numeritos (Apprentice)
Joined: 24 Nov 2006    Posts: 154
Posted: Mon Nov 27, 2006 7:21 pm    Post subject: ssh security enhancer script

I use this script for this (a friend and I made it): I've created a user with almost no permissions to log in over ssh, and instead of having /bin/bash as a shell this user has this script. So when I log in, it asks for another username. It checks whether that user is authorized by looking for it in /etc/ssh/authorized_users (one user per line, all as md5 hashes). If it's a match it executes su $user, but if it isn't, it simulates a login anyway. After I log in I've got a user with a little bit more permissions.
I know it's a little bit paranoid, but I am paranoid, hehe. And I have some fun doing this.
Code:
#!/bin/bash
# This shell script allows to enhance SSH security
# Copyright (C) 2006 Andrés Gustavo Martinelli / Thomas Tesone
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

function validate_user ()
{
    echo ""
    echo -n "Linux SSH Secure login: "
    read -r user
    # Converts the user string to an md5 hash to compare with
    # the authorized users (md5sum prints "<hash>  -", so strip the rest)
    usermd5=$( echo -n "$user" | md5sum | tr -d " " | tr -d "-")
    # Saves in an array all the possible users (one hash per line)
    i=0
    while read -r user_cmp
    do
        valid_users[$i]="$user_cmp"
        ((i += 1))
    done </etc/ssh/authorized_users
    max=${#valid_users[@]}
    match_flag=0
    # Compares all possible users against the current username
    # and returns 1 if it found a match (&& is the logical and; & would be bitwise)
    for ((i=0; i < max && match_flag != 1 ; i++))
    do
        if [ "$usermd5" = "${valid_users[$i]}" ]
        then
            match_flag=1
        fi
    done
    return "$match_flag"
}

validate_user
if [ "$?" = 1 ]
then
    su "$user"
else
    # Asks for the password anyway
    read -r -s -p "Password: " fakepass
    echo ""
    # Change the following line to match the normal response time of login
    sleep 3
    echo "Login incorrect"
fi

Some things could of course be added and/or enhanced. Maybe a mail to the admin when a wrong login occurs could be added. I don't have time to add it right now because I've got a lot to study.
Hope you like it!
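A hardened variant of the same idea, added here as an example and not the posters' script: it keeps the design the post describes (second username, md5 list in /etc/ssh/authorized_users, su on a match, fake password prompt on a mismatch) but ignores INT/QUIT/TSTP so the script cannot be interrupted while it runs, validates the name against a conservative character set before it reaches su, replaces itself with su via exec so no interpreter is left behind, and records failures to a log file, which is the "mail to admin" hook numeritos mentions. AUTHORIZED_USERS, FAIL_LOG, the log line format and the `[ -t 0 ] && SSH_CONNECTION` guard are assumptions. One caveat a reviewer would add: the md5 of a short username is recovered by guessing in seconds, so the hashed list only hides the names from a casual glance; the real access control stays with su's password check and sshd's own authentication.

```shell
#!/bin/bash
# Added example, not the original posters' script: a hardened version of the
# second-stage login check. Paths are assumptions; override them via the
# environment. The file format (one md5 hex digest per line) is the one the
# original post describes.
AUTHORIZED_USERS="${AUTHORIZED_USERS:-/etc/ssh/authorized_users}"
FAIL_LOG="${FAIL_LOG:-/var/log/ssh-secure-login.log}"

# hash_name NAME -> md5 hex digest of NAME (no trailing "  -"), using GNU
# md5sum where present and BSD md5 -q otherwise.
hash_name() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d ' ' -f 1
    else
        printf '%s' "$1" | md5 -q
    fi
}

# is_authorized NAME FILE -> exit 0 if md5(NAME) is a whole line of FILE.
# The name is checked first so nothing unexpected can reach su; grep -Fxq
# (fixed string, whole line, quiet) replaces the array-and-loop scan.
is_authorized() {
    name=$1
    file=$2
    case "$name" in
        '' | [!A-Za-z0-9_]* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ -r "$file" ] || return 1
    grep -Fxq -- "$(hash_name "$name")" "$file"
}

# record_failure NAME -> append a timestamped line to FAIL_LOG. This is the
# "notify the admin" hook; swap in logger(1) or mail as wanted.
record_failure() {
    client=${SSH_CLIENT:-unknown}
    client=${client%% *}
    printf '%s second-stage login failed user=%s client=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" "$client" >> "$FAIL_LOG"
}

# Interactive part; only run from an ssh session with a terminal attached.
main() {
    # Ignore interrupt, quit and suspend so the user cannot stop the script
    # part way through, which is the concern raised later in the thread.
    trap '' INT QUIT TSTP
    printf '\nLinux SSH Secure login: '
    IFS= read -r user
    if is_authorized "$user" "$AUTHORIZED_USERS"; then
        # Restore default signal handling for the real session, then exec:
        # the script's shell is replaced, so there is nothing to return to.
        trap - INT QUIT TSTP
        exec su -l "$user"
    fi
    # Unknown name: ask for a password anyway and fail after the same fixed
    # delay as the original script.
    printf 'Password: '
    stty -echo 2>/dev/null
    IFS= read -r _
    stty echo 2>/dev/null
    echo
    record_failure "$user"
    sleep 3
    echo 'Login incorrect'
    exit 1
}

if [ -t 0 ] && [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

The checks are in functions so they can be exercised without a terminal: `hash_name alice > authorized_users` produces a list entry, and `is_authorized alice authorized_users` returns 0 only for a whole-line match of a well-formed name.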
erik258 (Advocate)
Joined: 12 Apr 2005    Posts: 2650    Location: Twin Cities, Minnesota, USA
Posted: Mon Nov 27, 2006 7:39 pm

mark g. sobell, in A Practical Guide to Red Hat Linux, recommends not using shell scripts as login programs in /etc/passwd because of the possibility of interrupting the script and gaining unintended access to bash.
i don't know how this would be done.
now, i don't mean to be a buzzkill but you might be better off using /etc/ssh/sshd_config settings. here are some excerpts...
Code:
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
# (and from above)
#ClientAliveCountMax 0 #3

you can see here that anoncvs isn't allowed to x forward or tcp forward. I don't know what ForceCommand is (may apply to you if you do decide to use your script) and I'm guessing that if you set ClientAliveCountMax 0 for a user (or as default) then this user (by default everyone) won't be allowed to connect at all!
or you could consider converting your program to C or another compiled language which is much less insecure in this respect.
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!
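As an added example (not erik258's file and not from the thread), this is the sshd_config shape a defender would actually deploy for the idea quoted above: AllowGroups, which cannot appear inside a Match block, decides globally who may authenticate at all, and a Match Group block strips forwarding and pins the session to one command for the restricted group. The group name and the command path are placeholders. For reference, ClientAliveCountMax is the number of unanswered keepalive probes sshd tolerates before dropping an idle client, not a per-user connection switch; to keep a user out, leave them out of AllowGroups or list them in DenyUsers.

```text
# /etc/ssh/sshd_config (added example fragment; group and command names are placeholders)

# Global section: only members of these groups may authenticate at all.
# Everyone else is rejected by sshd itself, before any shell or script runs.
AllowGroups sshadmins sshrestricted

# Everything from here to the next Match line (or end of file) applies only
# to members of sshrestricted; the global settings remain for everyone else.
Match Group sshrestricted
    X11Forwarding no
    AllowTcpForwarding no
    # sshd ignores whatever command the client asked for and runs this one
    # instead (through the user's login shell with -c), so the user's own
    # shell entry never becomes an interactive session.
    ForceCommand /usr/local/bin/restricted-menu
```

Check the result with `sshd -t` before restarting the daemon; a Match keyword that a given OpenSSH version does not allow inside Match is reported there rather than silently ignored.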
nixnut (Bodhisattva)
Joined: 09 Apr 2004    Posts: 10974    Location: the dutch mountains
Posted: Mon Nov 27, 2006 7:43 pm

Moved from Portage & Programming to Networking & Security.
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
talk is cheap. supply exceeds demand
numeritos (Apprentice)
Joined: 24 Nov 2006    Posts: 154
Posted: Mon Nov 27, 2006 8:01 pm

erik258 wrote:
> now, i don't mean to be a buzkill but you might be better off using /etc/ssh/sshd_config settings. here are some exerpts...
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> #       X11Forwarding no
> #       AllowTcpForwarding no
> #       ForceCommand cvs server
> # (and from above)
> #ClientAliveCountMax 0 #3
> you can see here that anncvs isn't allowed to x forward or tcp forward. I don't know what ForceCommand is (may apply to you if you do decide to use your script) and I'm guessing that if you set ClientAliveMaxCount 0 for a user (or as default) then this user (by default everyone) won't be allowed to connect at all!
> or you could consider converting your program to C or another compiled language which is much less insecure in this respect.

I don't see a Match User option in the man ssh pages. I didn't find any option related to configuring sshd_config on a per-user basis. I did use AllowGroups and AllowUsers to allow specific groups and users to connect to ssh.
Regarding converting to C: it could be a good idea, but can I set a .o file as a user's shell?
edit: when you said "interrupting the script and gaining access to bash", I don't understand how this could be done. I mean, you already had to log in with a user (let's say user ssh) and this user has this script as its shell (but that user does not have access to bash).
erik258 (Advocate)
Joined: 12 Apr 2005    Posts: 2650    Location: Twin Cities, Minnesota, USA
Posted: Mon Nov 27, 2006 8:26 pm

Quote:
> Regarding converting to C: it could be a good idea, but can I put as a shell a .o file for a user?

.o files are object files; they're compiled but not linked. you need to use an actual executable as a shell. gcc can output either .o files or real executables. for example,

Code:
echo '#include <stdio.h>
int main(){ printf("hi, world, from c!\n"); return 0;}' > prog.c
gcc -c prog.c       # creates prog.o
gcc -o prog prog.o  # links prog.o with the stdlib for printf and makes an executable
./prog
hi, world, from c!

your script is an executable because it really is just interpreted by bash via the magic shebang line at the beginning of the script. which may help to answer the question..

Quote:
> this user has as shell this script (but that user does not have access to bash

because bash is running the script, perhaps a ctrl-c or ctrl-z could get out to bash? to be fair, i don't know how one would do this (mark g. sobell is a decent author though, and seems to know his stuff - he's been around a while). And since your users have to log in through ssh's strong security mechanisms anyway, it's not like just anyone can log on to your boxes.

Quote:
> I don't see Match User option on man ssh pages. I didn't find any option related to configuring sshd_config on per user basis. I did use AllowGroups and AllowUsers to allow specific groups and users to connect to ssh.

well, i just found it in /etc/ssh/sshd_config, commented out as an example of what you could do. I think it's really just for controlling the settings of sshd on a per-user basis, not allowing or disallowing a particular user altogether. i think the AllowGroups option is probably a much, much better way to do this.
zerojay (Veteran)
Joined: 09 Aug 2003    Posts: 1033
Posted: Mon Nov 27, 2006 8:33 pm

Quote:
> well, i just found it in /etc/ssh/sshd_config, comented out as an example of what you could do. I think it's really just for controlling the settings of sshd on a per-user basis, not allowing or disallowing a particular user alltogether. i think the AllowGroups option is probably a much, much better way to do this.

Agreed. And yes, running a shell script as a login is a *bad* idea.
numeritos (Apprentice)
Joined: 24 Nov 2006    Posts: 154
Posted: Mon Nov 27, 2006 8:39 pm

Quote:
> because bash is running the script, perhaps a ctrl-c or ctrl-z could get out to bash? to be fair, i don't know how one would do this (mark g. sobell is a decent author though, and seems to know his stuff - he's been around a while). And since your users have to log on in through ssh's strong security mechansisms anyway, so it's not like just anyone can log on to your boxes.

Ctrl+C just closes the connection. But as bash is an interpreted language you may be right about being able to stop that script and gain bash access (I just can't imagine how, but there may be a way). I'll rewrite it whenever I find some free time.

Quote:
> well, i just found it in /etc/ssh/sshd_config, comented out as an example of what you could do. I think it's really just for controlling the settings of sshd on a per-user basis, not allowing or disallowing a particular user alltogether. i think the AllowGroups option is probably a much, much better way to do this.

I don't know which version of ssh you have, but I've got OpenSSH 4.4 and I couldn't find any way of configuring it on a per-user basis. And yes, it's better to use AllowGroups anyway.
I'm looking forward to having some free time to rewrite it and test it!
Anyway, I've already got strong security settings, and I use PAM for the login (to be able to lock an account after x failed attempts and reopen it using cron after some time).
erik258 (Advocate)
Joined: 12 Apr 2005    Posts: 2650    Location: Twin Cities, Minnesota, USA
Posted: Mon Nov 27, 2006 8:46 pm

Code:
dan@descartes ~ $ ssh -V
OpenSSH_4.4p1, OpenSSL 0.9.8c 05 Sep 2006

are you looking in /etc/ssh/sshd_config or /etc/ssh/ssh_config? former for server daemon, latter for client option defaults
numeritos (Apprentice)
Joined: 24 Nov 2006    Posts: 154
Posted: Mon Nov 27, 2006 8:49 pm

erik258 wrote:
> dan@descartes ~ $ ssh -V
> OpenSSH_4.4p1, OpenSSL 0.9.8c 05 Sep 2006
>
> are you looking in /etc/ssh/sshd_config or /etc/ssh/ssh_config? former for server daemon, latter for client option defaults

Hehe, my bad. I was looking at sshd_config and not ssh_config.
I prefer using AllowGroups in sshd_config anyway.