[clue-admin] User setup for "member" accounts

Ronald Kuetemeier ronald at kuetemeier.com
Tue Jan 4 00:20:22 MST 2005


Some comments from your friendly PHB of some sys admin organizations.
I have followed this thread with fascination and still don't know what
you really want to achieve.
Anyhow, there should be no experimentation on a production server.  The
reason is that if you make changes to files and get it half way working, you
most likely will not back out the changes and will keep trying until you get it
working. Now if you are unlucky, you got it working without the first
changes, which you have not backed out (uuuups).  So you have to wipe
the system and make only the changes you have to make to be safe.

Some comments on ssh.
There is a patch for sshd to run in a chroot environment, if you
understandably don't want to patch all the time there is a problem with
ssh.
You can still run sshd in a chroot; I've attached a file which creates
the environment. But you still have to maintain the passwd file in
<chroot>/etc/. BTW, I run chroot on /home. You should also run a separate
sshd for admins on a different port without chroot, firewall this port
and allow only connections from known hosts. This has the advantage that
you can have two different sshd_config files, one for users and one for
admins.

If you don't want to jump through the hoops for chroot, and don't care
if users can run commands over ssh, just add no-pty to the users'
authorized_keys2 file, which prevents bash from running.  The scheme of copying the *.pub
file to authorized_keys2 won't work since people can have multiple
machines they are using to cp files.

Notice that the script copies the original passwd file; you have to change it
to your needs before you run sshd in chroot and maintain it from that
point in time, example attached.  Also note the script doesn't install a
syslogd for the chroot environment; just run it with -e and redirect the
output, or change the script.

Hope this helps,
Ronald

BTW: I run this on fc3, and it's late let me know what I forgot.

On Mon, 2005-01-03 at 09:50 -0700, Collins Richey wrote:
> On Sun, 2 Jan 2005 22:18:40 -0700, Jed S. Baer <thag at frii.com> wrote:
> > On Sun, 2 Jan 2005 17:54:01 -0700
> > Collins Richey wrote:
> > 
> > > Yeah, I saw this one, too.
> > >
> > > FYI, either there's not an available RPM for FC3 for either scponly or
> > > rssh (I did a 'sudo yum search ...'), or we don't have a complete set
> > > of RPM repositories defined for yum. Would you like to check that  
> > 
> 
> [ various rpm sources snipped ]
> 
> I installed and tested an rssh rpm (FC2). /usr/bin/rssh has the same
> problem as /bin/rbash and a few others: sftp has no problem
> authenticating, but disconnects immediately.
> 
> None of the rpm sources for any distro have scponly 4.0, and all
> versions prior to this have a major security fault. Unfortunately, I
> can't even get the source for 4.0, inasmuch as the only source is the
> scponly homepage (www.sublimation.org) and that site is not
> responding.
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: create-sshd-chroot.sh
Type: application/x-shellscript
Size: 579 bytes
Desc: not available
Url : http://cluedenver.org/pipermail/clue-admin/attachments/20050104/83f092ea/create-sshd-chroot.bin
-------------- next part --------------
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ronald:x:500:500:Ronald Kuetemeier:/ronald:/usr/libexec/openssh/sftp-server
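As an added illustration of the two hand-maintained files this message talks about (not the attached create-sshd-chroot.sh and not anything from the list), the script below derives a <chroot>/etc/passwd from the host's passwd file for a chroot rooted at /home, and prefixes no-pty to one or more *.pub lines so they can be appended to authorized_keys2 rather than overwriting it. The passwd content, user names and key strings are constructed sample data.

```sh
#!/bin/sh
# Added example, not the attached create-sshd-chroot.sh: build the files
# the post says you must maintain by hand for a chrooted sshd.
set -eu

# Constructed sample of the host's /etc/passwd (not a real system file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ronald:x:500:500:Ronald Kuetemeier:/home/ronald:/bin/bash
alice:x:501:501:Alice Example:/home/alice:/bin/bash
admin1:x:502:502:Admin One:/home/admin1:/bin/bash'

# Build the passwd file for <chroot>/etc/ when the chroot root is $1:
# keep the sshd account (privilege separation needs it) and only the
# named members; strip the chroot prefix from their home directory
# (/home/ronald becomes /ronald inside the chroot) and make sftp-server
# their login shell so a login gives file transfer, not a shell.
# Admin accounts that use the separate, non-chrooted sshd are left out.
chroot_passwd() {
    # $1 = chroot prefix (e.g. /home), $2 = space-separated member names
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v OFS=: -v prefix="$1" -v members=" $2 " '
        $1 == "sshd" { print; next }
        index(members, " " $1 " ") {
            sub("^" prefix, "", $6)
            $7 = "/usr/libexec/openssh/sftp-server"
            print
        }'
}

# Read *.pub lines on stdin (one per machine the user connects from) and
# emit lines to append to authorized_keys2, each prefixed with no-pty so
# the key cannot allocate a terminal. Appending, not copying, is what
# keeps a user's second machine from clobbering the first one's key.
restrict_keys() {
    sed -e '/^ssh-/s/^/no-pty /'
}

# Stand-alone usage: print both derived files to stdout.
if [ "${1:-}" = "demo" ]; then
    chroot_passwd /home "ronald alice"
    printf 'ssh-rsa AAAAB3_constructed alice@laptop\nssh-dss AAAAB3_constructed alice@desktop\n' | restrict_keys
fi
```

Run it as `sh build-chroot-files.sh demo` to see the output; on a real host you would feed the host's passwd file and the users' actual *.pub files in place of the constructed samples and copy the results into <chroot>/etc/passwd and the user's authorized_keys2.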