I have several actions that need to be performed on a network of servers.
for these actions i have two options:
manually, this will take a lot of effort and potentially i will need to do it over and over again on different networks.
automatically, with scripts or ansible that do not allow password prompt when connecting with ssh.
some of these actions require root access. for example, the
useradd and groupadd commands need to be used.
also, i will need to change several files in etc and in var folder.
in terms of security, is it safe and acceptable to require passwordless root ssh access so that ansible or others will be able to do it?
if not, is it possible to add an official reference? preferably redhat site or other.
notice that using a sudoer user is not permitted.
I would say no, "passwordless root ssh access" is not secure. However, you can use key based authentication via ssh as root. In other words you can do what you want to do, just not exactly how you described it.
Adding users and groups is a very typical config mgmt task, and a perfect job for ansible. I would suggest creating an ansible playbook that uses the user and group modules rather than running the raw useradd and groupadd commands (See example below). However, this will require setting up the necessary ssh key based authentication.
Ansible can help with that task as well, but you'll have to authenticate with a password in order to setup the key based auth.
https://docs.ansible.com/ansible/latest/modules/user_module.html
https://docs.ansible.com/ansible/latest/modules/group_module.html
- name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
user:
name: johnd
comment: John Doe
uid: 1040
group: admin
Related
linux security and root access question....
I'm setting up a server that has a validator node running on it for a substrate-based blockchain. I was trying to harden the security of my server. I set up ufw for all ports but those necessary for the node to operate. I set up 2FA, SSH with ed25519, and then I was spending time trying to figure out, if for some crazy reason someone got in... how could I stop someone from using systemctl or poweroff with sudo privilages. The goal is maximize uptime and remain in sync with the other nodes at all times.
Anyways, I started blocking bash commands for the user account that allows SSH and blocked SSH to root. Then I blocked a few more commands and thought, what if someone could find their way around this? So, I just started blocking too many things lol. Even though I disabled sudo for the user and blocked a number of commands the user could still use systemctl and stop the service for the node. Eventually I found this guide on how to only allow a few commands for a user.
Update: I didn't properly remove the user from the sudo group. Afterwards they could still use systemctl but the system then allowed systemctl to pop up with an input for the root user password for authentication. Anyways, I just wanted something simple yet secure sooo....
I ended up removing all of the commands from the user and symlinked the su command and renamed it to a random command that only I know. All of the other commands done by the user respond with
-rbash: /usr/lib/command-not-found: restricted: cannot specify /' in command names
I took away bash history and bash autocomplete/tab completion. Now the only thing you can do is guess commands that will get you to the point where you still have to get past my root password. Is there a way for hackers to scan for available commands when there is only one available that is masked in this way?
Anyways, I'm saying all of this because I have always heard best security practices involve "disabling root". Sometimes I see it as just disable root SSH, which i already have done, but sometimes i read it like disable the root account. Some say disable the password and try to divvy it up with sudo privileges so it's more traceable to individual users.
In my case I need to preserve root access in some way but I basically hid everything within the root user. So, if anyone gets access to root it's over. But, it's behind 2FA, SSH, and an unknown command that just gets to where you can try a password to access root.
Am I thinking about this "disable root for security" all wrong and I should disable it completely or does it make sense what I've done so far?
You can also create a SSH key and use this to login to a Linux server, instead of using a password, and do not share your private key.
The following link is a tutorial on how to create a SSH key one, https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/
You could also add user filtering with AllowUsers option in sshd_config file:
AllowUsers admin1#192.168.1.* admin2#192.168.1.* otherid1 otherid2
This allows admin1 and admin2 only from 192.168.1.* addresses and otherid1, otherid2 from anywhere.
i tried to create user "support" with password and listed on etc/sudoers under root account :
#User Privilege Specification
root ALL=(ALL:ALL) ALL
support ALL=(ALL:ALL) ALL
But whenever i use command "sudo su" it just ask the support password and gain the root access. i want the user "support" use root password (not his password) to gain root access.
this is some detail information that what i want :
some VM had been setup by another Sys Admin and when i use command "sudo su" and put support's password it comes notification
user support is not allowed to execute '/bin/su' as root on localhost-server
thank you very much
The behavior you describe is typical for debian based distributions, others follow others setups. Once you think about it you will agree that this actually does make sense from a security point of view: the root password does not have to get shared, so it is not forgotten and does not have to be re-shared with every change. Instead sudo allows a fine grained selection of what single users can do or not, so permissions can also be retracted which is not possible if you use the traditional approach to share the root password.
That said I suggest you start reading the documentation, namely the manual pages of the sudo command suite. At the end of man sudo_root you will find the exact answer of what you ask:
It is possible to "revert" the behavior to the traditional approach by setting a root password, but that is discouraged for security reasons.
This is not a code-related question.
Then don't use sudo. simply use su root or su (which without arguments implies user root), and enter the root password.
I two CentOS 6.5 servers and I have a very complex shell script connecting this two servers and make some backups with root user without password. There is some rsa keys for this.
For security purpes I disabled root login on both servers and I tried to change the script to use a user insted of root but it's doesen't work. I have changed the user rights from /etc/sudoers to user ALL=(ALL) ALL.
If I generate another ssh key with ssh-keygen -t rsa it say me that I don't have permisson and if I use sudo ssh-keygen -t rsa he create me a key for root#server.
