LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-17-2017, 05:27 AM   #1
maxbaum
LQ Newbie
 
Registered: Oct 2017
Distribution: CentOS 7
Posts: 8

Rep: Reputation: Disabled
How can i remove all privileges from a user except su?


hi
I want a user X to login to via ssh-key, but After i logged in i want to "su root ".

So if someone manages to steal my ssh key from my pc the attacker would still need to find out the password for root

What privileges are there to remove so a user X cant do any harm to the System. I can think of sudo, chmod, passwd, iptables

But i dont know how to prevent the use of these commands. how do i totaly shutdown the user except for the command "su" and ssh? (Centos 7)

Thank you!
 
Old 10-17-2017, 06:00 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,154
Blog Entries: 3

Rep: Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557
Welcome.

Look in the manual page for sshd in the section "AUTHORIZED KEYS FORMAT"

Code:
man sshd
In there you'll see a paragraph for commmand="..." and other options for your key.

So if you go into that account's ~/.ssh/authorized_keys file and find the key in question, you can prepend command="/bin/su -l" to the line with the key. Make sure that the line remains unbroken and that there is a space between what you add and the rest of the key.
 
Old 10-17-2017, 08:04 AM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,532

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
Welcome to LinuxQuestions.

You can add a passphrase to ssh key so even if the private key was stolen it would not be usable.

You can restrict ssh to only allow user x and apply a chrooted jail.

https://www.tecmint.com/restrict-ssh...chrooted-jail/
 
Old 10-17-2017, 08:07 AM   #4
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,369

Rep: Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044
su will give "everything" to the user, so revoking all the rights but su has no real meaning.
 
Old 10-17-2017, 08:53 AM   #5
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 9 Stretch
Posts: 2,354
Blog Entries: 8

Rep: Reputation: 384Reputation: 384Reputation: 384Reputation: 384
Quote:
Originally Posted by maxbaum View Post
hi
I want a user X to login to via ssh-key, but After i logged in i want to "su root ".

So if someone manages to steal my ssh key from my pc the attacker would still need to find out the password for root

What privileges are there to remove so a user X cant do any harm to the System. I can think of sudo, chmod, passwd, iptables

But i dont know how to prevent the use of these commands. how do i totaly shutdown the user except for the command "su" and ssh? (Centos 7)

Thank you!
I agree with the first suggestion of michaelk - you can create an ssh key with a pass phrase. This is the cleanest and most common way to secure against someone getting the ssh key file. Technically, I do not think it's possible to "add" a pass phrase to an already generated ssh key. It's something you specify when first creating the ssh key. I may be totally wrong about that, though. I'm only familiar with creating a pass phrase at the same time as the ssh key.

You can combine it with Turbocaptialist's answer if you want. Personally, I'm comfortable with using the ssh key pass phrase for logging into a normal account (with no special restrictions).
 
Old 10-17-2017, 09:08 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,154
Blog Entries: 3

Rep: Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557
Quote:
Originally Posted by IsaacKuo View Post
Technically, I do not think it's possible to "add" a pass phrase to an already generated ssh key.
I had kind of assumed it went without saying that there is a good passphrase on the key. "That which goes without saying often goes unsaid." So maybe it needs saying anyway. Maybe an agent should be mentioned as well.

As for adding or changing the passphrase, that can be done with an existing key. See "man ssh-keygen" for the options -f and especially -p. Using -C won't hurt when creating the key either.

Code:
ssh-keygen -f test.key.ed25519 -p
 
Old 10-17-2017, 12:07 PM   #7
maxbaum
LQ Newbie
 
Registered: Oct 2017
Distribution: CentOS 7
Posts: 8

Original Poster
Rep: Reputation: Disabled
Hey everybody thanks for helping me im really glad to get some help

i already have my sshkey, i put the public key in max/.ssh/authorized_key and the private key is password protected on my pc.

Additionaly i wanted to remove all privileges from max except for the command su.

So if someone can steal my ssh-key and bruteforce the password of it like in 3 month or so ...
then he could login as max, but max doesnt have any priviliges. So the attacker would need to "su root" and bruteforce the root password.
But this brutforce could be prevented by timouts on wrong password since the bruteforce takes place on my server

so i want to create a secound layer of security here

max shall be a totaly useless user, with access only to "ssh" and "su"
 
Old 10-17-2017, 12:47 PM   #8
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,582
Blog Entries: 9

Rep: Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497Reputation: 4497
the flaw in this clever idea is that you are now forced to do all your server work as root?
 
Old 10-17-2017, 02:08 PM   #9
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 9 Stretch
Posts: 2,354
Blog Entries: 8

Rep: Reputation: 384Reputation: 384Reputation: 384Reputation: 384
It's easy enough to do the forced su to root account and then use "su whateveruser".
 
Old 10-18-2017, 12:49 AM   #10
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,369

Rep: Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044
Quote:
Originally Posted by IsaacKuo View Post
It's easy enough to do the forced su to root account and then use "su whateveruser".
Probably easy, but more or less meaningless/pointless/purposeless/gratuitous. Forcing to become root is not only a security hole, but a (forced) invitation to do something "strange".
 
Old 10-18-2017, 04:13 AM   #11
maxbaum
LQ Newbie
 
Registered: Oct 2017
Distribution: CentOS 7
Posts: 8

Original Poster
Rep: Reputation: Disabled
yeah i know its not a common idea. but i feel exhausted thinking about all the different groups and stuff. I want a strong security in the beginning and once someone is through its fair play, he might still have to cope with encrypted data. but also for my work. I want to login and do stuff and not clutter my mind with ownership rwx issues really or typing in my 24 digit password on every command

soooo can anybody give me a list what to research / do to have such a user i described ?

Last edited by maxbaum; 10-18-2017 at 04:16 AM.
 
Old 10-18-2017, 04:20 AM   #12
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,154
Blog Entries: 3

Rep: Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557
Yes. It can be done via the key used for that account. See post #2 above from yesterday.
 
1 members found this post helpful.
Old 10-18-2017, 04:38 AM   #13
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,369

Rep: Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044
if you want to use only root account on that host just remove/disable all the other accounts and directly ssh -l root (or only one specific user) onto that host (with key).
If you want to force a user to su immediately after login you may try .bashrc to do that.
But
Quote:
how do i totaly shutdown the user except for the command "su" and ssh
is still logically nonsense.
 
Old 10-18-2017, 04:47 AM   #14
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,154
Blog Entries: 3

Rep: Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557Reputation: 2557
Quote:
Originally Posted by pan64 View Post
If you want to force a user to su immediately after login you may try .bashrc to do that.
Pros and cons aside, there are many ways around attempting to constrain the account using .bashrc.

However, the command="..." option in the key in authorized_keys cannot be skipped or escaped from. Using ForceCommand in the SSH server's configuration file would another way to achieve about the same thing. Putting it in the key is easier.
 
1 members found this post helpful.
Old 10-18-2017, 04:56 AM   #15
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 15,369

Rep: Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044Reputation: 5044
since OP wants to force user to be root and root has the right to do anything: command="..." can be skipped too...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
super user privileges check for a normal user in bash script freeindy Programming 2 08-01-2008 06:08 AM
privileges user AIX122 AIX 2 02-28-2008 10:49 PM
Linux - How to add a new user with the same root/super-user's privileges? asgarcymed Linux - General 8 12-23-2006 07:45 PM
User with root privileges ShakyJake Linux - Newbie 2 06-18-2004 12:12 PM
user privileges rieta Linux - Newbie 9 08-29-2002 11:48 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration