SSH connections and file/folder permission dilemma.
 

Okay so, I'm still pretty new to Linux (haven't used a lot of distros extensively).

I put up an SSH server on Ubuntu 10.04 so one of my friends and I could tunnel when we're on public wifi's. It works great.

Here's the problem: say, when I was installing Ubuntu, the user I created was called 'optimus' right. So now there's just one main user, and then the root user, yes? So is it normal for one user to handle multiple connections? 'Cause my friend and I would simultaneously connect at the same time, sometimes. Will that mess anything up?

Also, file/folder permissions: say I create two new users, for my friend and I. The owner of /etc/ssh is optimus, and the group is root. The same is for all the files inside. If I change the owner to root and the group to say, 'admin' (which optimus is a part of, obviously), I can't see the data inside, unless I sudo. Why is that? I've specifically mentioned that optimus is a part of group 'admin', yet I can't access it.

So if I create two new users, what file/folder permission/ownerships will I need to change? The 'AllowUsers' option in the sshd_config file refers to the local users on the server, right?

-Kraven.

I'm glad you've made some headway into the realm of Linux.. there's nothing like the feeling of tunneling through SSH into the wild wild web.

To answer your questions, Yes you can have as many SSH logins for the same user as you want, unless you want to limit them via the configuration. So it doesn't mess anything up to have the same user logged in from several different locations doing different things.

There is one confusion you have concerning the Root user on Ubuntu. Traditional Linux and Unix has an actual user account named Root, however in Ubuntu you only have the one user you created and you have to use the sudo command to elevate that user to the level or Root.

I would like to caution you about file and folder permissions , in particular the ones in the folder /etc this is perhaps the most critical folder on your Linux system, nearly all of your configs and settings are stored there and if you futz with the permissions it is possible for someone to see and edit those files who should not be editing them. The /etc/ssh folder in particular stores the configs for the SSH daemon which is the service that runs the SSH server you and your friend are using.

I imagine you changed the group permissions on it, but not all the permissions. I suggest putting it back to the group root and not changing ANY of the permission on the /etc folder at all.

Is there some specific reasons for wanting to edit the /etc/ssh folder so freely? If your trying to figure out where your login folder is when you SSH into your box it's usually the users home folder which would in your case be located at /home/optimus if your using standard Ubuntu layout.

I suggest reading up on Linux and Unix permissions and how to use the chmod and chown commands to figure out how they work .

Take some time and read over this site http://www.cyberciti.biz/faq/how-lin...missions-work/ the cyberciti.biz site is AWESOME for Linux and BSD howto's ..

That's the thing: say I want to limit it, how should I go about doing that? Say I don't want anyone connected via SSH to be able to modify any settings, even with the SUDO command. How should I do that? I was thinking maybe I should create a new user, and limit them completely; but once I create a new user, will I have to copy the public keys to the home folder of the new user? Any suggestions?

Haha, yeah. I learned about that the hard way! I was messing about with Gentoo (was trying to dual boot Ubuntu and Gentoo) and by mistake messed up the permissions for my ENTIRE Ubuntu partition. Had to wipe it clean and start over. But no, the permissions for my /etc/ssh folder is set to 700 and files are set to 600. The owner is optimus and the group is root. Should I keep it this way? That's the thing: if I add a new user, how can I allow him to be able to access the host keys if the folder is owned by a different user?

Thanks! I'll check it out. =)

And thanks again for the really quick reply!

permissions
 

No users need to access the host keys. The ssh daemon does that FOR them.

I think you are complicating things too much. On a normal system running OpenSSH, only root should be able to change the ssh configuration. No one else should own any of its files or folders, they do not NEED that access. Each user has a ~/.ssh folder with their personal keys and settings to which ONLY they should own and have access.

I would recommend using one account per user, but there is nothing magic that forces you: it is just easier to keep track of logged events that way.

Okay I think I've got it now (but I'll have to read up a little bit more on ownership and permissions - it's still confusing).
So basically, if I add a new user (just a standard user), and I generate the key pair and store it in the home folder, I'm good to go, right?

Thanks guys!

You on the server? No! You create the users on the server, no ~/.ssh necessary. They have to issue on their machines (with no ~/.ssh right now):All created files and folders will get the correct permissions automatically. Then they will logon using the ssh-key in the future.

But what about the authorized_keys file? Wouldn't I have to copy that to the home folder of every user on the server machine? The way I made it, I generated the key-pair on the server itself, and then copied the private key via WinSCP to my pendrive ('cause I access the server on a Windoze machine, through PuTTY).

So if I make new users on the server machine (Ubuntu), will I have to make an ~/.ssh folder in /home/user manually and copy the authorized_keys file to each? Or can I instead move the authorized_keys file to /etc/ssh and point sshd_config to that location? Would that work?

Sorry, I wasn’t aware that your clients are using Windows machines. My personal opinion is, that a private key should never ever leave the machine it was created on, to avoid that you forgot all the location you copied it to. So, your users have Windows, then it’s the best that they create the keys on their own using puttygen and save the private part of the key locally. The public part they can copy and paste to send you an email with it. In principle there is no need to save the public part also locally on the Windows machines. You don’t need it there and it can even always be recreated out of the private part (this also works on Linux with ssh-keygen -y).

So, on the Linux server then you are right to create the appropriate folder for them and put the one line with the public part of the key into the home directories like ~reuti/.ssh/authorized_keys of the appropriate user. The home directory must not be writable by anyone besides the user himself. The ~reuti/.ssh must not be readable by anyone except the user himself.

When I understand you in the right way, you are even about to distribute one and the same private key to each and every user, with the result that anyone could login as any user. Each user should have his own private key bound to one machine. Once a private is in the wild on an USB stick, anyone getting access to it might log in.

I also suggest to use a passphrase for the private key. If this is anyoing to enter all the time on the Windows machine, you could think of the Pageant running there to have a nice forwarding to remote servers.

I think that you actually can control who can sudo in the file /etc/sudoers
Somewhere in the back of my head that mumbles ;)

Absolutly
 

You can control which users can use sudo, and (if you want to get that specific) exactly what commands they can and cannot run using it.

I recommend reading the suoders file and its comments and examples (using the command 'sudo visudo', but check the man pages and various how-to documents before you change anything. If you lock out your OWN account, it may be fun trying to recover.

Thanks for all the help folks!

So I've got it set up now: one main user and two standard users on the server machine (Ubuntu), who aren't in the sudoers file, so they can't do much once they get in anyway.

Edited the permissions of my /etc/ssh folder and files correctly. Also, instead of making separate ~/.ssh folders for each user and placing the authorized_keys file there, I placed that file directly in the /etc/ssh folder and edited the sshd_config to point to that. I haven't had a chance to test it yet, but it should work right? If it doesn't, I'll just go back to the normal method.

And, just to bombard ya'll with random information, I put up a hamachi network too - this is a heck of a lot of fun!
But I'm leaning away from Ubuntu and more towards Gentoo now, so I'll prolly come back with more questions on that soon.

Thanks again for the help, guys!

I winder if my car would run right on three wheels?
 

I am not sure why you would want to modify how a security package works to make it less secure, that sounds wrong somehow.
I hope it does what you want and wish you success.