LinuxQuestions.org
Linux - Newbie: This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
#16 | scasey, Senior Member (CentOS 7.6) | 03-01-2019, 03:38 PM
Quote:
Originally Posted by JockVSJock View Post
I feel like folks get emotional and miss details that I've provided and then it becomes an echo chamber of "it's not secure."
Yes. My thought was that you probably knew it wasn't secure since you were asking for ways to fix it.
 
#17 | pan64, LQ Guru (debian/ubuntu/suse ...) | 03-02-2019, 11:38 AM
Quote:
Originally Posted by JockVSJock View Post
What is a good approach for managing this? Because it is not clear to me.
That was explained. You don't need to solve that problem with workarounds; you need to avoid that situation altogether. But probably I misunderstood it (completely?). I mean (for example) users are not allowed to put their keys everywhere....
I do not want to offend you. Just wanted to give you the best hint I can.
Obviously nologin, sudoers and other things mentioned earlier are definitely good and useful, but if the keys are there you are lost. And I think even root can be compromised.
 
#18 | Turbocapitalist, Senior Member (Linux Mint, Devuan, OpenBSD) | 03-02-2019, 11:51 AM
Also the accounts don't need write access to the SSH keys. You can move the AuthorizedKeysFile to a location where they can be read but not written.
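An added example of what that relocation looks like on a RHEL/CentOS host, together with a check that the key files really ended up read-only for the accounts that use them. This is my code, not Turbocapitalist's; the path /etc/ssh/authorized_keys/%u, the 0644 mode and the KEYDIR override (so the functions can be tried on a scratch directory first) are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: keep authorized_keys out of the home
# directory so the account that logs in with a key cannot add keys to itself.
# Assumed layout: /etc/ssh/authorized_keys/<user>, owned by root, mode 0644.
# KEYDIR is overridable so the functions can be exercised on a scratch directory.
set -u

KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys}"

# sshd_config fragment. sshd reads only the paths listed in AuthorizedKeysFile,
# so listing just this one means ~/.ssh/authorized_keys is ignored entirely.
central_keys_config() {
    printf 'AuthorizedKeysFile %s/%%u\n' "$KEYDIR"
}

# Copy an account's existing authorized_keys into KEYDIR, read-only for the
# account itself (install sets the mode regardless of umask).
# Usage: migrate_user_keys <user> <existing authorized_keys file>
migrate_user_keys() {
    install -d -m 0755 "$KEYDIR" || return 1
    install -m 0644 "$2" "$KEYDIR/$1"
}

# Returns 0 when FILE is not writable by group or other, 1 otherwise.
# The last two octal digits are group and other; a write bit is 2, 3, 6 or 7.
not_group_other_writable() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        *[2367][0-7]|*[2367]) return 1 ;;
    esac
    return 0
}

# Count the keys in FILE that still give a full session: key lines without a
# command="..." restriction. Comment and blank lines are ignored.
count_unrestricted_keys() {
    n=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" 2>/dev/null \
        | grep -vc 'command="') || true
    echo "$n"
}

# Audit every key file under KEYDIR. Prints one line per finding and returns
# the number of files with a problem (0 means clean).
audit_keydir() {
    bad=0
    for f in "$KEYDIR"/*; do
        [ -f "$f" ] || continue
        if ! not_group_other_writable "$f"; then
            echo "WRITABLE: $f (mode $(stat -c %a "$f"))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

After appending the output of central_keys_config to sshd_config, run `sshd -t` and reload sshd while keeping an existing session open, then confirm from a second terminal that key logins still work. Because sshd only consults the listed path, a user who later drops a key into ~/.ssh/authorized_keys gains nothing.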
 
#19 | JockVSJock, Senior Member, original poster (RHEL/CentOS) | 04-17-2019, 08:57 PM
Sorry, I got side tracked with work, however I want to thank everyone for their answers. This is what I've taken away from this thread.


1. There are no "service accounts" in Linux.

2. I've set the shell for accounts that certain end users keep logging into directly to /sbin/nologin, when they should log in with their normal user account and then escalate to a different account.

thanks
 
#20 | pan64, LQ Guru (debian/ubuntu/suse ...) | 04-18-2019, 12:25 AM
did it solve your issue?
 
#21 | JockVSJock, Senior Member, original poster (RHEL/CentOS) | 04-18-2019, 04:39 AM
Yes and no.

Yes in that I set the account to /sbin/nologin.

No in that we want to use ssh keys between servers to automate work with scripts. I'm not sure how to handle this.


Quote:
Originally Posted by pan64 View Post
did it solve your issue?
 
#22 | pan64, LQ Guru (debian/ubuntu/suse ...) | 04-18-2019, 04:49 AM
(how) are these two things related to each other?
 
#23 | JockVSJock, Senior Member, original poster (RHEL/CentOS) | 04-18-2019, 06:12 AM
I don't understand what you're asking.

I just want to prevent a user from logging into that account on the RHEL VM. However, I want to allow ssh keys between two RHEL VMs.

Setting that account login to /sbin/nologin, will this impact ssh keys?


Quote:
Originally Posted by pan64 View Post
(how) are these two things related to each other?
 
#24 | pan64, LQ Guru (debian/ubuntu/suse ...) | 04-18-2019, 06:25 AM
do you want to allow ssh for these service accounts (among hosts?) (you should not). Do you want to allow ssh with key [only] for regular users?
 
#25 | JockVSJock, Senior Member, original poster (RHEL/CentOS) | 04-18-2019, 06:38 AM
So if I'm understanding you correctly, we shouldn't allow for this user account (Oracle) to have access to ssh keys between two RHEL VMs. Sounds like this is a security issue as well. If you don't mind elaborating on that, as I don't understand the why behind it.

Regular users typically log in to RHEL VMs from a Windows 10 desktop via PuTTY.

As the sys admin, I use ssh keys between all of my RHEL VMs. I may not have a firm understanding of the how, but I want to make sure security is applied correctly to the RHEL VMs that I manage.

However, I have end users who can't follow the rules or don't think the rules apply to them. Should they not be allowed to generate ssh keys too, since they have no regard for the rules?

Quote:
Originally Posted by pan64 View Post
do you want to allow ssh for these service accounts (among hosts?) (you should not). Do you want to allow ssh with key [only] for regular users?

Last edited by JockVSJock; 04-18-2019 at 06:41 AM.
 
#26 | pan64, LQ Guru (debian/ubuntu/suse ...) | 04-18-2019, 06:52 AM
ssh keys are used to allow passwordless logins using ssh. This can be convenient for regular users and also for services which should do some remote work (like ansible).
Actually I don't know if the given oracle user is meant to do some remote managing, but if I remember well it was not planned.
You need to set up [passwordless] sudo <oracle user> <some commands> for the users who are allowed to manage oracle and configure ssh keys for them.
 
#27 | JockVSJock, Senior Member, original poster (RHEL/CentOS) | 04-18-2019, 07:35 AM
Right, I know what ssh keys are for.

I have ssh keys set up for my user account because it saves me time from having to type a password over and over. For another account that does port scanning, I used ssh keys because it was having issues logging in. Once I set up ssh keys, that solved that issue.

Right again, in that I've set up Oracle and whitelisted commands via sudo.

It's still not clear if I set up Oracle with /sbin/nologin how it will affect ssh keys, or if this will be more of a security issue, as I have users who can't be trusted to do the right thing.

Quote:
Originally Posted by pan64 View Post
ssh keys are used to allow passwordless logins using ssh. This can be convenient for regular users and also for services which should do some remote work (like ansible).
Actually I don't know if the given oracle user is meant to do some remote managing, but if I remember well it was not planned.
You need to set up [passwordless] sudo <oracle user> <some commands> for the users who are allowed to manage oracle and configure ssh keys for them.
 
#28 | Turbocapitalist, Senior Member (Linux Mint, Devuan, OpenBSD) | 04-18-2019, 07:44 AM
You can use AllowGroups to whitelist groups or DenyGroups to blacklist them in sshd_config. That can keep people from logging in with the wrong accounts.
 
#29 | pan64, LQ Guru (debian/ubuntu/suse ...) | 04-18-2019, 10:13 AM
If the login shell is set to nologin the system will not allow you to log in, with or without ssh keys.
 
#30 | Ghostwheel, Member (CentOS) | 04-18-2019, 10:53 AM
While I tend to agree that your setup should probably be rethought, would it work to just disallow ssh access to these "service accounts" so they cannot be remotely logged into? This would force your users to use their own account and sudo to the service accounts.

Turbocapitalist is on the same track as well, I see.
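An added example pulling together the pieces recommended in #26, #28, #29 and #30: the sshd allow/deny lines that refuse the service account before any key is checked, the sudoers fragment that lets the DBA group run a whitelist of commands as that account, and an audit for service accounts that still carry an interactive shell. This is my code, not any poster's; the names sshusers, oradba, oracle, the Oracle binary paths and the host 10.0.0.5 are hypothetical placeholders. One caveat worth knowing before choosing nologin for an account that automation must reach over ssh: sshd runs every command, forced or not, through the account's login shell, so a nologin shell ends the session even when the key carries a command= option (the key check itself still succeeds and /var/log/secure still shows "Accepted publickey"). The second sshd fragment below is for that case and assumes the account keeps a shell but is pinned to one source host, one command and no tty.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to stop people logging in as a
# service account over ssh, plus the sudo and key-option pieces that go with
# them. sshusers, oradba, oracle, the command paths and 10.0.0.5 are
# hypothetical placeholders.
set -u

# 1. Global allow/deny. These are evaluated before any key or password is
#    tried, so a key in oracle's authorized_keys changes nothing. This is the
#    "log in as yourself, then sudo" model from the thread.
deny_service_ssh_config() {   # <allowed-group> <service-user>...
    group=$1; shift
    echo "AllowGroups $group"
    echo "DenyUsers $*"
}

# 2. If automation really must ssh in AS the service account, the account
#    cannot use a nologin shell (sshd runs even a forced command through the
#    login shell), so restrict the session instead: no password, no tty,
#    no forwarding, and a key pinned to one source host and one command.
automation_only_config() {    # <service-user>
    cat <<EOF
Match User $1
    PasswordAuthentication no
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

# authorized_keys line with options. Only meaningful when the key file is
# root-owned; otherwise the account can simply delete the options.
restricted_key_line() {       # <source-host> <command> <public-key-line>
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# sudoers fragment: members of <admin-group> may run the listed commands as
# <service-user> without a password, and nothing else as that user.
sudoers_fragment() {          # <admin-group> <service-user> <command>...
    grp=$1; svc=$2; shift 2
    calias=$(echo "$svc" | tr 'a-z' 'A-Z')_CMDS
    cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
    echo "Cmnd_Alias $calias = $cmds"
    echo "%$grp ALL=($svc) NOPASSWD: $calias"
}

# Syntax-check a fragment before it goes into /etc/sudoers.d. Returns 0
# without checking where visudo is not installed (e.g. a build box).
sudoers_check() {             # <file>
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -c -f "$1" >/dev/null
}

# Audit: given a passwd-format file and service user names, report each one
# that still has an interactive shell. Returns the number found.
audit_service_shells() {      # <passwd-file> <service-user>...
    pw=$1; shift; found=0
    for u in "$@"; do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$pw")
        case "$shell" in
            ""|*/nologin|*/false) ;;
            *) echo "INTERACTIVE: $u uses $shell"; found=$((found + 1)) ;;
        esac
    done
    return "$found"
}
```

Use either deny_service_ssh_config (the thread's recommendation: no remote session as oracle at all, DBAs log in as themselves and `sudo -u oracle`) or automation_only_config with a restricted_key_line in a root-owned key file; combining DenyUsers oracle with a key for oracle just produces a key that can never be used. Run audit_service_shells against /etc/passwd after the change and again whenever someone reports that "the oracle login stopped working", since that report is the expected outcome rather than a fault.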
 
Tags: service accounts