From owner-freebsd-security@FreeBSD.ORG Mon Oct 4 20:54:12 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 27ECD16A4D0; Mon, 4 Oct 2004 20:54:12 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C41443D46; Mon, 4 Oct 2004 20:54:12 +0000 (GMT) (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) i94KsBx8021964; Mon, 4 Oct 2004 20:54:11 GMT (envelope-from security-advisories@freebsd.org)
Received: (from nectar@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i94KsBD9021963; Mon, 4 Oct 2004 20:54:11 GMT (envelope-from security-advisories@freebsd.org)
Date: Mon, 4 Oct 2004 20:54:11 GMT
Message-Id: <200410042054.i94KsBD9021963@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Precedence: bulk
Subject: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Reply-To: security-advisories@freebsd.org
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 04 Oct 2004 20:54:12 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:15.syscons                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Boundary checking errors in syscons

Category:       core
Module:         sys_dev_syscons
Announced:      2004-10-04
Credits:        Christer Oberg
Affects:        FreeBSD 5.x releases
Corrected:      2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6)
                2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11)
CVE Name:       CAN-2004-0919
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

syscons(4) is the default console driver for FreeBSD. Using the physical
keyboard and screen, it provides multiple virtual terminals which appear
as if they were separate terminals. One virtual terminal is considered
current and exclusively occupies the screen and the keyboard; the other
virtual terminals are placed in the background.

II.  Problem Description

The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of its
input arguments. In particular, negative coordinates or large coordinates
may cause unexpected behavior.

III. Impact

It may be possible to cause the CONS_SCRSHOT ioctl to return portions of
kernel memory. Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers. This information might be
directly useful, or it might be leveraged to obtain elevated privileges
in some way. For example, a terminal buffer might include a user-entered
password.

IV.  Workaround

There is no known workaround. However, this bug is only exploitable by
users who have access to the physical console or can otherwise open a
/dev/ttyv* device node.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to the RELENG_5_2 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5_2
  src/UPDATING                                                 1.282.2.19
  src/sys/conf/newvers.sh                                       1.56.2.18
  src/sys/dev/syscons/syscons.c                                 1.409.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBYYMTFdaIBMps37IRAuNbAJ4jbPnqo3vvEeD33ItW09r3zAuh5QCghq5v
SN4Y+OCpzJ7Szy3s++slzeQ=
=FlYi
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Oct 4 23:15:26 2004
From: "Darren Pilgrim"
Date: Mon, 4 Oct 2004 16:15:07 -0700
Message-ID: <000601c4aa68$0034af70$162a15ac@spud>
In-reply-to: <200410042054.i94KsBD9021963@freefall.freebsd.org>
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons

> FreeBSD-SA-04:15.syscons
<...>
> IV.  Workaround
>
> There is no known workaround. However, this bug is only exploitable
> by users who have access to the physical console or can otherwise open
> a /dev/ttyv* device node.

Is there anything in the base system that, by design or flaw, can be used
by a non-root user to open a ttyv device?

Is the tty snoop device vulnerable by proxy?

From owner-freebsd-security@FreeBSD.ORG Tue Oct 5 06:29:22 2004
From: Alex de Kruijff
To: Giorgos Keramidas
Date: Tue, 05 Oct 2004 08:29:19 +0200
Message-id: <20041005062919.GE917@alex.lan>
In-reply-to: <20040928090551.GA1800@orion.daedalusnetworks.priv>
User-Agent: Mutt/1.4.2.1i
cc: freebsd-security@freebsd.org
cc: Colin Percival
Subject: Re: compare-by-hash (was Re: sharing /etc/passwd)

On Tue, Sep 28, 2004 at 12:05:51PM +0300, Giorgos Keramidas wrote:
> On 2004-09-27 07:13, Colin Percival wrote:
> > Giorgos Keramidas wrote:
> > >Increasing the number of bits the hash key uses will decrease the
> > >possibility of a collision but never eliminate it entirely, AFAICT.
> >
> > How small does a chance of error need to be before you're willing to
> > ignore it?
>
> That's a good question. I'm not sure I have a definitive answer, but
> the possibility of a collision is indeed scary. Especially since I
> haven't seen a study of what the real probability of a collision is,
> given the fact that passwords aren't (normally) random binary data but
> a much smaller subset of the universe being hashed.

I could be wrong, but aren't hash values more random than anything a user
can input?

> > If an appropriately strong hash is used (eg, SHA1), then the probability
> > of obtaining an incorrect /etc/*pwd.db with a correct hash is much
> > smaller than the probability of a random incorrect password being
> > accepted. Remember, passwords are stored by their MD5 hashes, so a
> > random password has a 2^(-128) chance of working.
>
> I was probably being unreasonably paranoid about 'modified' passwords
> that don't get detected as modified, but what you describe is also
> true.

You could simply scp these few files after the rsync. These files aren't
that large.

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/

From owner-freebsd-security@FreeBSD.ORG Tue Oct 5 12:38:19 2004
From: "Jacques A. Vidrine"
To: Darren Pilgrim
Date: Tue, 5 Oct 2004 07:37:54 -0500
Message-ID: <20041005123754.GC12681@madman.celabo.org>
References: <200410042054.i94KsBD9021963@freefall.freebsd.org> <000601c4aa68$0034af70$162a15ac@spud>
In-Reply-To: <000601c4aa68$0034af70$162a15ac@spud>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.6i
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons

Hi Darren,

On Mon, Oct 04, 2004 at 04:15:07PM -0700, Darren Pilgrim wrote:
> > FreeBSD-SA-04:15.syscons
> <...>
> > IV.  Workaround
> >
> > There is no known workaround. However, this bug is only exploitable
> > by users who have access to the physical console or can otherwise open
> > a /dev/ttyv* device node.
>
> Is there anything in the base system that, by design or flaw, can be used by
> a non-root user to open a ttyv device?

Any user can open a ttyv device that she owns. But if you mean, "can be
used by a non-root user to open a ttyv device not owned by that user?":
None of which I'm aware.

> Is the tty snoop device vulnerable by proxy?

No, it is not. The snp device does not "forward" ioctls.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 17:29:38 2004
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Thu, 07 Oct 2004 18:29:35 +0100
Organization: Insignia Solutions
X-Mailer: Forte Agent 2.0/32.640
Subject: Question restricting ssh access for some users only

I've used ssh as a secure telnet up to now but done little else with it.
The FreeBSD machines I look after on our internet-facing network all have
one account which I connect to for administration. I've set up
/etc/hosts.allow on all the machines to only allow ssh from a limited
internal network range.
Now I want to create a new account on one machine which will be accessible
from the Internet as a whole, to be used for tunnelling of SMTP and POP3.
I can't predict what the client IP address will be so I will have to
remove the hosts.allow restriction.

Is there any way I can:

- still prevent connections to my admin user from anywhere except a
  restricted set of addresses
- disallow shell access for the new account but still allow tunnelling

I think I can solve the first problem by using a new login class and an
entry in login.conf, but there may be better ways. I think I can solve
the second by giving the new user a shell of /bin/cat (putting that in
/etc/shells) but again there may be a neater way.

jim

From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 17:53:05 2004
From: Volker Kindermann
To: freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 19:54:17 +0200
Message-ID: <20041007195417.430a8b5c@ariel.office.volker.de>
X-Mailer: Sylpheed-Claws 0.9.12a (GTK+ 1.2.10; i386-portbld-freebsd5.2.1)
Subject: Re: Question restricting ssh access for some users only

Hi Jim,

> I've used ssh as a secure telnet up to now but done little else with
> it. The FreeBSD machines I look after on our internet-facing network
> all have one account which I connect to for administration. I've set
> up /etc/hosts.allow on all the machines to only allow ssh from a
> limited internal network range.
>
> Now I want to create a new account on one machine which will be
> accessible from the Internet as a whole, to be used for tunnelling of
> SMTP and POP3. I can't predict what the client IP address will be so I
> will have to remove the hosts.allow restriction.

have you considered the "AllowGroups" and "AllowUsers" directives of
sshd_config? They should provide exactly the functionality that you want.

-volker

From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:05:30 2004
From: Mark Ogden
To: Volker Kindermann
Date: Thu, 7 Oct 2004 12:06:30 -0600
Message-ID: <20041007180630.GA25130@yem.eng.utah.edu>
In-Reply-To: <20041007195417.430a8b5c@ariel.office.volker.de>
User-Agent: Mutt/1.5.5.1i
cc: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only

Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> Hi Jim,
>
> > I've used ssh as a secure telnet up to now but done little else with
> > it. The FreeBSD machines I look after on our internet-facing network
> > all have one account which I connect to for administration. I've set
> > up /etc/hosts.allow on all the machines to only allow ssh from a
> > limited internal network range.
> >
> > Now I want to create a new account on one machine which will be
> > accessible from the Internet as a whole, to be used for tunnelling of
> > SMTP and POP3. I can't predict what the client IP address will be so I
> > will have to remove the hosts.allow restriction.
>
> have you considered the "AllowGroups" and "AllowUsers" directives of
> sshd_config? They should provide exactly the functionality that you want.

But what if you have 1000 users? From my understanding you would have
to add all users to the AllowUsers list.

-Mark

>
> -volker

From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:22:20 2004
From: Vlad GALU
To: Volker Kindermann, freebsd-security@freebsd.org
Date: Thu, 7 Oct 2004 21:22:16 +0300
Message-ID: <79722fad041007112227c3c241@mail.gmail.com>
In-Reply-To: <20041007180630.GA25130@yem.eng.utah.edu>
References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu>
Reply-To: Vlad GALU
Subject: Re: Question restricting ssh access for some users only

On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden wrote:
> Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > Hi Jim,
> >
> > > I've used ssh as a secure telnet up to now but done little else with
> > > it. The FreeBSD machines I look after on our internet-facing network
> > > all have one account which I connect to for administration.
> > > I've set
> > > up /etc/hosts.allow on all the machines to only allow ssh from a
> > > limited internal network range.
> > >
> > > Now I want to create a new account on one machine which will be
> > > accessible from the Internet as a whole, to be used for tunnelling of
> > > SMTP and POP3. I can't predict what the client IP address will be so I
> > > will have to remove the hosts.allow restriction.
> >
> > have you considered the "AllowGroups" and "AllowUsers" directives of
> > sshd_config? They should provide exactly the functionality that you want.
>
> But what if you have 1000 users? From my understanding you would have
> to add all users to the AllowUsers list.

Or simply add all of them to one of the groups specified in "AllowGroups".

> -Mark
>
> > -volker
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
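The pieces named in this thread, put together into one configuration as an added example (not something any poster supplied): AllowGroups carries the large user population, which is the answer to the objection that AllowUsers would have to list every user; a `from=` option on root's key confines root logins to the one or two admin hosts, which is what the later question about 9000 users and root access asks for; and a forced-command, no-pty key serves Jim's Internet-facing tunnel account with forwarding limited to the mail server. The group name, the admin addresses (documentation range), the account name, the mail server name and the key material are all assumptions.

```text
# /etc/ssh/sshd_config (added example; group and host values are assumptions)
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
# Membership in one of these groups is the whole per-user access list: a site
# with 9000 users adds them to "sshusers" instead of naming each one in
# AllowUsers. root is a member of "wheel" on FreeBSD, so it still qualifies.
AllowGroups sshusers wheel
# root may authenticate only with a key, never with a password; where it may
# connect from is decided by the options on the key below.
PermitRootLogin without-password

# /root/.ssh/authorized_keys: this key is accepted only when the client's
# address matches the from= list (addresses assumed; key is a placeholder).
from="192.0.2.10,192.0.2.11" ssh-rsa AAAA...PLACEHOLDER... root@admin-hosts

# /home/tunnel/.ssh/authorized_keys: the relay account gets no pty and a
# forced command instead of an interactive shell, and sshd refuses every
# client-requested forwarding except the mail server's SMTP and POP3 ports.
command="/bin/sleep 86400",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="mail.example.net:25",permitopen="mail.example.net:110" ssh-rsa AAAA...PLACEHOLDER... tunnel-only
```

A few points a practitioner should check when adopting this. `from=` matches the client's IP address or reverse-resolved host name against the pattern list, so listing addresses keeps the restriction independent of DNS. AllowUsers and AllowGroups are both applied when both are set, so putting `root@host` in AllowUsers would force every other account onto that list as well; the key option avoids that. The `tunnel` account (and root) must be in one of the AllowGroups groups, and its passwd entry must keep a real shell such as /bin/sh, because sshd runs the forced command through the login shell; it is the forced command, not the shell, that denies interactive use. `permitopen` restricts only client-requested (`-L`) forwards, so the client connects with `ssh -N -L 2525:mail.example.net:25 -L 2110:mail.example.net:110 tunnel@host`; the `sleep` only keeps the session alive if a client omits `-N`. The hosts.allow rules on the other machines can stay as they are; on this one the per-user source restriction now comes from the key options rather than from tcp_wrappers. Newer OpenSSH spells the root setting `prohibit-password` and still accepts `without-password` as an alias.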
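Stepping back to the FreeBSD-SA-04:15.syscons advisory that opened this digest: it states that the CONS_SCRSHOT ioctl validated its coordinate arguments insufficiently, so negative or very large coordinates could make the copy read outside the screen buffer and return other kernel memory. The following is an added example of the two ways such a region check can be written, one that admits that class of request and one that rejects it; it is not the syscons code or the FreeBSD fix. The request fields (x, y, xsize, ysize), the 8x4 screen and the sample cell contents are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a text console: a small grid of 16-bit cells. */
#define SCREEN_COLS 8
#define SCREEN_ROWS 4

/* Hypothetical screenshot request: origin and size of the rectangle to copy.
 * The field names only mirror what the advisory describes (coordinates and
 * sizes); they are an assumption, not the kernel's structure. */
struct region {
    int x, y;          /* top-left corner, in cells */
    int xsize, ysize;  /* width and height, in cells */
};

/* Insufficient check: it only asks whether the far corner fits. A negative
 * x or y passes and points the copy before the buffer, and a very large
 * xsize or ysize can overflow the signed addition (undefined behaviour in C,
 * in practice a wrap-around that also passes). */
static bool region_ok_naive(const struct region *r, int cols, int rows)
{
    return r->x + r->xsize <= cols && r->y + r->ysize <= rows;
}

/* Complete check: every field must be non-negative, each size no larger than
 * the screen, and the far corner is compared by subtraction on the already
 * bounded values, so no addition can overflow. */
static bool region_ok_strict(const struct region *r, int cols, int rows)
{
    if (r->x < 0 || r->y < 0 || r->xsize < 0 || r->ysize < 0)
        return false;
    if (r->xsize > cols || r->ysize > rows)
        return false;
    return r->x <= cols - r->xsize && r->y <= rows - r->ysize;
}

/* Copy the requested rectangle from screen to out, row by row. Returns the
 * number of cells copied, or -1 if the request is rejected or out is too
 * small. Only the strict check guards the copy. */
static long screenshot(const uint16_t *screen, int cols, int rows,
                       const struct region *r, uint16_t *out, size_t outcap)
{
    if (!region_ok_strict(r, cols, rows))
        return -1;
    size_t need = (size_t)r->xsize * (size_t)r->ysize;
    if (need > outcap)
        return -1;
    for (int row = 0; row < r->ysize; row++)
        memcpy(out + (size_t)row * (size_t)r->xsize,
               screen + (size_t)(r->y + row) * (size_t)cols + (size_t)r->x,
               (size_t)r->xsize * sizeof *out);
    return (long)need;
}

/* Fill a sample screen so each cell encodes its position (row * 16 + col),
 * which makes a copied rectangle easy to verify. */
static void fill_sample_screen(uint16_t *screen, int cols, int rows)
{
    for (int y = 0; y < rows; y++)
        for (int x = 0; x < cols; x++)
            screen[y * cols + x] = (uint16_t)(y * 16 + x);
}

int main(void)
{
    uint16_t screen[SCREEN_ROWS * SCREEN_COLS];
    uint16_t out[SCREEN_ROWS * SCREEN_COLS];
    const struct region inside = { 2, 1, 3, 2 };   /* fits the 8x4 screen */
    const struct region before = { -1, 0, 2, 2 };  /* starts left of column 0 */

    fill_sample_screen(screen, SCREEN_COLS, SCREEN_ROWS);
    printf("negative origin: naive=%s strict=%s\n",
           region_ok_naive(&before, SCREEN_COLS, SCREEN_ROWS) ? "accept" : "reject",
           region_ok_strict(&before, SCREEN_COLS, SCREEN_ROWS) ? "accept" : "reject");

    long n = screenshot(screen, SCREEN_COLS, SCREEN_ROWS, &inside,
                        out, sizeof out / sizeof out[0]);
    printf("copied %ld cells, first cell 0x%02x, last cell 0x%02x\n",
           n, n > 0 ? out[0] : 0, n > 0 ? out[n - 1] : 0);
    return 0;
}
```

The naive form is the one to look for in review: a check that only tests the far edge with signed arithmetic says nothing about the near edge, and the copy that follows it trusts the caller's origin. The strict form rejects each field separately before combining any of them, which is also what makes the later size-times-size computation safe to do in size_t.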
From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:23:37 2004
From: "Robert Westendorp"
To: "Mark Ogden", "Volker Kindermann"
Date: Thu, 7 Oct 2004 11:23:27 -0700
Message-ID: <022e01c4ac9a$be186f70$d3a1f4cc@rob>
References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu>
cc: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only

Use the AllowGroups .. and have all the users who should have SSH access
in that particular group .. perhaps by default have an SSH users group be
the SSHable group.
----- Original Message -----
From: "Mark Ogden"
To: "Volker Kindermann"
Sent: Thursday, October 07, 2004 11:06 AM
Subject: Re: Question restricting ssh access for some users only

> Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > Hi Jim,
> >
> > > I've used ssh as a secure telnet up to now but done little else with
> > > it. The FreeBSD machines I look after on our internet-facing network
> > > all have one account which I connect to for administration. I've set
> > > up /etc/hosts.allow on all the machines to only allow ssh from a
> > > limited internal network range.
> > >
> > > Now I want to create a new account on one machine which will be
> > > accessible from the Internet as a whole, to be used for tunnelling of
> > > SMTP and POP3. I can't predict what the client IP address will be so I
> > > will have to remove the hosts.allow restriction.
> >
> > have you considered the "AllowGroups" and "AllowUsers" directives of
> > sshd_config? They should provide exactly the functionality that you want.
>
> But what if you have 1000 users? From my understanding you would have
> to add all users to the AllowUsers list.
>
> -Mark
>
> > -volker

From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:32:59 2004
From: Mark Ogden
To: Vlad GALU
Date: Thu, 7 Oct 2004 12:34:00 -0600
Message-ID: <20041007183400.GA25339@yem.eng.utah.edu>
In-Reply-To: <79722fad041007112227c3c241@mail.gmail.com>
References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com>
cc: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only

Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden wrote:
> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
> > > Hi Jim,
> > >
> > >
> > But what if you have 1000 users?
> > From my understanding you would have
> > to add all users to the AllowUsers list.
>
> Or simply add all of them to one of the groups specified in "AllowGroups".

Yes I do understand how that would work. Let me better explain what we
would like to do: We have over 9000 users and about 100 different groups.
We would like to allow root ssh login to our machines but only from one or
two machines. We like to have root login to be able to run remote commands
to all our machines. So is there a way to limit root's login to one or two
machines?

-Mark

From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:40:12 2004
From: Mark Stanislav
To: Mark Ogden
Date: Thu, 07 Oct 2004 14:39:35 -0400
Message-id: <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com>
In-reply-to: <20041007183400.GA25339@yem.eng.utah.edu>
References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu>
X-Mailer: Apple Mail (2.619)
cc: freebsd-security@freebsd.org
Subject: Re: Question restricting ssh access for some users only

On Oct 7, 2004, at 2:34 PM, Mark Ogden wrote:

> Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote:
>> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden
>> wrote:
>>> Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote:
>>>> Hi Jim,
>>>>
>>>>
>>> But what if you have 1000 users? From my understanding you would have
>>> to add all users to the AllowUsers list.
>>

Why can't you just make a script to do that?

>> Or simply add all of them to one of the groups specified in
>> "AllowGroups".
>
> Yes I do understand how that would work. Let me better explain what we
> would like to do: We have over 9000 users and about 100 different
> groups. We would like to allow root ssh login to our machines but only
> from one or two machines. We like to have root login to be able to run
> remote commands to all our machines. So is there a way to limit root's
> login to one or two machines?

Why not just let them use 'sudo' or better yet, just give them access
to become root after they login to their initial shell?
-Mark

>
> -Mark
>

From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:51:04 2004
From: "Mark Skurzynski"
Date: Thu, 7 Oct 2004 14:50:49 -0400
Organization: Lomag Internet Services, LLC
Message-ID: <080b01c4ac9e$90584250$0a13a8c0@lomag.net>
References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu> <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com>
Subject: Re: Question restricting ssh access for some users only
List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2004 18:51:04 -0000 Hi Fellow Marks, I normally don't reply here; however, the simple solution is to run a 2nd instance of sshd on any random port you choose, i.e. "sshd -f /etc/ssh/sshd_config_private" or whatever you choose. You could then easily firewall that port and only allow specific IPs to connect. Thanks, Mark -- **************************************************** Mark Skurzynski * Lomag Internet Services, LLC mark@lomag.net * http://www.lomag.net Edison, NJ USA * 908-754-2296 **************************************************** ----- Original Message ----- From: "Mark Stanislav" To: "Mark Ogden" Cc: Sent: Thursday, October 07, 2004 2:39 PM Subject: Re: Question restricting ssh access for some users only > > On Oct 7, 2004, at 2:34 PM, Mark Ogden wrote: > > > Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote: > >> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden > >> wrote: > >>> Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote: > >>>> Hi Jim, > >>>> > >>>> > >>> But what if you have 1000 users? From my understanding you would have > >>> to add all users to the AllowUsers list. > >> > > Why can't you just make a script to do that? > > >> Or simply add all of them to one of the groups specified in > >> "AllowGroups". > > > > Yes I do understand how that would work. Let me better explain what we > > would like to do: We have over 9000 users and about 100 different > > groups. We would like to allow root ssh login to our machines but > > from one or two machines. We like to have root login to be able to run > > remote commands to all our machines. So is there a way to limit roots > > login from one or two machines? > > Why not just let them use 'sudo' or better yet, just give them access > to become root after they login to their initial shell? 
> > -Mark > > > > > -Mark > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > > "freebsd-security-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:51:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4803A16A4CE for ; Thu, 7 Oct 2004 18:51:31 +0000 (GMT) Received: from yem.eng.utah.edu (yem.eng.utah.edu [155.99.222.96]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B21A43D48 for ; Thu, 7 Oct 2004 18:51:31 +0000 (GMT) (envelope-from ogden@yem.eng.utah.edu) Received: from ogden by yem.eng.utah.edu with local (Exim 4.42 (FreeBSD)) id 1CFdNQ-0006el-Dx; Thu, 07 Oct 2004 12:52:32 -0600 Date: Thu, 7 Oct 2004 12:52:32 -0600 From: Mark Ogden To: Mark Stanislav Message-ID: <20041007185232.GA25539@yem.eng.utah.edu> Mail-Followup-To: Mark Stanislav , freebsd-security@freebsd.org References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu> <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com> User-Agent: Mutt/1.5.5.1i Sender: Mark L Ogden cc: freebsd-security@freebsd.org Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2004 18:51:31 -0000 Mark Stanislav on Thu, Oct 07, 2004 at 02:39:35PM -0400 wrote: > > On Oct 7, 2004, at 2:34 PM, Mark Ogden wrote: > > >Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote: > >>On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden > >>wrote: > >>>Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote: > >>>>Hi Jim, > >>>> > >>>> > >>>But what if you have 1000 users? From my understanding you would have > >>>to add all users to the AllowUsers list. > >> > > Why can't you just make a script to do that? > > >> Or simply add all of them to one of the groups specified in > >>"AllowGroups". > > > >Yes I do understand how that would work. Let me better explain what we > >would like to do: We have over 9000 users and about 100 different > >groups. We would like to allow root ssh login to our machines but only > >from one or two machines. We like to have root login to be able to run > >remote commands to all our machines. So is there a way to limit roots > >login from one or two machines? > > Why not just let them use 'sudo' or better yet, just give them access > to become root after they login to their initial shell? For us: 1) 'sudo' is in AFS, so one would have to get a token (by typing a password) first to be able to use sudo. 2) To use su without a password, again one would have to use their token gotten from AFS. See #1. I guess we could investigate AFSTokenPassing via ssh. 
-Mark From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:53:24 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9739A16A4CE for ; Thu, 7 Oct 2004 18:53:24 +0000 (GMT) Received: from yem.eng.utah.edu (yem.eng.utah.edu [155.99.222.96]) by mx1.FreeBSD.org (Postfix) with ESMTP id 81BD543D49 for ; Thu, 7 Oct 2004 18:53:24 +0000 (GMT) (envelope-from ogden@yem.eng.utah.edu) Received: from ogden by yem.eng.utah.edu with local (Exim 4.42 (FreeBSD)) id 1CFdPF-0006fH-PM; Thu, 07 Oct 2004 12:54:25 -0600 Date: Thu, 7 Oct 2004 12:54:25 -0600 From: Mark Ogden To: Mark Skurzynski Message-ID: <20041007185425.GB25539@yem.eng.utah.edu> Mail-Followup-To: Mark Skurzynski , freebsd-security@freebsd.org References: <20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu> <3C735693-1890-11D9-B63E-000A95CD9660@uncompiled.com> <080b01c4ac9e$90584250$0a13a8c0@lomag.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <080b01c4ac9e$90584250$0a13a8c0@lomag.net> User-Agent: Mutt/1.5.5.1i Sender: Mark L Ogden cc: freebsd-security@freebsd.org Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2004 18:53:24 -0000 Mark Skurzynski on Thu, Oct 07, 2004 at 02:50:49PM -0400 wrote: > Hi Fellow Marks, > > I normally don't reply here however the simple solution is to run a 2nd > instance of sshd on any random port you choose, ie. "sshd -f > /etc/ssh/sshd_config_private" or whatever you choose. 
You could then easily > firewall that port and only allow specific IPs to connect. Yes, that was our second idea. But we feel there's got to be a better way. -Mark From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 18:57:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0ABA16A4CF for ; Thu, 7 Oct 2004 18:57:56 +0000 (GMT) Received: from mailbox.wingercom.dk (mailbox.wingercom.dk [81.19.240.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54B3943D53 for ; Thu, 7 Oct 2004 18:57:56 +0000 (GMT) (envelope-from per@xterm.dk) Received: from mailbox.wingercom.dk (localhost.wingercom.dk [127.0.0.1]) by mailbox.wingercom.dk (Postfix) with SMTP id B078393175 for ; Thu, 7 Oct 2004 21:01:58 +0200 (CEST) Received: from 62.242.151.142 (SquirrelMail authenticated user per) by mailbox.wingercom.dk with HTTP; Thu, 7 Oct 2004 21:01:58 +0200 (CEST) Message-ID: <63056.62.242.151.142.1097175718.squirrel@mailbox.wingercom.dk> Date: Thu, 7 Oct 2004 21:01:58 +0200 (CEST) From: "Per Engelbrecht" To: In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu> References: <20041007183400.GA25339@yem.eng.utah.edu> X-Mailer: SquirrelMail (version 1.2.5) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2004 18:57:56 -0000 > Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote: >> On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden >> wrote: >> > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 >> > wrote: >> > > Hi Jim, >> > > >> > > >> > But what if you have 1000 users? 
From my understanding you would >> > have to add all users to the AllowUsers list. >> >> Or simply add all of them to one of the groups specified in >> "AllowGroups". > > Yes I do understand how that would work. Let me better explain what > we would like to do: We have over 9000 users and about 100 > different > groups. We would like to allow root ssh login to our machines but > only from one or two machines. We like to have root login to be > able to run remote commands to all our machines. So is there a way > to limit roots login from one or two machines? Hi Mark This is what I do: Disable root login via ssh entirely and set up 'sudo' and ssh-agents. You can make quite impressive sudo setups. Look at http://www.courtesan.com/sudo/ With this approach the root passwd is safe (both from ssh and from other admins/users) and you can exec any command on any server without the use of a passwd if you use ssh-agents, and every 'sudo' command is logged. You know who did this and that .. and when. Furthermore, add accounting on each server and add a central syslog(-ng) server (if not done already). respectfully /per per@xterm.dk > > -Mark > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 19:10:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D307B16A4CE for ; Thu, 7 Oct 2004 19:10:34 +0000 (GMT) Received: from omoikane.mb.skyweb.ca (64-42-246-34.mb.skyweb.ca [64.42.246.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6248843D5D for ; Thu, 7 Oct 2004 19:10:32 +0000 (GMT) (envelope-from mark@skyweb.ca) Received: by omoikane.mb.skyweb.ca (Postfix, from userid 1001) id 8705962B51; Thu, 7 Oct 2004 14:10:32 -0500 (CDT) From: 
Mark Johnston To: Mark Skurzynski , freebsd-security@freebsd.org Date: Thu, 7 Oct 2004 14:10:31 -0500 User-Agent: KMail/1.6.1 References: <080b01c4ac9e$90584250$0a13a8c0@lomag.net> <20041007185425.GB25539@yem.eng.utah.edu> In-Reply-To: <20041007185425.GB25539@yem.eng.utah.edu> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200410071410.31964.mjohnston@skyweb.ca> Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2004 19:10:34 -0000 Mark Ogden wrote: > Mark Skurzynski on Thu, Oct 07, 2004 at 02:50:49PM -0400 wrote: > > I normally don't reply here however the simple solution is to run a 2nd > > instance of sshd on any random port you choose, i.e. "sshd -f > > /etc/ssh/sshd_config_private" or whatever you choose. You could then > > easily firewall that port and only allow specific IPs to connect. > > Yes, that was our second idea. But we feel there's got to be a better > way. Seems appropriate that a third Mark should chip in here: there is. You can use ~/.ssh/authorized_keys to add restrictions, one of which is "from": from="pattern-list" Specifies that in addition to public key authentication, the canonical name of the remote host must be present in the comma-separated list of patterns (`*' and `?' serve as wildcards). The list may also contain patterns negated by prefixing them with `!'; if the canonical host name matches a negated pattern, the key is not accepted. 
The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key). Apply that to the only key you allow to log in for root, and then set PermitRootLogin to "without-password", heeding the warning in sshd_config(5) about ChallengeResponseAuthentication. I would still encourage you to look at Per Engelbrecht's sudo suggestion; you will very likely want the logging that it provides. However, you should be able to do exactly what you want with this. Mark From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 19:26:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 496E816A4CE for ; Thu, 7 Oct 2004 19:26:34 +0000 (GMT) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 08ECE43D1F for ; Thu, 7 Oct 2004 19:26:33 +0000 (GMT) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost.infracaninophile.co.uk [IPv6:::1])i97JQROG004655 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 7 Oct 2004 20:26:27 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost)i97JQQAF004654; Thu, 7 Oct 2004 20:26:26 +0100 (BST) (envelope-from matthew) Date: Thu, 7 Oct 2004 20:26:26 +0100 From: Matthew Seaman To: Vlad GALU , freebsd-security@freebsd.org Message-ID: <20041007192626.GB4174@happy-idiot-talk.infracaninophile.co.uk> Mail-Followup-To: Vlad GALU , freebsd-security@freebsd.org References: 
<20041007195417.430a8b5c@ariel.office.volker.de> <20041007180630.GA25130@yem.eng.utah.edu> <79722fad041007112227c3c241@mail.gmail.com> <20041007183400.GA25339@yem.eng.utah.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="s/l3CgOIzMHHjg/5" Content-Disposition: inline In-Reply-To: <20041007183400.GA25339@yem.eng.utah.edu> User-Agent: Mutt/1.4.2.1i X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.6 (smtp.infracaninophile.co.uk [IPv6:::1]); Thu, 07 Oct 2004 20:26:27 +0100 (BST) X-Virus-Scanned: clamd / ClamAV version devel-20040904, clamav-milter version 0.75l on smtp.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, hits=-4.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=2.64 X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on happy-idiot-talk.infracaninophile.co.uk Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2004 19:26:34 -0000 --s/l3CgOIzMHHjg/5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Oct 07, 2004 at 12:34:00PM -0600, Mark Ogden wrote: > Vlad GALU on Thu, Oct 07, 2004 at 09:22:16PM +0300 wrote: > > On Thu, 7 Oct 2004 12:06:30 -0600, Mark Ogden wrote: > > > Volker Kindermann on Thu, Oct 07, 2004 at 07:54:17PM +0200 wrote: > > > > Hi Jim, > > > > > > > > > > > But what if you have 1000 users? From my understanding you would have > > > to add all users to the AllowUsers list. > > > > Or simply add all of them to one of the groups specified in "AllowGroups". > > Yes I do understand how that would work. 
Let me better explain what we > would like to do: We have over 9000 users and about 100 different > groups. We would like to allow root ssh login to our machines but only > from one or two machines. We like to have root login to be able to run > remote commands to all our machines. So is there a way to limit roots > login from one or two machines? Before anyone else leaps in, you're going to get a lot of advice saying "don't allow people to ssh into the root account directly: make them log in to their own account, and then use su(1) or sudo(1)." That's good advice. However, to answer the question that was actually asked: Use the PermitRootLogin option in /etc/ssh/sshd_config to force the people who are going to log in to use key-based authentication: PermitRootLogin without-password Then issue each person that should be able to log into the root a/c on the box their own public/private key pair -- i.e. get them to run ssh-keygen(1) -- each key should have a different passphrase usable only by the person it's issued to. Copy the public keys into /root/.ssh/authorized_keys on the target machine. Edit that file to add the 'from="pattern-list"' restriction on use of that key -- see the section AUTHORIZED_KEYS FILE FORMAT in sshd(8). Adding no-port-forwarding, no-X11-forwarding and/or no-agent-forwarding as well is usually a good idea. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 
26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --s/l3CgOIzMHHjg/5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBZZhiiD657aJF7eIRAtKmAJ9EmP+ZPQC3AOGxDAiPKhMahJ8HUACgiSts DK1QWV4FQUcNC0IlwbTwCKM= =QkKa -----END PGP SIGNATURE----- --s/l3CgOIzMHHjg/5-- From owner-freebsd-security@FreeBSD.ORG Thu Oct 7 22:16:15 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0099816A4CE for ; Thu, 7 Oct 2004 22:16:15 +0000 (GMT) Received: from mail.redefine.org (kevin.khimetrics.com [63.241.155.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id C517743D31 for ; Thu, 7 Oct 2004 22:16:14 +0000 (GMT) (envelope-from coggy@redefine.org) Received: from [10.1.1.2] (home.redefine.org [207.192.249.6]) by mail.redefine.org (Postfix) with ESMTP id 6B59629 for ; Thu, 7 Oct 2004 13:14:17 -0700 (MST) Message-ID: <4165A38F.4040009@redefine.org> Date: Thu, 07 Oct 2004 13:14:07 -0700 From: Kevin User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2004 22:16:15 -0000 Jim Hatfield wrote: > Now I want to create a new account on one machine which will be > accessible from the Internet as a whole, to be used for tunnelling of > SMTP and POP3. 
I can't predict what the client IP address will be so I > will have to remove the hosts.allow restriction. Is there any way I > can: have you tried using /etc/login.access? # Login access control table. # # When someone logs in, the table is scanned for the first entry that # matches the (user, host) combination, or, in case of non-networked # logins, the first entry that matches the (user, tty) combination. The # permissions field of that table entry determines whether the login will # be accepted or refused. From owner-freebsd-security@FreeBSD.ORG Fri Oct 8 10:22:55 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 466CE16A4CE for ; Fri, 8 Oct 2004 10:22:55 +0000 (GMT) Received: from highland.isltd.insignia.com (highland.isltd.insignia.com [195.74.141.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9553643D1D for ; Fri, 8 Oct 2004 10:22:54 +0000 (GMT) (envelope-from subscriber@insignia.com) Received: from dailuaine.isltd.insignia.com (dailuaine.isltd.insignia.com [172.16.64.11])i98AMr00018059 for ; Fri, 8 Oct 2004 11:22:53 +0100 (BST) (envelope-from subscriber@insignia.com) Received: from speyburn.isltd.insignia.com (speyburn [172.16.64.16]) i98AMrgF006991 for ; Fri, 8 Oct 2004 11:22:53 +0100 (BST) (envelope-from subscriber@insignia.com) From: Jim Hatfield To: freebsd-security@freebsd.org Date: Fri, 08 Oct 2004 11:22:53 +0100 Organization: Insignia Solutions Message-ID: References: <3203DF3DDE57D411AFF4009027B8C36760563C@exchange-uk.isltd.insignia.com> In-Reply-To: <3203DF3DDE57D411AFF4009027B8C36760563C@exchange-uk.isltd.insignia.com> X-Mailer: Forte Agent 2.0/32.640 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.44 Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: 
list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Oct 2004 10:22:55 -0000 On Thu, 7 Oct 2004 21:14:07 +0100 , in local.freebsd.security you wrote: >Jim Hatfield wrote: >> Now I want to create a new account on one machine which will be >> accessible from the Internet as a whole, to be used for tunnelling of >> SMTP and POP3. I can't predict what the client IP address will be so I >> will have to remove the hosts.allow restriction. Is there any way I >> can: > >have you tried using /etc/login.access? I didn't know about this - thanks. In fact thanks to everyone for the many helpful replies, I have lots of solutions to choose from now! Jim From owner-freebsd-security@FreeBSD.ORG Fri Oct 8 14:28:54 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C60A16A4CE for ; Fri, 8 Oct 2004 14:28:54 +0000 (GMT) Received: from highland.isltd.insignia.com (highland.isltd.insignia.com [195.74.141.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA86843D39 for ; Fri, 8 Oct 2004 14:28:53 +0000 (GMT) (envelope-from subscriber@insignia.com) Received: from dailuaine.isltd.insignia.com (dailuaine.isltd.insignia.com [172.16.64.11])i98ESq00018909 for ; Fri, 8 Oct 2004 15:28:52 +0100 (BST) (envelope-from subscriber@insignia.com) Received: from speyburn.isltd.insignia.com (speyburn [172.16.64.16]) i98ESqgF007135 for ; Fri, 8 Oct 2004 15:28:52 +0100 (BST) (envelope-from subscriber@insignia.com) From: Jim Hatfield To: freebsd-security@freebsd.org Date: Fri, 08 Oct 2004 15:28:52 +0100 Organization: Insignia Solutions Message-ID: References: <3203DF3DDE57D411AFF4009027B8C36760563C@exchange-uk.isltd.insignia.com> In-Reply-To: <3203DF3DDE57D411AFF4009027B8C36760563C@exchange-uk.isltd.insignia.com> X-Mailer: Forte Agent 2.0/32.640 MIME-Version: 1.0 Content-Type: text/plain; 
charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.44 Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Oct 2004 14:28:54 -0000 On Thu, 7 Oct 2004 21:14:07 +0100 , in local.freebsd.security you wrote: > >have you tried using /etc/login.access? Hmm, looks like sshd does not consult this file! I'm connecting as user "mis" and the client machine is 172.16.64.16 so I put this at the bottom: +:mis:172.16.64.16 and it let me in from a different machine. I tried adding this below: -:ALL:ALL but it made no difference. I did HUP sshd. jim From owner-freebsd-security@FreeBSD.ORG Fri Oct 8 16:18:10 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B81D16A4CE for ; Fri, 8 Oct 2004 16:18:10 +0000 (GMT) Received: from corwin.easynet.fr (smarthost143.mail.easynet.fr [212.180.1.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id C452B43D3F for ; Fri, 8 Oct 2004 16:18:09 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from [212.180.127.72] (helo=tatooine.tataz.chchile.org) by corwin.easynet.fr with esmtp (Exim 4.34) id 1CFxRX-0000jp-9I; Fri, 08 Oct 2004 18:18:07 +0200 Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 42952408E; Fri, 8 Oct 2004 18:18:12 +0200 (CEST) Date: Fri, 8 Oct 2004 18:18:12 +0200 From: Jeremie Le Hen To: Jim Hatfield Message-ID: <20041008161812.GC806@obiwan.tataz.chchile.org> References: <3203DF3DDE57D411AFF4009027B8C36760563C@exchange-uk.isltd.insignia.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.6i X-Broken-Reverse-DNS: no host name found for 
IP address 212.180.127.72 cc: freebsd-security@freebsd.org Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Oct 2004 16:18:10 -0000 > >have you tried using /etc/login.access? > > Hmm, looks like sshd does not consult this file! login.conf(5) is indeed the configuration file for login(1), which is not used by sshd(8) with the default configuration. You have to use the `UseLogin' option described in sshd_config(5): UseLogin Specifies whether login(1) is used for interactive login sessions. The default is ``no''. Note that login(1) is never used for remote command execution. Note also, that if this is enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies. If UsePrivilegeSeparation is specified, it will be disabled after authentication. Apart from that, `AllowUsers' and `AllowGroups' have been mentioned multiple times, but it might be easier to use the `DenyUsers' and `DenyGroups' options for the described situation. 
Regards, -- Jeremie Le Hen jeremie@le-hen.org From owner-freebsd-security@FreeBSD.ORG Sat Oct 9 13:49:28 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF3DB16A4CE for ; Sat, 9 Oct 2004 13:49:28 +0000 (GMT) Received: from corwin.easynet.fr (smarthost143.mail.easynet.fr [212.180.1.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C4BF43D1F for ; Sat, 9 Oct 2004 13:49:28 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from [212.180.127.72] (helo=tatooine.tataz.chchile.org) by corwin.easynet.fr with esmtp (Exim 4.34) id 1CGHbB-0002Zw-R0; Sat, 09 Oct 2004 15:49:26 +0200 Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id EDDE1408E; Sat, 9 Oct 2004 15:49:25 +0200 (CEST) Date: Sat, 9 Oct 2004 15:49:25 +0200 From: Jeremie Le Hen To: "Peter C. Lai" Message-ID: <20041009134925.GD806@obiwan.tataz.chchile.org> References: <3203DF3DDE57D411AFF4009027B8C36760563C@exchange-uk.isltd.insignia.com> <20041008161812.GC806@obiwan.tataz.chchile.org> <20041008200739.GF243@cowbert.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20041008200739.GF243@cowbert.net> User-Agent: Mutt/1.5.6i X-Broken-Reverse-DNS: no host name found for IP address 212.180.127.72 cc: freebsd-security@freebsd.org cc: Jeremie Le Hen Subject: Re: Question restricting ssh access for some users only X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Oct 2004 13:49:28 -0000 > Is there a way to enforce sshd login restrictions without using login(1)? > (i.e. I want to enforce a specific umask for all ssh logins). AFAIK this should be achievable using the PAM session facility. But I found no `pam_umask' module. 
BTW it should be pretty easy to implement by deriving from an existing session module such as `pam_chroot'. -- Jeremie Le Hen jeremie@le-hen.org
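The from= restriction that Mark Johnston and Matthew Seaman recommend earlier in this thread for root's key, as an added example that is not part of any post above: a Python script that parses an authorized_keys file (the option syntax of the AUTHORIZED_KEYS FILE FORMAT and the pattern-list rules quoted from sshd(8): `*' and `?' as wildcards, `!' for negation, a negated match refusing the key) and reports every key for root that lacks a from= list or the no-port-forwarding, no-X11-forwarding and no-agent-forwarding options. The sample key file, host names and addresses are constructed and the key material is placeholder text; the `restrict' option and the check against both the canonical host name and the address follow OpenSSH releases later than the 2004 thread, so they are assumptions about current sshd behaviour rather than anything stated above.

```python
"""Audit root's authorized_keys for from= and forwarding restrictions.

Added example, not code from any post in the thread: it implements the
pattern-list rules quoted from sshd(8) ('*' and '?' wildcards, '!' negation)
and enough of the AUTHORIZED_KEYS FILE FORMAT option syntax to report every
key that would still work from anywhere if it were stolen."""
import re
from typing import Dict, List, Optional

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# The three options Matthew Seaman recommends adding alongside from=.
WANTED_FLAGS = ("no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")
# Option field: quoted strings (with \" escapes) or non-blank characters,
# then whitespace, then 'keytype base64 [comment]'.
LINE_RE = re.compile(r'^((?:"(?:[^"\\]|\\.)*"|[^\s"])*)\s+(.*)$')
# One option: a name, optionally '=' and a quoted or bare (up to ',') value.
OPTION_RE = re.compile(r'([^=,\s]+)(?:=("(?:[^"\\]|\\.)*"|[^,]*))?')

def glob_match(pattern: str, text: str) -> bool:
    """Only '*' (any run) and '?' (one char), as in sshd; '[' is literal."""
    if not pattern:
        return not text
    if pattern[0] == "*":
        return any(glob_match(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if not text:
        return False
    if pattern[0] == "?" or pattern[0] == text[0]:
        return glob_match(pattern[1:], text[1:])
    return False

def match_pattern_list(patterns: str, candidates: List[str]) -> int:
    """1 = positive match, 0 = no match, -1 = a negated pattern matched (it
    wins even if a positive one matched too).  Later sshd releases test both
    the canonical host name and the address, so the caller passes both."""
    got_positive = False
    for pat in (p.strip() for p in patterns.split(",") if p.strip()):
        negated = pat.startswith("!")
        body = (pat[1:] if negated else pat).lower()
        if any(glob_match(body, c.lower()) for c in candidates):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0

def split_options(opts: str) -> Dict[str, Optional[str]]:
    """Option names are case-insensitive; a quoted value such as
    from="a,b" may contain commas and \\" escapes."""
    result: Dict[str, Optional[str]] = {}
    for m in OPTION_RE.finditer(opts):
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        result[name] = value
    return result

def parse_authorized_keys(text: str) -> list:
    """(line number, options, key type, comment) per protocol-2 key line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(KEY_TYPES):
            opts, rest = "", line
        else:
            m = LINE_RE.match(line)
            if not m:
                continue
            opts, rest = m.group(1), m.group(2)
        parts = rest.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
            continue  # RSA1 'bits exponent modulus' lines are out of scope
        entries.append((no, split_options(opts), parts[0],
                        parts[2] if len(parts) == 3 else ""))
    return entries

def audit_root_keys(text: str) -> List[str]:
    """One finding per key lacking a from= list or a forwarding restriction
    ('restrict', from later OpenSSH releases, implies all three flags)."""
    findings = []
    for no, options, keytype, comment in parse_authorized_keys(text):
        label = f"line {no} ({keytype} {comment or 'no comment'})"
        if not options.get("from"):
            findings.append(f"{label}: no from= restriction")
        for flag in WANTED_FLAGS:
            if flag not in options and "restrict" not in options:
                findings.append(f"{label}: missing {flag}")
    return findings

# Constructed sample; the key material is placeholder text, not real keys.
SAMPLE = """\
# /root/.ssh/authorized_keys (constructed sample)
from="admin1.example.org,admin2.example.org",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 alice@admin1
from="*.example.org,!*.lab.example.org" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 bob
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 carol@laptop
"""

if __name__ == "__main__":
    for finding in audit_root_keys(SAMPLE):
        print(finding)
    print(match_pattern_list("*.example.org,!*.lab.example.org",
                             ["build.lab.example.org", "10.0.0.5"]))
```

Run against the sample, the audit passes alice's key, flags bob's key for the three missing forwarding options, and flags carol's key for having no from= list at all; the final call shows why a negated pattern belongs at the end of a list: bob's key presented from build.lab.example.org matches `*.example.org' but the `!*.lab.example.org' entry wins and the key is refused. Note that from= only restricts where a key may be used from, so the sudo logging Per Engelbrecht describes is still the only record of what the key holder did once in.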