Add User to Saltstack for PAM and CherryPy - cherrypy

I'm trying to get the SaltStack salt-api working...
I've added my external_auth configuration to /etc/salt/master
external_auth:
pam:
myuser:
- .*
According to docs, this gives username myuser permission to run all modules on the minions.
I've also added this to /etc/salt/master:
rest_cherrypy:
port: 8000
ssl_crt: /etc/pki/tls/certs/localhost.crt
ssl_key: /etc/pki/tls/certs/localhost.key
I can successfully connect to https://localhost/login:8000 but my question is, how do I add myuser and specify a password? How does salt-api know about myuser?

You've specified external PAM auth which:
"respects the current PAM configuration in place, and uses the 'login' service to authenticate.". It means that:
This is just plain system user
In order to add/modify user you can simply:
useradd -r myuser
echo 'myuser:mypassword' | chpasswd

Related

Just registered GitLab runner and getting Authentication failure when using shell type

Just installed GitLab runner service and tried to run a basic job.
I got the following output:
Password: su: Authentication failure
ERROR: Job failed: prepare environment: exit status 1. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
Googling, I found that the contents of the .bash_logout may be a problem, but my .bash_logout was blank. I created and added ssh keys for the gitlab-runner user, and was able to manually clone via ssh, but I can't get the job to run. Anyone experienced this that can offer a suggestion?
I found the issue was in the pam file. root couldn't su to gitlab-runner
Background story: GitLab runner is running as root user, in order to retrieve for example the /etc/gitlab-runner/config.toml file. If your gitlab-runner is already running rootless you might want to remove the --user gitlab-runner from the systemd service file. However, most likely your Gitlab Runner is running as root.
If you increase the security on your host machine and disable the root user and the su command. You could enable this again by editing /etc/pam.d/su file and set:
auth sufficient pam_rootok.so
Or only allow the root user to use the su command to only switch to the gitlab-runner user (without password):
auth [success=ignore default=1] pam_succeed_if.so user = gitlab-runner
auth sufficient pam_succeed_if.so use_uid user = root

Password for default system user created in JupyterHub

I am running Jupyter-Hub with default authenticator and default spawner. Logged in to Jupyter-Hub with system username (admin). I added a new user called user1 in JupyterHub web console. The user got created in both the machine and Jupyter-Hub server as I added c.Authenticator.create_system_users = True in the config file. When I checked the machine users, user1 is added because of the above property added in the config file. Can anyone tell me what is the password for user1 as there is no password option to be given in Jupyter-Hub? I tried with empty, user1, 12345 and 123456.
I was trying to switch user by using su command. i.e su user1. It asks for the password.
when i cat /etc/shadow this is what i got,
user1:*:121212:0:99999:7:::
As stated in the docs (https://github.com/jupyterhub/jupyterhub/blob/master/docs/source/getting-started/authenticators-users-basics.md#use-localauthenticator-to-create-system-users), this option essentially acts like the adduser command. Even on command line this just creates the user, you cannot login to this user before you set a password via the passwd command.
Also, like the docs said, it is not recommended when JupyterHub users are directly mapped onto UNIX users, probably in part because of this password limitation...

how to control users login on Linux machine according to configuration file

I have Linux red-hat machine version 6.x
This machine is a server machine that serve many users ( 2000 diff users that login to this machine )
Login/password
Login – root
Password – Pass123
But on Some users I want to disable the login access
And all other users I want to enable the login access to the machine
As the following way
I want to create file - /etc/logins_users.txt
#Users disable/enable
Uhdwe 0
Hdec 0
Tfsge 1
Okdejb 0
Wfdxdswh 1
.
.
.
.
.
.
remark - User name is Uniq Name
So if user get value 0 then the access to the server is denied
but if value is 1 then users will login to the server
So the Question is how to disable/enable users login according to the file /etc/logins_users.txt ?
If you are using PAM to authenticate, you may use the pam_listfile.so module to achieve this: http://linux.die.net/man/8/pam_listfile
Basically you create a file here e.g. /etc/logins_users.txt with content
user1
user2
user3
and in your PAM configuration for e.g. /etc/pam.d/sshd you need to add:
auth required pam_listfile.so item=user onerr=fail sense=allow file=/etc/logins_user.txt
Doing so allows all users specified in your file to login via SSH.
nano /etc/ssh/sshd_config
Append following names (directives):
DenyUsers User1 User2 WhatEverYouLike
DenyGroups root finadmin WhatEverYouLike
Save, restart sshd

