Gentoo Forums
RUNNING OPENSSH NON-PRIVILEGED
nikolei
n00b


Joined: 15 Dec 2003
Posts: 37

PostPosted: Mon Dec 15, 2003 10:34 am    Post subject: RUNNING OPENSSH NON-PRIVILEGED

Here I want to show how to run the ssh server openssh as a non-privileged user. This should result in greater security, because if someone was able to use the running service to break into the system, then he can only act with the rights of the running process. Normally, ssh runs with root privileges. This configuration example is only useful if ssh is used for system administration, because it will accept only one user.

First we have to make a suitable configuration for our non-privileged ssh server. We can find the main configuration in /etc/ssh/sshd_config. Here we bind the server to the address 192.168.1.2 and let the server listen on the non-privileged port 61524. You are free to use any port above 1023. We allow access only for the user nikolei and enable rsa-authentication.

/etc/ssh/sshd_config
Code:
Port 61524
Protocol 2
ListenAddress 192.168.1.2
AllowUsers nikolei
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys2
Subsystem sftp /usr/lib/misc/sftp-server


The user nikolei has the home directory /home/nikolei and the shell /bin/su. So, after logging into the system using a cryptographic key, the user nikolei has to give the root password. Under Gentoo Linux, you have to put the user nikolei into the group wheel. Otherwise he would not be able to use /bin/su.

After that we have to change the ownership of all the configuration files to the user nikolei. This can be done by executing:

Code:
chown -R nikolei /etc/ssh


In order to start the openssh server at system startup, we have to make some changes to the runscript /etc/init.d/sshd.

/etc/init.d/sshd
Code:
#!/sbin/runscript

depend() {
    use logger dns
    need net
}

checkconfig() {
    if [ ! -e /etc/ssh/sshd_config ] ; then
        eerror "You need an /etc/ssh/sshd_config file to run sshd"
        eerror "There is a sample file in /usr/share/doc/openssh"
        return 1
    fi
    gen_keys
}

gen_keys() {
    if [ ! -e /etc/ssh/ssh_host_key ] ; then
        einfo "Generating Hostkey..."
        /usr/bin/ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
    fi
    if [ ! -e /etc/ssh/ssh_host_dsa_key ] ; then
        einfo "Generating DSA-Hostkey..."
        /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N ''
    fi
    if [ ! -e /etc/ssh/ssh_host_rsa_key ] ; then
        einfo "Generating RSA-Hostkey..."
        /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
    fi
}

start() {
    checkconfig || return 1
    ebegin "Starting sshd"
    # if [ -f /var/run/sshd.pid ]; then
        # echo "PIDFile var/run/sshd.pid already exists!!!"
        # echo "Cannot start sshd!!!"
    # fi
    start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid \
    --startas /usr/sbin/sshd --chuid nikolei
    eend $?
}

stop() {
    ebegin "Stopping sshd"
    start-stop-daemon --stop --quiet --pidfile /var/run/sshd.pid
    eend $?
}


There is one problem with this configuration. The openssh daemon wants to create the pid-file /var/run/sshd.pid. But only root is allowed to do so, not the user nikolei the server is running as. There are three ways to handle this problem:


  1. You can go into the source and change the directory in which the openssh server wants to create its pid-file,
  2. You can change group memberships or similar things, so that the user nikolei is able to create a file in /var/run/, with all consequences,
  3. or you just run the runscript above (not very clean, but it works, as long as you do not restart the service).


Last but not least we have to assign the runscript to a runlevel, i.e.:

Code:
rc-update add sshd default


and execute it:

Code:
/etc/init.d/sshd start


Finished.


Last edited by nikolei on Mon Dec 15, 2003 11:57 am; edited 1 time in total
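A configuration audit for the setup in this post, as an added example that is not part of the original post: it reads an sshd_config and checks the settings the how-to relies on (a port above 1023, Protocol 2, a ListenAddress, AllowUsers naming only the one admin user, PermitRootLogin no, public-key authentication on). The PasswordAuthentication check and the sample config in demo_audit are assumptions of this example, not settings from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# single-admin-user, non-privileged sshd setup described above. Prints one
# line per failed check and returns the number of failures (0 = all passed).
# Usage: sh audit.sh /etc/ssh/sshd_config nikolei   (no args: run the demo)

# Print the value(s) of a keyword; sshd matches keyword names case-insensitively.
cfg_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; print substr($0, 2) }' "$1"
}

audit_sshd_config() {
    file=$1 user=$2 fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    port=$(cfg_value "$file" Port)
    case $port in
        ''|*[!0-9]*) fail "Port must be a single number above 1023 (found '$port')" ;;
        *) [ "$port" -gt 1023 ] || fail "Port $port is privileged; use one above 1023" ;;
    esac
    [ "$(cfg_value "$file" Protocol)" = 2 ] || fail "Protocol must be exactly 2"
    [ -n "$(cfg_value "$file" ListenAddress)" ] || fail "ListenAddress must be set"
    # Exactly one AllowUsers line naming only the admin user; anything else fails.
    [ "$(cfg_value "$file" AllowUsers)" = "$user" ] || fail "AllowUsers must list only '$user'"
    [ "$(cfg_value "$file" PermitRootLogin)" = no ] || fail "PermitRootLogin must be no"
    [ "$(cfg_value "$file" PubkeyAuthentication)" = yes ] || fail "PubkeyAuthentication must be yes"
    # Assumption of this example: sshd running as a normal user cannot read
    # /etc/shadow, so password logins cannot work; require them to be off.
    [ "$(cfg_value "$file" PasswordAuthentication)" = no ] || fail "PasswordAuthentication must be no"
    return "$fails"
}

# Demo on a constructed config: the post's settings plus PasswordAuthentication no.
demo_audit() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
Port 61524
Protocol 2
ListenAddress 192.168.1.2
AllowUsers nikolei
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    audit_sshd_config "$tmp" nikolei; rc=$?
    rm -f "$tmp"
    return "$rc"
}

if [ "$#" -ge 2 ]; then audit_sshd_config "$1" "$2"; else demo_audit; fi
```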
vdboor
Guru


Joined: 03 Dec 2003
Posts: 592
Location: The Netherlands

PostPosted: Mon Dec 15, 2003 10:53 am    Post subject:

This method looks very nice. (and since I'm the only remote user on my system.. :D)

However, I'm wondering, does this also work with password authorisation, and could you post a diff against your original init.d script?

thanks a lot.
_________________
The best way to accelerate a windows server is by 9.81M/S²
Linux user #311670 and Yet Another Perl Programmer

[ screenies | Coding on KMess ]
nikolei
n00b


Joined: 15 Dec 2003
Posts: 37

PostPosted: Mon Dec 15, 2003 11:54 am    Post subject: password authorisation and init.d diff

Hi,

I have not tested it with ordinary password authorisation and I am unsure whether it would work. Access to /etc/shadow is only granted for root, and here sshd runs as user nikolei. So I don't think it would work.

Changes to the /etc/init.d/sshd I have made are only the lines I have commented out in the start-section. Additionally, I have added --chuid nikolei to start-stop-daemon --start --quiet --pidfile. That should be all.

nikolei
jesterspet
Apprentice


Joined: 05 Feb 2003
Posts: 215
Location: Atlanta

PostPosted: Mon Dec 15, 2003 11:01 pm    Post subject:

and this is better than
Code:
UsePrivilegeSeparation yes
how :?:
_________________
(X) Yes! I am a brain damaged lemur on crack, and would like to buy your software package for $499.95
nikolei
n00b


Joined: 15 Dec 2003
Posts: 37

PostPosted: Tue Dec 16, 2003 7:07 am    Post subject:

Hi,

it's a good point you have made. As I understand it, using UsePrivilegeSeparation shields you at least from one known remote hole (that was hopefully fixed). But it is a security improvement anyway.

But let's have a look at the manual:

Code:
UsePrivilegeSeparation

             Specifies whether sshd separates privileges by creating an
             unprivileged child process to deal with incoming network traffic.
             After successful authentication, another process will be created
             that has the privilege of the authenticated user.  The goal of
             privilege separation is to prevent privilege escalation by
             containing any corruption within the unprivileged processes.  The
             default is ``yes''.


As I understand it, the authentication itself is handled by the parent process, i.e. sshd itself (normally running privileged). So every exploit that targets a connection that is not yet established (from the application's point of view) will result in root rights.

The option UsePrivilegeSeparation will create a child process after authentication. So an exploit targeting an already established connection (as far as I know, there is only one exploit like that) will only result in the rights the child process has (a good thing).

As far as I know, the weak point of ssh is always the authentication, key exchange etc. that take place first (running privileged).

nikolei
All times are GMT