does that FOR them.

I think you are complicating things too much. On a normal system running OpenSSH, only root should be able to change the ssh configuration. No one else should own any of its files or folders; they do not NEED that access. Each user has a ~/.ssh folder with their personal keys and settings, which ONLY they should own and have access to.

I would recommend using one account per user, but there is nothing magic that forces you: it is just easier to keep track of logged events that way.
Okay, I think I've got it now (but I'll have to read up a little bit more on ownership and permissions - it's still confusing).
So basically, if I add a new user (just a standard user), and I generate the key pair and store it in the home folder, I'm good to go, right?

Thanks guys!
 
Old 09-21-2011, 03:21 PM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

You on the server? No! You create the users on the server, no ~/.ssh necessary. They have to issue on their machines (with no ~/.ssh right now):
Code:
$ ssh-keygen -t rsa
$ ssh-copy-id servername
All created files and folders will get the correct permissions automatically. Then they will log on using the ssh key in the future.
 
Old 09-21-2011, 04:11 PM   #7
firefiber
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
Quote:
Originally Posted by Reuti
You on the server? No! You create the users on the server, no ~/.ssh necessary. They have to issue on their machines (with no ~/.ssh right now):
Code:
$ ssh-keygen -t rsa
$ ssh-copy-id servername
All created files and folders will get the correct permissions automatically. Then they will log on using the ssh key in the future.
But what about the authorized_keys file? Wouldn't I have to copy that to the home folder of every user on the server machine? The way I made it, I generated the key-pair on the server itself, and then copied the private key via WinSCP to my pendrive ('cause I access the server on a Windoze machine, through PuTTY).

So if I make new users on the server machine (Ubuntu), will I have to make an ~/.ssh folder in /home/user manually and copy the authorized_keys file to each? Or can I instead move the authorized_keys file to /etc/ssh and point sshd_config to that location? Would that work?
 
Old 09-21-2011, 04:32 PM   #8
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4
Posts: 1,319

Quote:
Originally Posted by firefiber
But what about the authorized_keys file? Wouldn't I have to copy that to the home folder of every user on the server machine? The way I made it, I generated the key-pair on the server itself, and then copied the private key via WinSCP to my pendrive ('cause I access the server on a Windoze machine, through PuTTY).

So if I make new users on the server machine (Ubuntu), will I have to make an ~/.ssh folder in /home/user manually and copy the authorized_keys file to each? Or can I instead move the authorized_keys file to /etc/ssh and point sshd_config to that location? Would that work?
Sorry, I wasn't aware that your clients are using Windows machines. My personal opinion is that a private key should never ever leave the machine it was created on, to avoid forgetting all the locations you copied it to. So, if your users have Windows, then it's best that they create the keys on their own using puttygen and save the private part of the key locally. The public part they can copy and paste to send you an email with it. In principle there is no need to save the public part locally on the Windows machines as well. You don't need it there, and it can always be recreated out of the private part (this also works on Linux with ssh-keygen -y).

So, on the Linux server you are right to create the appropriate folder for them and put the one line with the public part of the key into the home directories, like ~reuti/.ssh/authorized_keys for the appropriate user. The home directory must not be writable by anyone besides the user himself. The ~reuti/.ssh directory must not be readable by anyone except the user himself.

If I understand you correctly, you are even about to distribute one and the same private key to each and every user, with the result that anyone could log in as any user. Each user should have his own private key bound to one machine. Once a private key is in the wild on a USB stick, anyone getting access to it might log in.

I also suggest using a passphrase for the private key. If it is annoying to enter this all the time on the Windows machine, you could think of running Pageant there to have a nice forwarding to remote servers.
 
1 members found this post helpful.
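As an added example (not code from the thread), a small POSIX shell check that verifies the ownership and mode rules Reuti lists above for a user's home, ~/.ssh and authorized_keys; these are also the conditions sshd enforces when StrictModes is on (the default), so a failing check usually explains a mysterious "key rejected" login. It assumes GNU/Linux `stat -c`, and the home path and expected owner are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Exit status 0 = all OK,
# 1 = at least one problem (each problem is printed).
# Assumes GNU stat (-c '%U' for owner, -c '%A' for symbolic mode).

# _check_path PATH OWNER STRICT
# Rejects wrong owner and any group/other write bit; with STRICT=1 it
# also rejects any group/other read or execute bit (the ~/.ssh rule).
_check_path() {
    p=$1 owner=$2 strict=$3 ok=0
    if [ ! -e "$p" ]; then echo "$p: missing"; return 1; fi
    if [ "$(stat -c '%U' "$p")" != "$owner" ]; then
        echo "$p: not owned by $owner"; ok=1
    fi
    perm=$(stat -c '%A' "$p")            # e.g. drwxr-xr-x
    case $perm in                        # 6th char = group w, 9th = other w
        ?????w*|????????w*)
            echo "$p: writable by group or others ($perm)"; ok=1 ;;
    esac
    if [ "$strict" = 1 ]; then
        case ${perm#????} in             # group+other part only
            *[rwx]*)
                echo "$p: accessible by group or others ($perm)"; ok=1 ;;
        esac
    fi
    return $ok
}

# check_ssh_perms HOME OWNER
check_ssh_perms() {
    home=$1 owner=$2 rc=0
    # Home: owned by the user, not writable by group or others.
    _check_path "$home" "$owner" 0 || rc=1
    # ~/.ssh: owned by the user, no access at all for anyone else (700).
    _check_path "$home/.ssh" "$owner" 1 || rc=1
    # authorized_keys: owned by the user, not writable by others.
    if [ -e "$home/.ssh/authorized_keys" ]; then
        _check_path "$home/.ssh/authorized_keys" "$owner" 0 || rc=1
    else
        echo "$home/.ssh/authorized_keys: missing"; rc=1
    fi
    return $rc
}

# Usage on the server from the thread: check_ssh_perms /home/optimus optimus
```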
Old 09-21-2011, 11:40 PM   #9
b0ffen
LQ Newbie
 
Registered: Jun 2003
Location: Örebro : Sweden
Distribution: Ubuntu
Posts: 3

I think that you actually can control who can sudo in the file /etc/sudoers.
Something in the back of my head mumbles that.
 
1 members found this post helpful.
Old 09-23-2011, 10:15 AM   #10
wpeckham
Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix
Posts: 774

Absolutely

You can control which users can use sudo, and (if you want to get that specific) exactly what commands they can and cannot run using it.

I recommend reading the sudoers file and its comments and examples (using the command 'sudo visudo'), but check the man pages and various how-to documents before you change anything. If you lock out your OWN account, it may be fun trying to recover.
 
1 members found this post helpful.
Old 09-24-2011, 02:33 AM   #11
firefiber
LQ Newbie
 
Registered: Sep 2011
Posts: 16

Original Poster
Thanks for all the help folks!

So I've got it set up now: one main user and two standard users on the server machine (Ubuntu), who aren't in the sudoers file, so they can't do much once they get in anyway.

Edited the permissions of my /etc/ssh folder and files correctly. Also, instead of making separate ~/.ssh folders for each user and placing the authorized_keys file there, I placed that file directly in the /etc/ssh folder and edited the sshd_config to point to that. I haven't had a chance to test it yet, but it should work right? If it doesn't, I'll just go back to the normal method.

And, just to bombard y'all with random information, I put up a hamachi network too - this is a heck of a lot of fun!
But I'm leaning away from Ubuntu and more towards Gentoo now, so I'll prolly come back with more questions on that soon.

Thanks again for the help, guys!
 
Old 09-25-2011, 08:28 AM   #12
wpeckham
Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix
Posts: 774

I wonder if my car would run right on three wheels?

I am not sure why you would want to modify how a security package works to make it less secure, that sounds wrong somehow.
I hope it does what you want and wish you success.
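The setup from post #11 (one authorized_keys file under /etc/ssh for every account) is what wpeckham's "three wheels" remark points at: with a shared file, every key in it authenticates as every user, which is exactly the "anyone could log in as any user" situation Reuti warned about. OpenSSH does support a central location without that loss, because AuthorizedKeysFile expands %u (user name) and %h (home), e.g. `AuthorizedKeysFile /etc/ssh/authorized_keys/%u`, which root maintains and no user can edit. As an added example (not from the thread), this POSIX shell function reads an sshd_config and reports whether its AuthorizedKeysFile setting is per-user or shared; it assumes the path to the config is given as the first argument and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread.
# audit_authorized_keys_file SSHD_CONFIG
# Prints one line per configured path and returns 1 if any path is an
# absolute file with neither %u nor %h, i.e. shared by all accounts.
# sshd uses the first AuthorizedKeysFile line it finds; relative paths
# are resolved against each user's home; "none" disables key files.
audit_authorized_keys_file() {
    cfg=$1
    # First uncommented AuthorizedKeysFile line, keyword case-insensitive,
    # possibly listing several paths. (Match blocks are not handled here.)
    paths=$(awk 'tolower($1) == "authorizedkeysfile" {
                    for (i = 2; i <= NF; i++) print $i; exit }' "$cfg")
    # sshd's built-in default when the keyword is absent.
    [ -n "$paths" ] || paths=".ssh/authorized_keys .ssh/authorized_keys2"
    rc=0
    for p in $paths; do
        case $p in
            none)        echo "disabled: no authorized_keys files used" ;;
            /*%u*|/*%h*) echo "per-user: $p (expanded for each account)" ;;
            /*)          echo "SHARED by all accounts: $p"; rc=1 ;;
            *)           echo "per-user: $p (relative to each home)" ;;
        esac
    done
    return $rc
}

# Usage: audit_authorized_keys_file /etc/ssh/sshd_config
```

Constructed sample configs for trying it: a line `AuthorizedKeysFile /etc/ssh/authorized_keys` is reported as shared, while `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` and a config without the keyword are reported as per-user.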
 