blog'o thnet


Monday 3 September 2007

Why Set a Local authorized_keys File in an NFS-Shared Environment

Why set the authorized_keys file to a local pathname in large UNIX environments, especially when NFS shares are used for home directories? Because this addresses a real security problem.

First, remember that this special SSH file stores the public keys of remote accounts, letting their owners log in with an asymmetric key pair (unlocked by its passphrase) instead of the more classical password challenge. (This is also what later makes non-interactive logins possible through an SSH agent.)

The default path for the authorized_keys file is a subdirectory of the home directory. This means that when the home of a UNIX account is hosted on an NFS share, every server in the same domain as the NFS resource reads the very same authorized_keys file, which opens a security flaw: by authorizing a key for one account on one server, you open that account on all servers in the domain.

So, the first benefit of storing the authorized_keys file in a local name space on each server is to authorize one, and only one, access to a given machine. The direct drawback is that there will be as many authorized_keys files as there are servers in the domain (if SSH access is needed on all of them). A side effect is that the path, mode and owner of the directory hosting the authorized_keys file can be managed and hardened better than before (even though SSH already checks them for sane defaults). This is of particular interest when managing thousands of servers in a heterogeneous UNIX environment, where Solaris, AIX, Linux and HP-UX do not share the same ownership of the same system paths (such as /var, for example).
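Added example, not code from the original post: a small shell helper that provisions the local per-account key location the post recommends (matching an AuthorizedKeysFile of /var/.ssh/%u/authorized_keys) and audits the ownership and modes sshd's StrictModes expects. The base directory is a parameter so the functions can be exercised on a scratch path instead of /var/.ssh; root ownership, 0755 directories and a 0644 key file are the assumed hardening policy.

```shell
# Added example (not from the original post): provision and audit a per-account
# authorized_keys file kept on local disk, for a sshd_config line such as
#   AuthorizedKeysFile /var/.ssh/%u/authorized_keys
# Assumptions: BASE is the local directory (/var/.ssh in production, a scratch
# directory when testing); everything under it is root-owned and never writable
# by group or other; the key file is world-readable because sshd reads it with
# the account's own uid, and root ownership keeps users from adding keys themselves.

# provision_local_keys BASE USER [PUBKEY_FILE]
provision_local_keys() {
    base=$1 user=$2 src=$3
    mkdir -p "$base/$user" || return 1
    chmod 0755 "$base" "$base/$user" || return 1
    # Append a public key when one is given, otherwise just create the file
    if [ -n "$src" ]; then
        cat "$src" >> "$base/$user/authorized_keys" || return 1
    else
        : >> "$base/$user/authorized_keys"
    fi
    chmod 0644 "$base/$user/authorized_keys" || return 1
    # Ownership can only be enforced when running as root
    [ "$(id -u)" -eq 0 ] && chown -R 0:0 "$base/$user"
    return 0
}

# mode_is_safe PATH: true when neither group nor other has the write bit
# (positions 6 and 9 of the ls -ld mode string)
mode_is_safe() {
    m=$(ls -ld "$1" | cut -c1-10)
    [ "$(printf %s "$m" | cut -c6)" != w ] &&
    [ "$(printf %s "$m" | cut -c9)" != w ]
}

# audit_local_keys BASE USER: 0 when every path component exists and is safe,
# which is what StrictModes verifies before trusting the key file
audit_local_keys() {
    base=$1 user=$2 rc=0
    for p in "$base" "$base/$user" "$base/$user/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif ! mode_is_safe "$p"; then
            echo "group/other writable: $p"; rc=1
        fi
    done
    return $rc
}
```

Run audit_local_keys over every account on each server from your configuration management tool; a non-zero exit points at a path sshd will reject (or, worse, one another user could write to).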

Monday 4 July 2005

How to Add a New "sshd_adm" Service on Red Hat Advanced Server 2.1

  1. sshd represents the classical SSH server (for users)
  2. sshd_adm represents the administrator SSH server (for administrators)

Copy the original executable to be able to differentiate them later using ps(1):

# cp /usr/sbin/sshd /usr/sbin/sshd_adm

Create (copy) the sshd_adm service file:

# cp /etc/init.d/sshd /etc/init.d/sshd_adm

Edit and modify the sshd_adm service file according to:

# diff -u /etc/init.d/sshd /etc/init.d/sshd_adm
--- /etc/init.d/sshd    Thu Jun  9 16:54:18 2005
+++ /etc/init.d/sshd_adm        Thu Jun  9 14:03:24 2005
@@ -5,29 +5,30 @@
 # chkconfig: 2345 55 25
 # description: OpenSSH server daemon
 #
-# processname: sshd
+# processname: sshd_adm
 # config: /etc/ssh/ssh_host_key
 # config: /etc/ssh/ssh_host_key.pub
 # config: /etc/ssh/ssh_random_seed
-# config: /etc/ssh/sshd_config
-# pidfile: /var/run/sshd.pid
+# config: /etc/ssh/sshd_config_adm
+# pidfile: /var/run/sshd_adm.pid
 
 # source function library
 . /etc/rc.d/init.d/functions
 
 # pull in sysconfig settings
-[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+[ -f /etc/sysconfig/sshd_adm ] && . /etc/sysconfig/sshd_adm
 
 RETVAL=0
-prog="sshd"
+prog="sshd_adm"
 
 # Some functions to make the below more readable
 KEYGEN=/usr/bin/ssh-keygen
-SSHD=/usr/sbin/sshd
+SSHD=/usr/sbin/sshd_adm
 RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
-PID_FILE=/var/run/sshd.pid
+PID_FILE=/var/run/sshd_adm.pid
+OPTIONS="-f /etc/ssh/sshd_config_adm -o \"PidFile ${PID_FILE}\" ${OPTIONS}"
 
 do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
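Review bot: the OPTIONS line packs the alternate configuration and the pid-file override into one string with escaped quotes (-o \"PidFile ${PID_FILE}\"), which only survives because start() later hands the string to initlog -c for a second shell parse; a more robust approach is to put PidFile /var/run/sshd_adm.pid inside /etc/ssh/sshd_config_adm itself and reduce OPTIONS to "-f /etc/ssh/sshd_config_adm ${OPTIONS}". Note also that the "# config:" lines still name the host keys shared with the regular daemon, so both listeners present the same host key; that is intended here but deserves a comment.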
@@ -97,7 +98,7 @@
        echo -n $"Starting $prog:"
        initlog -c "$SSHD $OPTIONS" && success || failure
        RETVAL=$?
-       [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+       [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd_adm
        echo
 }
 
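Review bot: the lock file name must equal the init script name, because the rc shutdown sequence only runs a K script when /var/lock/subsys/<script> exists; /var/lock/subsys/sshd_adm matches /etc/init.d/sshd_adm, so this rename is required, not cosmetic.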
@@ -106,7 +107,7 @@
        echo -n $"Stopping $prog:"
        killproc $SSHD -TERM
        RETVAL=$?
-       [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+       [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd_adm
        echo
 }
 
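Review bot: killproc $SSHD -TERM locates the daemon by program name, so this stop target only isolates the admin instance because the binary was copied to /usr/sbin/sshd_adm earlier; if that copy step is skipped, stopping sshd_adm would also signal the regular sshd. Worth a comment in the script, or a guard that refuses to run when $SSHD is still /usr/sbin/sshd.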
@@ -133,7 +134,7 @@
                reload
                ;;
        condrestart)
-               if [ -f /var/lock/subsys/sshd ] ; then
+               if [ -f /var/lock/subsys/sshd_adm ] ; then
                        do_restart_sanity_check
                        if [ "$RETVAL" = 0 ] ; then
                                stop

See the attached patch to apply these changes directly: sshd_adm.service.patch

Create (copy) the sshd_adm configuration file:

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config_adm

Edit and modify the sshd and sshd_adm configuration files according to:

# diff -u /etc/ssh/sshd_config /etc/ssh/sshd_config_adm
--- /etc/ssh/sshd_config        Thu Jun  9 15:44:42 2005
+++ /etc/ssh/sshd_config_adm    Thu Jun  9 15:45:08 2005
@@ -11,6 +11,7 @@
 # default value.
 
 #Port 22
+Port 77
 #Protocol 2,1
 #ListenAddress 0.0.0.0
 #ListenAddress ::
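Review bot: Port 77 is below 1024 (fine for a root daemon), but 77/tcp is already assigned to a private RJE service (rje/priv-rje) in /etc/services, so port-to-name lookups and any filtering rules keyed on service names will label this traffic wrongly; choose an unassigned port or document the choice in the file. Since this listener is for administrators only, also consider an explicit "Protocol 2" here instead of inheriting the "2,1" default shown on the next line.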
@@ -35,13 +36,11 @@
 
 #LoginGraceTime 600
 #PermitRootLogin yes
-PermitRootLogin no
 #StrictModes yes
 
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile    .ssh/authorized_keys
-AuthorizedKeysFile     /var/.ssh/%u/authorized_keys
 
 # rhosts authentication should not be used
 #RhostsAuthentication no
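Review bot: removing "PermitRootLogin no" and the local AuthorizedKeysFile line makes the admin daemon silently inherit the defaults shown commented just above them (PermitRootLogin yes, and .ssh/authorized_keys under the NFS-shared home), so the weakest settings land on the listener meant for administrators. If root login is needed there, prefer an explicit "PermitRootLogin without-password" (key-only) and keep an AuthorizedKeysFile on local disk, for the reasons given in the 2007 post on this page.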
@@ -79,6 +78,7 @@
 #PAMAuthenticationViaKbdInt yes
 
 #X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
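Review bot: X11Forwarding yes widens what a compromised administrator workstation can reach through the channel; keep it only if administrators actually run X applications, and leave X11UseLocalhost at its default of yes (two lines below) so the forwarded display binds to loopback only.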

See the attached patch to apply these changes directly: sshd_adm.configuration.patch

Clone the pam(8) configuration for the sshd_adm process:

# cp /etc/pam.d/sshd /etc/pam.d/sshd_adm

Add or update the run-level information for the sshd_adm service:

# chkconfig --add sshd_adm
# chkconfig --level 2345 sshd_adm on

Start, or restart, the corresponding services using the new configurations:

# service sshd restart
# service sshd_adm start

Verify the running services:

# service sshd status
# service sshd_adm status

Tuesday 14 June 2005

How to Add a New "sshd_adm" Service on AIX 5L

Create the sshd_adm service:

# mkssys -p /usr/sbin/sshd \   /* Absolute path to the subsystem executable
                                  program. */
         -s sshd_adm \         /* Name that uniquely identifies the subsys. */
         -u 0 \                /* User id for the subsystem. */
         -a "-D -f /etc/ssh/sshd_config_adm" \   /* Arguments that must be
                                                    passed to the command. */
         -e /dev/console \     /* Where the subsystem standard error data is
                                  placed. */
         -i /dev/console \     /* Where the subsys. standard input is routed. */
         -o /dev/console \     /* Where the subsys. standard output is placed. */
         -R \                  /* Subsystem is restarted if the subsystem stops
                                  abnormally. */
         -Q \                  /* Multiple instances of the subsystem are not
                                  allowed to run at the same time. */
         -S \                  /* Subsystem uses the signals communication
                                  method. */
         -f 9 \                /* Signal sent to the subsystem when a forced
                                  stop of the subsystem is requested. */
         -n 15 \               /* Signal sent to the subsystem when a normal
                                  stop of the subsystem is requested. */
         -E 20 \               /* Execution priority of the subsystem. */
         -G ssh \              /* Subsystem belongs to the group specified. */
         -d \                  /* Inactive subsystems are displayed when the
                                  lssrc -a command request is made. */
         -w 20                 /* Time, in seconds, allowed to elapse between a
                                  stop cancel (SIGTERM) signal and a subsequent
                                  SIGKILL signal. */

Check the service's configuration:

# lssrc -S -s sshd_adm
#subsysname:synonym:cmdargs:path:uid:auditid:standin:standout:standerr:action:multi:contact:svrkey:svrmtype:\
 priority:signorm:sigforce:display:waittime:grpname:
sshd_adm::-D -f /etc/ssh/sshd_config_adm:/usr/sbin/sshd:0:0:/dev/console:/dev/console:/dev/console:-R:-Q:-S:0:0:\
20:15:9:-d:20:ssh:

Or query the ODM database directly:

# odmget -q subsysname=sshd_adm SRCsubsys

SRCsubsys:
        subsysname = "sshd_adm"
        synonym = ""
        cmdargs = "-D -f /etc/ssh/sshd_config_adm"
        path = "/usr/sbin/sshd"
        uid = 0
        auditid = 0
        standin = "/dev/console"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 15
        sigforce = 9
        display = 1
        waittime = 20
        grpname = "ssh"

Create (copy) the sshd_adm configuration file:

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config_adm

Edit and modify the sshd and sshd_adm configuration files according to:

# diff -c /etc/ssh/sshd_config /etc/ssh/sshd_config_adm
*** /etc/ssh/sshd_config        Tue Jul  5 13:36:44 2005
--- /etc/ssh/sshd_config_adm    Tue Jul  5 13:36:44 2005
***************
*** 11,16 ****
--- 11,17 ----
  # default value.
  
  #Port 22
+ Port 77
  #Protocol 2,1
  #ListenAddress 0.0.0.0
  #ListenAddress ::
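Review bot: same port choice as in the Red Hat variant; /etc/services on AIX also maps 77/tcp to the rje service, so netstat -a style output will show the admin listener under that name. An unassigned port avoids the confusion.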
***************
*** 34,46 ****
  
  #LoginGraceTime 2m
  #PermitRootLogin yes
- PermitRootLogin no
  #StrictModes yes
  
  #RSAAuthentication yes
  #PubkeyAuthentication yes
  #AuthorizedKeysFile   .ssh/authorized_keys
- AuthorizedKeysFile    /var/.ssh/%u/authorized_keys
  
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #RhostsRSAAuthentication no
--- 35,45 ----
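Review bot: as in the Red Hat diff, dropping "PermitRootLogin no" and the local AuthorizedKeysFile reverts the administrator listener to root logins by any method and to keys read from NFS homes. Since mkssys runs this daemon as uid 0 with "-f /etc/ssh/sshd_config_adm", this file is the only thing separating the two listeners, so keep the restrictive lines and add the admin-specific exceptions explicitly (for example "PermitRootLogin without-password").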
***************
*** 77,82 ****
--- 76,82 ----
  #AllowTcpForwarding yes
  #GatewayPorts no
  #X11Forwarding no
+ X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PrintMotd yes
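Review bot: same X11Forwarding remark as for the Red Hat file; note this hunk also leaves AllowTcpForwarding at its default of yes (three lines above), so the admin listener permits both TCP and X11 tunnelling. State that explicitly if it is wanted.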

Start the new service and restart the old one:

# stopsrc -g ssh
# startsrc -g ssh
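Added example serving both the Red Hat and the AIX procedures above, and not code from either how-to: a check that reads the two configuration files those procedures produce and reports the values sshd will actually apply, failing when both daemons would bind the same port or when the administrator instance falls back to the default PermitRootLogin yes. It relies on sshd honouring only the first uncommented occurrence of a keyword; the file paths and the defaults (those shown commented out in the page's sshd_config) are the assumptions.

```shell
# Added example, not code from either post: show the values sshd will really
# use from sshd_config and sshd_config_adm for the keywords the how-tos touch.
# sshd applies the FIRST uncommented occurrence of a keyword (case-insensitive)
# and ignores later ones, which matters when a directive is appended to a copy.
# Assumptions: paths are arguments so the check can run on scratch copies; the
# defaults are the ones shown commented out in the page's sshd_config (22, yes,
# .ssh/authorized_keys, no); only "Keyword value" syntax is handled.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective value
sshd_effective() {
    k=$(printf %s "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$k" 'tolower($1) == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# compare_sshd_configs USER_CFG ADM_CFG -> 0 when the pair is sane: distinct
# ports (both daemons must be able to bind) and no silent fallback to the
# default PermitRootLogin yes on the administrator daemon.
compare_sshd_configs() {
    rc=0
    printf '%-18s %-32s %s\n' keyword "$1" "$2"
    for spec in Port:22 PermitRootLogin:yes \
                AuthorizedKeysFile:.ssh/authorized_keys X11Forwarding:no; do
        kw=${spec%%:*}; def=${spec#*:}
        printf '%-18s %-32s %s\n' "$kw" \
            "$(sshd_effective "$1" "$kw" "$def")" "$(sshd_effective "$2" "$kw" "$def")"
    done
    if [ "$(sshd_effective "$1" Port 22)" = "$(sshd_effective "$2" Port 22)" ]; then
        echo "ERROR: both daemons would listen on the same port"; rc=1
    fi
    if [ "$(sshd_effective "$2" PermitRootLogin yes)" = yes ]; then
        echo "WARNING: admin daemon falls back to PermitRootLogin yes"; rc=1
    fi
    return $rc
}
```

Run it as "compare_sshd_configs /etc/ssh/sshd_config /etc/ssh/sshd_config_adm" after editing; the table makes the inherited defaults visible instead of leaving them implicit in a deleted line.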

Here, the same sshd binary is used for the two services, sshd and sshd_adm. There is no need to separate them (as is done on GNU/Linux or Solaris for ps(1) listings), since the lssrc command distinguishes them more easily.

Because sshd and sshd_adm belong to the same service group, nothing else needs to be added for sshd_adm to start at run-level 2:

# ls -l /etc/rc.d/rc?.d/*ssh*
-r-xr-xr-x   1 root     system          307 Apr 29 17:46 /etc/rc.d/rc2.d/Ksshd
-r-xr-xr-x   1 root     system          308 Apr 29 17:46 /etc/rc.d/rc2.d/Ssshd