LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   NIS+NFS: how to prevent users from logging directly into the server? (http://www.linuxquestions.org/questions/slackware-14/nis-nfs-how-to-prevent-users-from-logging-directly-into-the-server-4175427587/)

kikinovak 09-17-2012 02:33 AM

NIS+NFS: how to prevent users from logging directly into the server?
 
Hi,

I have setup a network with centralized authentication, as described in this HOWTO:

http://docs.slackware.com/howtos:roaming_profiles

Everything works fine, but I need to add one more restriction. Users are all able to log into their account from any desktop client, but how can I prevent them from logging directly into the server? In short...
  1. Any user can log into his or her account on any desktop client
  2. No users should be allowed to log in directly into the server.
  3. Similarly, users shouldn't be able to ssh into the server with their own account

Why would I want to do this? Well, this is a multi-purpose server that not only holds all account information on the NIS server and all users' /home directories (shared by NFS). It's also a Samba server with mixed clearance levels (public, confidential), and some of the data is - in theory - readable for users. The measure described above would simply prevent users from snooping around in /srv/samba/ on the server.

EricTRA 09-17-2012 02:41 AM

Hello,

Have a look at:
Code:

man sshd_config
more in particular, AllowUsers and DenyUsers. By using those keywords you can restrict access to your server to (a) specific user(s) through SSH while maintaining your user setup. The only thing you'll need to do besides that is lock the door to the server room so that they don't have physical access to the console.

Kind regards,

Eric

kikinovak 09-17-2012 03:46 AM

Quote:

Originally Posted by EricTRA (Post 4782057)
Hello,

Have a look at:
Code:

man sshd_config
more in particular, AllowUsers and DenyUsers. By using those keywords you can restrict access to your server to (a) specific user(s) through SSH while maintaining your user setup. The only thing you'll need to do besides that is lock the door to the server room so that they don't have physical access to the console.

Kind regards,

Eric

Unfortunately the server is physically accessible to users, and there is no way to prevent that. That's why I wonder if there's a way to configure it so that only me (kikinovak) and root can log into the server directly.

wildwizard 09-17-2012 04:25 AM

man 5 nologin

EricTRA 09-17-2012 02:58 PM

Quote:

Originally Posted by kikinovak (Post 4782094)
Unfortunately the server is physically accessible to users, and there is no way to prevent that. That's why I wonder if there's a way to configure it so that only me (kikinovak) and root can log into the server directly.

Hi,

There's your first and most important flaw in security in my opinion. Why on earth would you allow physical access to your server? There's no way you can prevent a medium clever guy to get access to your machine one way or another.

Kind regards,

Eric

---------- Post added 17-09-12 at 20:59 ----------

Quote:

Originally Posted by wildwizard (Post 4782111)
man 5 nologin

Hi,

Easy enough to bypass since users have physical access to the server.

Kind regards,

Eric

kikinovak 09-18-2012 12:40 AM

Quote:

Originally Posted by EricTRA (Post 4782555)
Hi,

There's your first and most important flaw in security in my opinion. Why on earth would you allow physical access to your server? There's no way you can prevent a medium clever guy to get access to your machine one way or another.

Kind regards,

Eric

---------- Post added 17-09-12 at 20:59 ----------


Hi,

Easy enough to bypass since users have physical access to the server.

Kind regards,

Eric

It's not only this single install. More often that not, I get called in small companies or local administrations to replace the Windows-only network by either a Linux network or a mixed network. Most of the time, I don't get to choose the physical location of server and clients. They're already there. So I have to deal with it.

Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact login to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".

caduqued 09-18-2012 04:12 AM

Quote:

Originally Posted by kikinovak (Post 4782933)
...
Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact login to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".

Well, although this kind of "psychological" firewall could be valid for the majority of 15~20-years-old students so used to MS Windows or OSX, that is not going to prevent one or two "wannabe-hacker" juveniles trying to challenge the system, IMHO.

EricTRA 09-18-2012 07:33 AM

Quote:

Originally Posted by kikinovak (Post 4782933)
It's not only this single install. More often that not, I get called in small companies or local administrations to replace the Windows-only network by either a Linux network or a mixed network. Most of the time, I don't get to choose the physical location of server and clients. They're already there. So I have to deal with it.

Though I must add in practical life, the security flaw is next to zero. My most "dangerous" users are 15-20-year-old students in a school, and they do in fact login to the server on my desk sometimes... only to be bored to death after two seconds because "there's only this black and white thingy there's not even a mouse".

Hello,

Let's hope they all will be bored very soon when they login and that you don't have a wannabee script kiddie in your class as already indicated by caduqued.

Kind regards,

Eric

ml4711 09-18-2012 08:40 AM

To prevent login by xdm. kdm, you can test on $DISPLAY and $USER in the Xsession file,
and then just exit if you do not like the combination of the two variables.

Be sure you have the exact value of the DISPLAY variable,
and then if $DISPLAY is ":0.0" put something like this quite early in the Xsession file:

# Exit if user not allowed
if [ "x$DISPLAY" = "x:0.0" -a "$USER" != "kiki" ]; then
exit
fi

And also you have to prevent login on the virtual console.


All times are GMT -5. The time now is 04:58 PM.