Centralized SSH Keys
There are times when it is beneficial to take control of SSH key management on a server. This brief tutorial will centralize all user SSH keys to a single location and allow root to manage them.
We will be keeping all keys in a single directory located in /etc/ssh/authorized_keys. Within the directory, there will be a file for each user account containing its authorized_keys.
The commands below will configure the server with centralized SSH keys and add an SSH public key to a user's keyfile.
Create the directory:
Bash
mkdir /etc/ssh/authorized_keys
Create a file for each user account and add a key:
Bash
touch /etc/ssh/authorized_keys/username
cat id_rsa.pub >> /etc/ssh/authorized_keys/username
Ensure the created file has the proper permissions or else authentication will not work.
Bash
chmod 600 /etc/ssh/authorized_keys/username
Inside the SSH daemon configuration you will have to edit the AuthorizedKeysFile directive. Open /etc/ssh/sshd_config with your favorite text editor (hopefully VIM) and make the following change.
Change the following.
Bash
#AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
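The whole procedure as one Bash script, added here as an example and not taken from the original post. KEYDIR and SSHD_CONFIG are variable names introduced for this example; they default to the paths used above but can be pointed at scratch copies so the functions can be tried without touching a live server. The script assumes GNU coreutils (stat -c) and GNU sed (-i). It refuses input that does not look like an OpenSSH public key, skips keys that are already present, applies the 600 mode from the post, and rewrites the AuthorizedKeysFile directive idempotently whether or not it is commented out.

```shell
#!/bin/bash
# Added example: centralize per-user authorized_keys files under KEYDIR and
# point sshd at them. Defaults are the paths from the post; override them
# (KEYDIR=... SSHD_CONFIG=...) to exercise the functions on a copy.
set -u

KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# add_user_key USER PUBKEY_FILE
# Appends the first line of PUBKEY_FILE to KEYDIR/USER, creating the directory
# (755) and the keyfile (600) as in the post. Only lines that look like an
# OpenSSH public key are accepted, so a private key or garbage cannot end up
# in the authorized list; a key that is already present is not added twice.
add_user_key() {
    local user="$1" pubkey="$2" line
    case "$user" in
        ''|*/*|.*) echo "add_user_key: bad user name '$user'" >&2; return 1 ;;
    esac
    line="$(head -n 1 "$pubkey")" || return 1
    case "$line" in
        ssh-*\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "add_user_key: '$pubkey' is not an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$KEYDIR" && chmod 755 "$KEYDIR" || return 1
    if [ -f "$KEYDIR/$user" ] && grep -qxF -- "$line" "$KEYDIR/$user"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$KEYDIR/$user" && chmod 600 "$KEYDIR/$user"
}

# point_sshd_at_keydir
# Replaces the AuthorizedKeysFile directive (commented or active) with the
# central location, or appends it when absent. Safe to run repeatedly.
point_sshd_at_keydir() {
    local want="AuthorizedKeysFile $KEYDIR/%u"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*AuthorizedKeysFile[[:space:]]' "$SSHD_CONFIG"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*AuthorizedKeysFile[[:space:]].*|$want|" "$SSHD_CONFIG"
    else
        printf '%s\n' "$want" >> "$SSHD_CONFIG"
    fi
}

# check_keyfile USER
# Fails unless the user's keyfile exists with mode 600 (the value the post
# requires); prints mode and owner on success.
check_keyfile() {
    local f="$KEYDIR/$1" mode
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    mode="$(stat -c '%a' "$f")"
    [ "$mode" = "600" ] || { echo "$f has mode $mode, expected 600" >&2; return 1; }
    echo "$f mode=$mode owner=$(stat -c '%U' "$f")"
}
```

Typical use on the real paths is `add_user_key username id_rsa.pub`, then `point_sshd_at_keydir`, then `check_keyfile username`; after editing sshd_config, validate it with `sshd -t` before reloading the daemon.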
Disable Interactive Shell Logins
July 20, 2012 / admin posted in Bash, Linux, Security
Often you have a server where users need an account to access certain services, but you do not want them to log into the server interactively. This is very common on an ftp/sftp server. If you change their shell to /sbin/nologin or /bin/false this could prevent them from using the service you have put in place. The simplest way to accommodate this is to write your own shell specifically for them.
Create a file with the name of your shell and place the contents below in it. I am using mine to restrict sftp users, so it is called ftponly. This shell will accept their login, display the message and then close their session. I have included a trap to catch any signals in the event a user gets crafty and tries to CTRL+C quickly.
Bash
#!/bin/bash
#
# ftponly shell
#
# Note: any command handed to this shell (for example sshd's "shell -c sftp-server"
# when the external sftp subsystem is used) is ignored, so it suits daemons that
# only check /etc/shells or run sftp in-process (internal-sftp).
#
# Catch the common signals so an early CTRL+C or hangup still ends the session.
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
/bin/echo
/bin/echo "***************************************************************"
/bin/echo " These credentials are NOT allowed interactive access to "
/bin/echo " <SERVER NAME> Server"
/bin/echo
/bin/echo " Account restricted to ftp access."
/bin/echo
/bin/echo " Contact admin@example.com with any issues."
/bin/echo "***************************************************************"
/bin/echo
#
exit 0
Place this file in /bin and ensure it is owned by root and executable.
Bash
chown root:root /bin/ftponly
chmod 755 /bin/ftponly
Now place the shell name into the /etc/shells file:
Bash
# /etc/shells: valid login shells
/bin/bash
/bin/csh
/bin/esh
/bin/fish
/bin/ftponly
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh
You can now assign the shell to a user either in the passwd file or during account creation.
Bash
bob:x:1005:100:bob's ftp account:/home/bob:/bin/ftponly
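A small audit script for this setup, added here as an example and not part of the original post. It checks the properties the post calls for (an executable regular file, owned by root, mode 755, listed in /etc/shells), lists the accounts in passwd that use the restricted shell, and confirms that the shell really swallows a command passed with -c, which is what makes it a restriction rather than a banner. The passwd and shells paths are parameters so the checks can be run against copies; the fourth argument (expected owner) exists only so the script can be tried as a non-root user. Assumes GNU coreutils (stat -c) and awk.

```shell
#!/bin/bash
# Added example: audit a restricted login shell such as /bin/ftponly.
set -u

# users_with_shell SHELL PASSWD_FILE
# Prints the login names whose seventh passwd field is exactly SHELL.
users_with_shell() {
    awk -F: -v s="$1" '$7 == s { print $1 }' "$2"
}

# audit_restricted_shell SHELL PASSWD_FILE SHELLS_FILE [EXPECTED_OWNER]
# Prints one OK/FAIL line per check plus the accounts using the shell and
# returns the number of failed checks (0 means the shell is set up as the
# post describes).
audit_restricted_shell() {
    local shell="$1" passwd="$2" shells="$3" owner="${4:-root}" fails=0 out

    if [ -f "$shell" ] && [ -x "$shell" ]; then echo "OK   $shell is an executable regular file"
    else echo "FAIL $shell is not an executable regular file"; fails=$((fails + 1)); fi

    if [ "$(stat -c '%U' "$shell" 2>/dev/null)" = "$owner" ]; then echo "OK   owned by $owner"
    else echo "FAIL not owned by $owner"; fails=$((fails + 1)); fi

    # 755: root writes it, everyone else may only execute it.
    if [ "$(stat -c '%a' "$shell" 2>/dev/null)" = "755" ]; then echo "OK   mode 755"
    else echo "FAIL mode is not 755 (a writable shell could be altered)"; fails=$((fails + 1)); fi

    if grep -qxF -- "$shell" "$shells"; then echo "OK   listed in $shells"
    else echo "FAIL not listed in $shells (chsh and ftp daemons will reject it)"; fails=$((fails + 1)); fi

    # A restricted shell must not execute a command it is handed with -c;
    # otherwise the restriction holds only for interactive logins.
    out="$("$shell" -c 'echo COMMAND_RAN' 2>/dev/null </dev/null)"
    if [ $? -eq 0 ] && ! printf '%s' "$out" | grep -q COMMAND_RAN; then echo "OK   ignores -c commands"
    else echo "FAIL executes commands passed with -c"; fails=$((fails + 1)); fi

    echo "accounts using $shell: $(users_with_shell "$shell" "$passwd" | tr '\n' ' ')"
    return "$fails"
}
```

On a real system the call is simply `audit_restricted_shell /bin/ftponly /etc/passwd /etc/shells`; a non-zero exit status means at least one of the steps above was missed.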
Disable USB storage support in RHEL 5
June 2, 2011 / admin posted in Linux, Security
To easily disable USB storage device support in RHEL 5 just add the following line to /etc/modprobe.conf:
install usb-storage :
This will prevent modprobe from loading the usb-storage module, but will allow administrators to manually load the module with insmod when needed.
If you will never need USB support you can simply remove the USB Storage driver from the kernel. Note: This will have to be repeated after each kernel update.
mv /lib/modules/<kernel version>/kernel/drivers/usb/storage/usb-storage.ko /root
You could also append nousb to the kernel line in your /etc/grub.conf. Make sure that /etc/grub.conf is password protected, or someone could simply edit the option back out of the line from single user mode.
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
Disable CD/DVD access for normal users.
June 2, 2011 / admin posted in Linux, Security
I just set up some workstations where I was required to disable CD-ROM access for normal users but retain it for root. The easiest way, with the least impact, is to disable GNOME's automounting in the gnome-volume-manager program. This program mounts devices and removable media (DVDs, CDs and USB flash drives) when they are inserted into the system.
As root:
gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /desktop/gnome/volume_manager/automount_media false
gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /desktop/gnome/volume_manager/automount_drives false
You can then verify the changes by viewing the output of:
gconftool-2 -R /desktop/gnome/volume_manager
Another, less elegant method to accomplish this task is to relocate the cdrom driver. You can always put it back as root and use insmod to reactivate it.
mv /lib/modules/<kernel version>/kernel/drivers/cdrom/cdrom.ko /root