LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-13-2003, 08:24 AM   #1
TechBrat
LQ Newbie
 
Registered: Mar 2003
Distribution: Redhat7.x/8.x/FreeBSD4.x
Posts: 19

Authentication via user@domain.com


Hi All,

I have seen on a few pre-packaged dedicated RH servers out there the ability to have ssh/ftp and email access all authenticated using a username and hostname combination such that an SSH login prompt can accept the user as user@domain.com.

I'm trying to build a secure RH (8.x) environment using this method of authentication. As far as ftp and email, I know I can do this using proftpd and postfix's mysql integration; but how do they do it for SSHD?

Any links on setting up such an authentication mechanism would be greatly appreciated!

TechBrat Out.
 
Old 03-14-2003, 12:00 PM   #2
paranoid
LQ Newbie
 
Registered: Mar 2003
Location: Never more than 30 seconds from a keyboard
Distribution: Debian by choice, RH for Work, *BSD on and off
Posts: 13

Since nobody else has replied yet, maybe nobody else understands what you're saying either.

Do you mean that you have seen something like

paranoid@home$ ssh paranoid@work.example.com
paranoid@work$ hey it worked

The paranoid@work.example.com isn't an authentication method, it's just shorthand for "login as user paranoid on host work.example.com".

The absence of the password prompt just means that ssh has been configured both at home and at work with information permitting login without password.

If this is what you want, look at the man pages for ssh-keygen, ssh-agent, and suchlike, I'll be happy to help out.

Basically you create a key with ssh-keygen, tell ssh to use it when you log on to host X, then you insert the public part of the key you created into $HOME/.ssh/authorized_keys2 on host X.

ssh-agent remembers the passwords used to protect the keys, so that you don't have to type them every time, but once you log off, even if your laptop is stolen, the keys are unusable without the password.

It's really powerful; with ssh-agent you can input your password once when you log on (or not at all if you feel secure enough to create a key that is not password-protected), and then not type it again, even when you log in to a second computer and then to a third from the second...

It is very useful for scripts, you create a key that is not password-protected, and tell the script to ssh using that key, and your script will for example do a remote backup from cron at 2AM.

Did I answer your question?

HAND
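The unattended backup key described above is the case where key restrictions matter most: a key with no passphrase is usable by anyone who copies the file, so the server-side authorized_keys entry should pin it to one source address, one forced command, and no PTY or forwarding. The following POSIX shell helper is an added example, not code from the post or from OpenSSH; the sample public key, the client address 192.0.2.10 and the command path /usr/local/bin/backup-receive are constructed placeholders. (The file name authorized_keys2 in the post is a legacy name; current OpenSSH reads ~/.ssh/authorized_keys by default.)

```shell
#!/bin/sh
# Build and audit locked-down authorized_keys entries for a passphrase-less
# cron key. Placeholders constructed for this example: the public key below,
# the client address 192.0.2.10 and the forced command /usr/local/bin/backup-receive.

# Constructed sample public key. A real one comes from, on the client:
#   ssh-keygen -t ed25519 -N '' -f ~/.ssh/backup_key   # empty passphrase: unattended use only
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialExampleKeyMaterial00 backup@home'

# restricted_key PUBKEY CLIENT_ADDR COMMAND
# Prints one authorized_keys line. The options mean:
#   from=          only this source address may present the key
#   command=       sshd runs this instead of whatever the client asked for
#   no-pty and no-*-forwarding   no interactive shell, no tunnels, no agent hijacking
restricted_key() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$3" "$1"
}

# entry_is_restricted LINE
# Returns 0 if LINE carries both a forced command and no-pty, 1 otherwise.
entry_is_restricted() {
    case $1 in
        *command=*no-pty*|*no-pty*command=*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_authorized_keys FILE
# Prints the line numbers of key entries that lack a forced command or no-pty,
# skipping blank lines and comments. Run it over the file of any account whose
# keys are only meant for scripted jobs.
audit_authorized_keys() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        entry_is_restricted "$line" || echo "$n"
    done < "$1"
}

# On the server, append the restricted entry (backup_key.pub copied over from the client):
#   restricted_key "$(cat backup_key.pub)" 192.0.2.10 /usr/local/bin/backup-receive >> ~/.ssh/authorized_keys
# The client's cron job then runs without a prompt:
#   ssh -i ~/.ssh/backup_key backup@server.example.com
restricted_key "$SAMPLE_PUBKEY" 192.0.2.10 /usr/local/bin/backup-receive
```

For interactive use the post's advice stands: keep a passphrase on the key and let ssh-agent hold it (`eval "$(ssh-agent -s)"; ssh-add ~/.ssh/id_ed25519`). When hopping from a second machine to a third, prefer `ssh -J` (ProxyJump) over agent forwarding, since a forwarded agent can be used by root on the intermediate host while you are connected.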
 
Old 03-15-2003, 05:12 AM   #3
TechBrat
LQ Newbie
 
Registered: Mar 2003
Distribution: Redhat7.x/8.x/FreeBSD4.x
Posts: 19

Original Poster
Hey,

You may be right there. I don't think it's particularly common what I want to do and I've searched high and low on the net for articles on how to do it, but to no avail.

OK, thanks for the detailed response, but no, it doesn't answer the question.
Quote:
The paranoid@work.example.com isn't an authentication method, it's just shorthand for "login as user paranoid on host work.example.com".
I realise that with the client (ssh) this fully qualified user name details the username and the host. I guess what I need is the ability to map that hostname (which is on the same machine) to a passwd file in another directory.

i.e. I have a machine called bob.bobdomain.com with ip 1.2.3.4. Now this machine also hosts web sites for dan.dandomain.com and various others and they all use the same IP. All virtual hosted basically. Simple with apache.

OK, bobdomain.com has a home directory of /home/bobdomain.com/ and in that are various populated system related directories such as /bin /etc that are used when the user is chroot'ed to their home directory.

Given this, /home/bobdomain.com/etc/passwd contain entries for jenny, mary and paul such that those users can ssh into the server using jenny@bobdomain.com, be chrooted to /home/bobdomain.com and be able to access their home area as /home/bobdomain.com/home/jenny (which to them is just /home/jenny).

Phew!!

To cut a long story short, I need to be able to have virtual mapped users for ssh access (using sshd) based on their username and domain. I'm presuming this would be a special PAM module, but I haven't been able to find anything that can do it.

I hope that explains a bit further what I (and possibly others out there) am trying to achieve.

Ta.

TechBrat Out.
 
Old 03-15-2003, 05:59 AM   #4
paranoid
LQ Newbie
 
Registered: Mar 2003
Location: Never more than 30 seconds from a keyboard
Distribution: Debian by choice, RH for Work, *BSD on and off
Posts: 13

Quote:
Originally posted by TechBrat


Given this, /home/bobdomain.com/etc/passwd contain entries for jenny, mary and paul such that those users can ssh into the server using jenny@bobdomain.com, be chrooted to /home/bobdomain.com and be able to access their home area as /home/bobdomain.com/home/jenny (which to them is just /home/jenny).

As long as you don't HAVE to have both jenny@bobdomain.com and jenny@alicedomain.com as different users, you don't have a problem, just do it.

If jenny@bobdomain.com and jenny@alicedomain.com are different users on the same machine, well, dunno. Maybe PAM will accept a username with @ in it, but that will mess up a lot of things, to begin with the ssh shorthand I mentioned earlier.

Look at MIT Kerberos a bit, ISTR some similar syntax being used.

Otherwise, either set up multiple machines, or tell the users that "your username isn't jenny anymore, it's jenny1, so there, but your e-mail is the same of course".
 
Old 03-15-2003, 06:35 AM   #5
TechBrat
LQ Newbie
 
Registered: Mar 2003
Distribution: Redhat7.x/8.x/FreeBSD4.x
Posts: 19

Original Poster
Yay! Glad you understand.

Yeah, the issue is that in hosting multiple domains (like an ISP) I would need to have jenny@bobdomain.com and jenny@alicedomain.com being two separate accounts.

I have seen control panel systems like ENSIM do it and after taking them to bits recently, it appears as though they use a custom PAM plugin for the various services that maps domains to another passwd file and auths from that.

Also, I think having an @ in the username would definitely break a lot of things which is why many imap/pop email systems allow you to use # instead of @ for login.

I might look at making my own PAM module for it if I can't find one anywhere and possibly investigating something using LDAP as well as Kerberos as both look like they could solve the problem. Thanks for that idea.

I'm from a BSD background mainly and have only been in the RH world for about a year. When you say, put it in a virtual machine, do you mean run a separate sshd process, on each domain/ip on the machine, BSD jail style?

Looks like I may be getting my hands dirty. I'll take apart the basic unix PAM, see what comes in and see what I modify so that it can handle multiple, domain specific passwd files.

Thanks for your help.

TechBrat Out.
 
Old 03-15-2003, 07:35 AM   #6
TechBrat
LQ Newbie
 
Registered: Mar 2003
Distribution: Redhat7.x/8.x/FreeBSD4.x
Posts: 19

Original Poster
Just been browsing, as you do, and found this page: -

http://www.linuxgazette.com/issue42/tag/4.html

Basically, it talks about a PAM module called pam_chroot.

Quote:
(For our readers that are unfamiliar with the trick: the login program; upon seeing that the login shell for a given account is set to '*' does a chroot() system call to the directory that's listed as that account's "home" directory. Therein 'login' exec()'s the appropriate copy of 'login' thereunder. This normally would then exec() a normal shell, as listed in the /...(chroot top).../etc/passwd file.)
An interesting article and it appears as though there are incarnations of such a beast out there...just that it may need a bit of TLC to get going.

TechBrat Out.

Last edited by TechBrat; 03-15-2003 at 07:41 AM.
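The lookup at the heart of the scheme TechBrat lays out in posts #3, #5 and #6 (split `user@domain`, find the domain's own passwd under its chroot directory, read the account from there) is small enough to show on its own. The POSIX shell function below is an added example, not a PAM module and not from any of the posts; a real module would perform the same lookup from pam_sm_authenticate. Directory layout and the sample passwd lines are constructed for the demo. Two caveats a practitioner would want: the domain part must be validated before it is used as a path component, otherwise a login such as `jenny@../etc` walks out of the hosting root; and for sshd a PAM module alone is not enough, because sshd also resolves the login name through getpwnam (NSS), so the virtual users need an NSS source as well as a PAM one. The `@` in the name also collides with the client's user@host shorthand, so the client would pass it with `ssh -l jenny@bobdomain.com bob.bobdomain.com`.

```shell
#!/bin/sh
# Resolve a "user@domain" login against a per-domain passwd file that lives
# under a per-domain chroot directory. Added example; paths and passwd
# contents below are constructed for the demo.

# virtual_user_lookup ROOT LOGIN
# ROOT  directory holding one subdirectory per hosted domain (/home in the
#       thread; the demo uses a temporary directory).
# LOGIN user@domain. On success prints "CHROOT UID HOME SHELL", where HOME and
#       SHELL are as seen from inside the chroot.
# Exit status: 0 found, 1 malformed login, 2 unknown or unsafe domain, 3 unknown user.
virtual_user_lookup() {
    root=$1; login=$2
    case $login in
        *@*@*|@*|*@) return 1 ;;   # more than one @, empty user, or empty domain
        *@*) ;;
        *) return 1 ;;             # no @ at all: not a virtual login
    esac
    user=${login%%@*}
    domain=${login#*@}
    # Whitelist the characters before either part touches the filesystem.
    # This is what stops "jenny@../etc" from escaping ROOT.
    case $user in *[!A-Za-z0-9._-]*|'') return 1 ;; esac
    case $domain in *[!A-Za-z0-9.-]*|''|*..*|.*|-*) return 2 ;; esac
    chroot=$root/$domain
    [ -f "$chroot/etc/passwd" ] || return 2
    # Exact match on the name field; stop at the first hit.
    entry=$(awk -F: -v u="$user" '$1 == u { print $3, $6, $7; exit }' "$chroot/etc/passwd")
    [ -n "$entry" ] || return 3
    echo "$chroot $entry"
}

# Demo: two hosted domains that both have a user called jenny, plus a
# non-existent user and a traversal attempt.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bobdomain.com/etc" "$root/alicedomain.com/etc"
    printf 'jenny:x:1001:1001:Jenny B:/home/jenny:/bin/sh\nmary:x:1002:1002::/home/mary:/bin/sh\n' \
        > "$root/bobdomain.com/etc/passwd"
    printf 'jenny:x:2001:2001:Jenny A:/home/jenny:/bin/sh\n' \
        > "$root/alicedomain.com/etc/passwd"
    for login in jenny@bobdomain.com jenny@alicedomain.com paul@bobdomain.com 'jenny@../etc'; do
        if out=$(virtual_user_lookup "$root" "$login"); then
            echo "$login -> $out"
        else
            echo "$login -> rejected"
        fi
    done
    rm -rf "$root"
}
demo
```

The two jenny accounts resolve to different chroots and different UIDs, which is exactly the property the thread is after; everything else about the account (password hash, shell) would be read from the same per-domain file by the PAM and NSS modules that wrap this lookup.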
 
Old 09-16-2003, 10:02 PM   #7
merkelt
LQ Newbie
 
Registered: Sep 2003
Location: Boulder, CO
Distribution: RedHat
Posts: 6

This is roughly the same issue I am working on, however I am brand new to the subject. I am looking for the ability to give my users a single login for their e-mail, ssh, and ftp. I am hosting multiple domains and don't want to tell John Doe that he cannot have John@yyy.com because somebody else has John@zzz.com (which is hosted on the same machine).

It sounds like Postfix has the ability from an e-mail perspective, can sendmail handle logins that look like 'user@domain.com'?

Can somebody point me in the right direction? Thank you in advance for your help.
 
Old 09-16-2003, 11:14 PM   #8
TechBrat
LQ Newbie
 
Registered: Mar 2003
Distribution: Redhat7.x/8.x/FreeBSD4.x
Posts: 19

Original Poster
Merkelt,

Postfix (SMTP) is a complete replacement for sendmail (SMTP) so sendmail is actually disabled as part of installation. Postfix provides binaries to emulate the sendmail syntax. Sendmail and the standard RH Linux POP/IMAP services do not and cannot support user@domain authentication without the use of PAM modules such as that implemented by Ensim.

You can use a POP3/IMAP reader such as Courier that is integrated to use the same MySQL database and tables as postfix. Webmail systems such as Squirrelmail handle logins via user@domain as well so the email solution is easily configured for virtual hosting without the requirement for products such as Ensim or CPanel.

The main issue that I've had is with PAM authentication in the format of user@domain for SSH. FTP can be easily handled, once again with mysql database integration using proftpd. There are plenty of articles on the web documenting the procedures to do this for PostFix/Courier and ProFTPD.

Needless to say, I've been very impressed with Ensim Pro 3.5.x and its ability to handle virtual hosting and have put my efforts toward other things rather than reinventing the wheel with chroot'ing and development of a custom PAM module.

Good Luck.

TechBrat Out.

Last edited by TechBrat; 09-16-2003 at 11:16 PM.
 
Old 01-10-2004, 04:24 PM   #9
ntwaddel
LQ Newbie
 
Registered: Sep 2003
Location: Templeton, CA
Posts: 2

I have been searching for the same thing. Let me know if you found a solution yet.
 
  