I think the problem will be solve if I can change the user rights to run sudo comands without "sudo", like root but I don't know if this it's possible.
Thanks!
To maintain security, yet to accomplish this certain work, you need to do the followings:
Create a new user account, for this certain work only.
Give this user an ssh-key to automatically login without password.
The login shell should not be /bin/bash, for obvious security
reason. You can setup SSH connection to run certain program/command
for this specific user. I don't want to explain the details here.
Please search the web for the answer for this.
Since this program needs root permission, and this user is not the
root, you need to setup an effective executable permission as
root (i.e. setuid). To make it only executable by this certain user (and root),
you need to create a new group, set this user to join this group,
and set the program to be executable by this group (chmod 4770, 4
for setuid, 770 to be executable by the group, and the owner). The
program must be owned by root (so that it setuid to root), with the group assigned
to that certain group. The program can be a binary-executable, or a script.
That does not matter.
Caution: Your setuid program/script must be very careful not to
contain exploitable security weaknesses.
Related to my question: "How can I configure Cassandra to create files with custom rights?". I'm trying to approach the problem from the OS level.
Given two different Linux users - cassandra and tomcat7 - can I give tomcat7 read access rights to all the files which have read access rights by cassandra? The files are only o+rw (so I can't play around with groups); Cassandra keeps creating new files all the time so setting the group permissions manually isn't an option.
You could try changing the default file permission of the cassandra user using umask, assuming the mask isn't hard coded into Cassandra. This would allow you to add tomcat7 to the default cassandra user group with read/write access.
Somewhere in the shell profile or other config file for cassandra there is likely to be a line referencing umask with a setting of 077 or 0077. Replacing the first 7 with a 0 will allow rw for the group on all new files created. It is likely to be in the shell profile as it has it's own user, but it is sometime part of an application configuration file. You will of course need to change the file permissions of existing files, but this should be trivial.
The man pages don't do a brilliant job at explaining the ins and outs of the umask, but there is a nice tutorial on Understanding umask settings on Nix Craft. However, to guard against link rot, googling "linux umask" chucks up a whole bunch of tutorials from everyman and his dog.
There are two ways to do this
1) alter the uid in the password file to be the same for cassandra and tomcat7. Add cassandra and tomcat7 to the same set of groups
To show this actually works
a) add a user, I used the command
sudo adduser likeme --shell /usr/bin/zsh
I added a different shell so it is immediately apparent that this entry is being used
b) alter the uid in the /etc/passwd file. I used this command and edited the file so that the uid for my normal login (jamie) is used as the uid for the new user.
sudo vipw
c) test the new user. Here is what happens
$ who am i
jamie pts/10 2013-11-06 19:04 (:0.0)
$ sudo su - likeme
%
Note the prompt has changed because a different shell is being used. However:
% id
uid=1000(jamie) gid=1000(jamie) groups=1000(jamie)
It still says I am me!!
This is because in a fundamental way the two users are the same. You might say that there are two usernames but only one user.
2) configure sudo to allow tomcat7 to become cassandra
tomcat7 ALL = (cassandra:cassandra) ALL
Assuming you are also interested about non-system users which are supposed to be allowed to act as the other user, I would just allow him to log on as the other user.
If you are reluctant to just give him the password of the other user, then you can allow him to log on via ssh (locally) and pre-shared keys. For this, generate a key (ssh-keygen), store it in ~cassandra/.ssh/ and put the public part also in ~tomcat7/.ssh/authorized_keys. User cassandra should then be able to just switch to the other user using ssh tomcat7#localhost.
I want to build a web based admin tools that allow the system admin to run pre-configured commands and scripts through a web page (simple and limited webmin), what is the best approach?
I already started with Ubuntu installing LAMP and give the user www-data root's privileges !!!
as I learned (please check the link) this is a really bad move !!!, so how to build such web-based system without the security risk?
cheers
I did something like this a couple of years ago. It was (I like think) fairly secure and only accessible to a limited number of pre-vetted, authenticated users, but it still left me with an uneasy feeling! If you can avoid doing it, I'd recommend you do :)
I had a database sitting between the frontend web-tier and the script which was actually executing actions. The relevant table contained a symbolic command name and an optional numeric argument, which was sufficient for my needs. This allows you to audit what's been executed, provides a quick and dirty way to have a non-www user do things, and means if the website is compromised they're constrained by the DB structure (somewhat) and the script which pulls data from it.
The data from the DB can be read by a daemon running in a separate, unprivileged account. The daemon pulls and sanitises data from the DB and maps the 'command' to an actual executable (with a hard-coded map, so commandA executes A, commandB executes foo, and anything else would get flagged as an error). The account can be locked down using AppArmor (or SELinux, I imagine) to prevent it from executing, reading or writing anything you don't expect it to. Have a system in place to alert you of any errors from either the daemon or AppArmor/SELinux.
The executables which the daemon runs can be setuid'd if appropriate, or you can use the sudoers mechanism to allow the unprivileged account to execute them without a password.
I already started with Ubuntu installing LAMP and give the user www-data root's privileges
Don't do this.
If you really want to execute some very specific scripts under root privileged. Create such predefined very limited scripts, allow their password-less execution with sudo for specific user and then run them via script and don't forget authentication.
Generally this is bad idea.
SSH is your best friend.