Cant connect to FTP with newly created account

I am trying to connect to a new user account I created via SSH with the command
useradd -s /bin/false -d /home/username james
I added/edited the password via SSH with the command
passwd james
When trying to connect to my server using this user and pass via FileZilla I get the following error messages.
Response: 331 User James OK. Password required
Command: PASS *****
Response: 530 Login authentication failed
Error: Critical error
Error: Could not connect to server
When I try to login with this user/pass through SFTP I get the following error messages
Status: Connected to domain.com
Error: Connection closed by server with exitcode 1
Error: Could not connect to server
Either way it seems it doesn't allow me to use this newuser anywhere.
My server details
Linux 2.6.18-308.11.1.el5 GNU/Linux
(Red Hat 4.1.2-52)
Centos
Regarding FTP, the FTP server commonly used on Linux systems requires users to have a shell that's listed in the file /etc/shells. For example, this online ftpd man page says that, among other things, "The user must have a standard shell returned by getusershell(3).". The page for getusershell() shows that it reads shells from /etc/shells.
You could probably make FTP work adding /bin/false to /etc/shells. Your Linux system might have a more suitable shell available, like /usr/sbin/nologin.
Regarding SFTP, the ssh server normally provides SFTP service by by invoking a program called sftp-server. If you examine the server's sshd_config file, you'll probably find a line like this:
Subsystem sftp /usr/lib/openssh/sftp-server
sshd runs the subsystem program as a shell command, using the user's shell. If you set the user's shell to /bin/false, then sshd ends up running the command:
/bin/false -c /usr/lib/openssh/sftp-server
/bin/false ignores its command-line arguments and exits with code 1, so the SFTP client's session drops immediately after it starts.
sshd has an internal SFTP server component that can be used instead of the external program. The usual way of limiting SSH access to SFTP for some users is to set up a Match group within sshd_config, forcing the internal-sftp command for certain classes of users. Here are a couple examples of that:
http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP#SFTP-only_Accounts
https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
Dont use "-s /bin/false". Use "-s /sbin/nologin" instead and it should be fine.
Make sure your account password hasn't expired. Mine did, and Filezilla exited with error code 1.
After logging onto the server and updating the account password (prompted immediately after connecting), I am now able to connect with SFTP & Filezilla.
Probably is a password related issue, check account
chage -l <user>
account must not be expired.
FTP doesn't allow /usr/sbin/nologin user
Response: 220 Welcome to the Scent Library's File Service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
filezilla 530 error - but password is correct
vsftpd: 530 Login incorrect
530 Login or password incorrect!
How can I connect via FTP using FileZilla? I get a 530 error.
Response: 220 Welcome to Test FTP service.
Command: USER ftpuser
Response: 331 Please specify the password.
Command: PASS ******
Response: 530 Login incorrect.
Error: Critical error
Error: Could not connect to server
Change user's shell
usermod -s /usr/sbin/nologin username
Then edit "/etc/shells" file and add this line
/usr/sbin/nologin
In order to connect to the server using ftp, you also need to run a ftp server / service or daemon.
An example of such ftp server is "vsftpd"
After installing it, you will also need to configure it and allow anonymous ftp access or ftp access to existing users
You will find the configuration file in the path "/etc/vsftpd/vsftpd.conf"
The below link might be useful for you --
https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-on-centos-6--2

Permissions - Apache and Pure-FTPd - How to set?

I have a big doubt how to setup Apache and Pure-FTPd. I don't know how set folder permissions and secure users to not access other folders outsite their home directory.
My scenario:
Apache running defaults (group apache, user apache)
Pure-FTPd using Pure-DB (internal database, not Linux users) - installed using group "ftpusers" and user "ftpuser"
all sites in /sites
I did:
chown apache:apache /sites -R
To create an user on Pure-FTPd:
pure-pw -u myuser -d /sites/onesite -u ftpuser -g ftpusers
pure-pw mkdb
This way I can connect to a FTP account but cannot transfer (permission denied) or delete files.
I can set all /sites to 777 but I know this is not correct. I want to know the correct way, so users can upload/delete files, Apache can read/write files in each website, and if a user upload something to try read outside the /sites directory he gets an error.
Please, help me to secure my webserver using Apache and Pure-DB, plus Linux permissions.
Thank you!
Roger
Not sure if this is correct: I've created the FTP user using "apache:apache"
pure-pw -u myuser -d /sites/onesite -u apache -g apache
pure-pw mkdb
and set:
chmod 770 /sites -R
So everything runs on apache:apache.
Same issue here. I solved it lowering /etc/pure-ftpd/conf/MinUID to my www-data UID number. Though I'd like to know if there is a better solution.

Resources