Scenario 1
Imagine, you have several Admins, all they have their own ser name like tom, john, adam. They all are able to be root. This means that everyone could be root at the same time and issue sensitive commands. Is there a way to determine afterwards who has logged in as root AND who has used which command as root? For example, Tom logged in as root and rebooted the server, or John logged in as root and restarted Tomcat, etc.
Scenario 2
Similar to scenario 1, with the difference that the admins do not have a personal user name, but use a shared user and then log in as root. In this case, is it possible to check afterwards who logged on with the shared username and what he did afterwards as root? Is this logged in the system (IP or other data)
__
Can you recommend a simple, lean authorization concept for root users, with which you can see who did what on the servers? Access to the server should remain largely simple, e.g. via mRemote.
Here is what I think could somehow work for :
Senario 1
You can always watch the content of ~/.bash_history but the user can edit/remove the file.
Also if the user uses su and not sudo, you won't see anything
Senario 2
You can use the sshd logs to see who connected using what have been done here https://serverfault.com/questions/130482/how-to-check-sshd-log
Or in the ~/.bash_login file you can log the $SSH_CLIENT into something (sent it with curls, echo it into a log file), but here also keep in mind that user can edit ~/.bash_login
Related
I am learning Linux and I am learning how to communicate with other users. I am using Ubuntu.
I already have an existing user, and when I try to use the command write to communicate with other user
write lex pts/5
an error pops out:
write: you are uid 1000, but your login is as uid 1001
I thought the shell will allow communication in different uids, but it cannot?
Is there any ways to fix this?
change your UID to 1001
You don't have to create a new user account, promote it to admin, log out, log in to the new admin account, change your primary account's UID, log out, log in to your primary account then delete the new admin user just change your UID. ;)
You can boot into recovery mode (it's an option that appears when you start up your computer, or hold shift right after the BIOS messages complete). This will log you in a root session. Being logged in root and not your usual user account, you will be able to modify your UID.
Because the recovery mode only works in command line interface, once logged into a root session, you will have to:
Use BubbaJ's instructions to remount the root file system in read-write mode: mount -o remount,rw /.
Use Luis Alvarado's command: usermod -u NEW_UID your_username.
Follow ddeimeke's instructions to update file permissions.
Then, reboot your computer (reboot), so you can boot in normal mode.
i want to save the user's IP when he connects to it's home folder, this is because i'm a user in a server where my team has a folder where our public_html is located, but we use the same account, so i just want to register who connected.
So i want to make a script that triggers when a connection is made and save the user's IP into a hidden file.
But i don't know if i could leave running a script in background to do it, and How?
If you're a root on that machine, you can simply check the auth log / messages / journal / ... (depends on the distribution). By default sshd logs all you need already.
If you're not a root, then you'll have to keep in mind this will never be secure. You can do this in the user's bash profile, but:
Since it's running as the same user, whoever logs in can just change the file (you can't hide it)
Anyone can workaround the script by executing some other command instead of the shell (for example ssh user#host /some/command will not be logged)
It's not secret.
If that's ok with you, then you just need to add this to bashrc
echo "new connection at $(date) from ${SSH_CLIENT}" >> ~/your_connection_log
Different solution, which should've been the default actually. Most distributions provide login history which you can request for your account without root privileges.
Running last your_username should give you the details of last few logins which cannot be manipulated by the user. (the log can possibly be spammed with entries however)
The question seems to be quite confusing plz go through it slowly.
We have 2 servers loadbuild/clearcase in which every user has a unique ID and another one is the lab(running on wind-river linux) to which any loadbuild/clearcase user can ssh as **root**#192.xxx.x.x from the loadbuild/clearcase server.
If you observe every loadbuild/clearcase user accesses the lab as a same user i.e. root I wish to find out which user has logged in to the lab and at what time or has given an ssh **root**#192.xxx.x.x from loadbuild/clearcase server to the lab.
You can try following commands on all your servers and see the logging details.
utmpdump /var/log/wtmp
If you login as root/or any other user, then that detail will be avialble on your loadbuild/clearcase server.
The lastlog command will show you who's logged in, when they logged in, and from where they came from.
Sample output:
Username Port From Latest
root pts/1 192.168.1.150 Wed Dec 18 16:57:55 -0500 2013
I'm use an Debian based OS here on my work an i've configured the service for test routines of ERP app...
This service (Tomcat+Java service) it's consumed via HTTP on intranet correctly...but the test leader sometimes need chance the database used by service application and uses SSH to access my machine to change database on config file and restart the service...eventually this person change some service or O.S. config throwing problems to me (on my O.S and others things..).
What i want know is if can i change my password only for SSH service (doesn't change to my KDE/Gnome session), just because the company's policy requires everyone to have a default password on stations...
Remebering that i'm a manager of config, maintenance and others jobs of service to test team...and change database solicitations can made to me.
A simple example:
KDE login if user 'carlos' and password '123456'
SSH login if user 'carlos' and password '4nyJokeHere'
That it's possible ?
Thanks in advance.
Possible? Maybe. You'd probably have to fiddle with pam.d to get SSH authenticating via a different mechanism to KDE etc.
Coming from a different angle, I may be missing something, can you not create a second user for the SSH process, keeping your main user for KDE etc cleanly separate?
I'd really strongly recommend trying to "split" a user into multiple purposes/security groups with differing passwords for each!
You can use authorized_keys to restrict the SSH commands available, and/or sudo...
Update: Some expansion on the subject as requested by the OP
You can limit commands available via SSH by using ~/.ssh/authorised_keys file - see O'Reilly for a good explanation.
I'm was solved this case applying a single rule here. On SSH service i'm was locked access of my user 'carlos --> sudoers' and enable access only for a user called 'padrao' (padrao translated to english is 'default').
This user 'padrao' doesn't have sudoers permissions. If i needed access with SSH my machine i'm do:
ssh padrao#my.intranet.machine
password: ***
$ su carlos
password: ***
This is not the best way to solve, but solved my problem here.
Thanks.
I have written a simple application to authenticate user using PAM the common way: pam_start(), pam_authenticate() + my own conversation function + pam_end().
If application is run under the user who's credentials are being checked, authentication is succeeded. Otherwise, if application is run from user A to check credentials of user B, the authentication is failed. (
My question: why? As a service name passed to pam_start() I have tried also login as well as passwd. Nothing has changed. Which direction to go to debug the problem? Or possibly I should use another pam service to perform the task?
p.s. user 'A' in the second case is a user with no password and /bin/false shell.
How are you checking the "credentials"? Is it some file being read? Can user A read that file?
Service name passed to pam_start does not affect what the process can do. Note that programs that need to do similar things, like su or passwd are actually setuid programs.
Also, watch out not to create security holes in your application/module by allowing user A to impersonate user B.
User A might not have the permission to read the password file /etc/shadow. This is one reason why credential checking programs usually require root privileges.
So: Does it work for user A and user B if you execute the program with root privileges / as the root user?