I want to known is it possible to generate .pem file with some restricted privilege. Like a user with .pem can only list the data but not edit it?
You haven't mentioned what operating system you're using, but it is possible to mark a file as read-only on both Windows and Unix. That permission is independent of whether the connection is over SSH or not, so if you want to make it impossible for SSH users to edit the file, you must restrict logins over SSH to only those users who do not have write permissions and are not the owner of the file.
Related
I two CentOS 6.5 servers and I have a very complex shell script connecting this two servers and make some backups with root user without password. There is some rsa keys for this.
For security purpes I disabled root login on both servers and I tried to change the script to use a user insted of root but it's doesen't work. I have changed the user rights from /etc/sudoers to user ALL=(ALL) ALL.
If I generate another ssh key with ssh-keygen -t rsa it say me that I don't have permisson and if I use sudo ssh-keygen -t rsa he create me a key for root#server.
I think the problem will be solve if I can change the user rights to run sudo comands without "sudo", like root but I don't know if this it's possible.
Thanks!
To maintain security, yet to accomplish this certain work, you need to do the followings:
Create a new user account, for this certain work only.
Give this user an ssh-key to automatically login without password.
The login shell should not be /bin/bash, for obvious security
reason. You can setup SSH connection to run certain program/command
for this specific user. I don't want to explain the details here.
Please search the web for the answer for this.
Since this program needs root permission, and this user is not the
root, you need to setup an effective executable permission as
root (i.e. setuid). To make it only executable by this certain user (and root),
you need to create a new group, set this user to join this group,
and set the program to be executable by this group (chmod 4770, 4
for setuid, 770 to be executable by the group, and the owner). The
program must be owned by root (so that it setuid to root), with the group assigned
to that certain group. The program can be a binary-executable, or a script.
That does not matter.
Caution: Your setuid program/script must be very careful not to
contain exploitable security weaknesses.
I have a user called ec2-user and by this user I am getting connected to my EC2 instance by the help of the pem file I am able to connect to the machine,
Now I have added this user to the sudoers list by this command:
echo 'ec2-user ALL=(ALL) ALL' >> /etc/sudoers
This command executed successfully but after that when ever I want to do sudo its asking for password, when there is no password on the ec2-user.
Now, I have some of the questions:
If this is the wrong way, why Linux allows it to complete the command?
If this is right, then how to give the password?
If this I did in wrong way, how can I come back to my normal situation?
Thanks all
If this is the wrong way, why Linux allows it to complete the command?
No point in blaming Linux, It assumes that you have password set for an user.
If this is right, then how to give the password?
No, you can't provide a pasword because there is no pasword
If this I did in wrong way, how can I come back to my normal
situation?
Only way out is to boot the machine in single user mode and undo your changes. Unfortunately, you cannot boot an EC2 instnace into single user mode. Check with Amazon support whether they can help you with that.
You are pretty have run out of options. Create a new instance and then copy over your data by attaching EBS volume of this instance.
I assume you are using Amazon Linux AMI. For this AMI, by default the only account that can log in remotely using SSH is ec2-user. Also by default, password authentication is disabled to prevent brute-force password attacks. You must provide your key pair to the instance at launch, as you have already done. Please note that ec2-user has sudo privileges by default. When you do sudo, you don't have to enter any password. When you changed the sudoers file manually, you kind of changed the setting to require the password for any sudo operation by user ec2-user. Sorry that I don't know a easy way to get back to normal. I would suggest launching a new AMI instance and terminating your old one.
I am writing script which contains smbget -u user -p password smb://host/share/file command. Is there any way to hide password parameter in this script? Script will be used on computer which is shared by multiple users. I want to give them opportunity to download file without showing my password.
The comment provided by Marc is correct. You can work around the problem by using mount.cifs (possibly via AutoFS if required) and taking advantage of the credentials option during mount - that option allows you to store the password in a non-user readable location.
mount.cifs //some/server /mnt/somewhere -o credentials=/root/credentials_file ...
Your script could mount this location and retrieve the file for the user (or just give the users access to the location). You'd need to have an appropriate entry in your /etc/fstab file or configured with AutoFS to make it work with your script.
An alternative would be to write the script using something which can be compiled - it's not secure for a number of other reasons, but might fit your bill.
I'd like to edit Solr configuration files on my linux box via a samba share. The files need to be tomcat6:mygroup, but when I edit the files via windows, it writes them as myuser:mygroup. Is it possible to change the write settings for a single samba share so it preserves the existing user, group and permissions?
Is this something that can be done via Samba configuration, or is something trickier needed?
You should include an appropriate force user statement into your smb.conf. I'm assuming your Samba share's name is smbshare:
[smbshare]
....
force user = tomcat6
....
You can find out more details via man smb.conf. The important points are: tomcat6 needs to be a user on the system. Your connection to the [smbshare] needs to take place with valid user credentials. Once connected all file operations will be performed under the credentials of tomcat6 though. (You don't seem to want an additional setting of force user = ..., which is also possible....)
Update: You said you wanted to "preserve the existing user, group and permissions". Note, that my suggestion doesn't do that. It forces all edited files to be owned by tomcat6:mygroup instead of preserving the original settings. Maybe this is good enough for your purpose.
I use rsync to mirror a remote server. It is said that using a root password with rsync is dangerous, so I created a special rsync user. It seems to work fine, but cannot copy some files because of file permissions. I want to mirror whole directories for backup, and I guess this cannot be done without using root password, I mean if root does not give permissions on a specific files, no other account can read them. Is there other solutions and why shouldn't I use root account in rsync (I only do one way copying, that does not effect source).
If you want the whole server, then yes, you need root. However, instead of "pulling" (where you have a cron on your local server that does "rsync remote local"), can you possibly do it by "push" (where you have a cron on the remote server that does "rsync local remote"?) In this case, you won't need to configure the remote server to accept inbound root connections.
One option is to use an ssh login as root, but using ssh pubkey authentication instead of a password. In general, pubkeys are the wya to go, if you want to automate this later.
You'll want to look into the PermitRootLogin sshd_config setting, in particular the without-password setting or, if you want to get even more sophisticated and (probably) secure, the forced-commands-only setting.
Some useful links:
http://troy.jdmz.net/rsync/index.html
http://www.debian-administration.org/articles/209