Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Thread Tools Display Modes
  #1   (View Single Post)  
Old 28th October 2010
phyro phyro is offline
Port Guard
Join Date: Sep 2010
Posts: 27
Default root logins

Ive been trying to find a way to completely lock down my server from all local and remote root connections without the use of a usb key. ? is it possible to require any root commands to require a encrypted usb key?

Hence eliminating the possibility of logging in (locally or remotely) or executing any root level command without a proper secondary key?

The other question i had was .. is it possible to limit the number of root connections to 1 ? ie if a term was open with root logged into it.. make it impossible to su, sudo or log in on any other term, local or remotely?

Would such a configuration prevent to possibility of someone installing a rootkit or similar method to gain root access or execute a command as root?

The thought being that someone must have the secondary encryption key OR physically have access to the server keyboard? and of course my last question is how to require a password on the "blank" screen saver in tty?

I know it may sound kinda overkill but the servers set up and runs awesome so theres no need to ever log into or restart it. I just want to make it exceedingly difficult to gain root access.. (and yes the pw's is bulletproof)

Reply With Quote
  #2   (View Single Post)  
Old 28th October 2010
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223


Some of these requirements probably can't be met without some extensive modifications, possible some additional support programs.. but maybe you can explain why you're so paranoid?

Physical security is difficult, disabling root access wouldn't prevent someone from booting from external media.. they could also remove the hard disk.. or do a multitude of other simple local attacks.

That said, you can edit /etc/ttys and remove all instances of "secure", with this nobody will be able to login as root, as documented in ttys(5).

You could also remove the graphics card and use a serial port for on-site maintenance, depending on the level of modifications you're willing to make, you could modify the kernel to prevent vga(4) and other wscons(4) devices from attaching.

For SSH, there is an option to prevent root logins, enable that.. and nobody will be able to directly login using the root account, however non-root users in the wheel group still have access to su(1) and sudo(8) and can elevate permissions.

When a user is logged in, any attempts to run login(1) actually run an instance of su(1) instead, if you read the man page you'll notice that the wheel group plays an importance.. an unsuspecting user may conclude that having no users in the wheel group would be a good idea, but the opposite is true, if the wheel group is empty then su(1) permits all users to attempt a root login.. which will succeed if they know the root password, if however you designate 1 or more accounts to wheel only they will be able to.

Fortunately on OpenBSD, you must edit /etc/sudoers before sudo(8) is a risk.

Now, assuming you configure your system to prevent root logins directly, you will most likely have one user in the wheel group.. as is wise... this account needs to have a good password, but some would also argue that this account is a good candidate for attacks, disallowing password authentication for SSH would be wise as would periodically changing the password.

At the end of the day, the best plan is to only give accounts to people you trust not to abuse the right.

Good luck.
Reply With Quote
  #3   (View Single Post)  
Old 28th October 2010
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,446

Authentication for users at signon is managed by login.conf(5), where you could provision the authentication system you desire for root, including devising your programs that check for a USB key, mother's maiden name, or the phase of the moon.

Physical access to the platform means physical access. Any ninjas that enter your facility can bring their own keyboard and do whatever they want, without your USB key or the root password.
Reply With Quote
  #4   (View Single Post)  
Old 28th October 2010
phyro phyro is offline
Port Guard
Join Date: Sep 2010
Posts: 27

ahh, ok right on thanks guys..

I don't have any data worth stealing anyways, my desire to make a 'DND secure" server is for my personal accomplishments... That being to make a server so secure that it could be considered mission critical. (I suppose seeing hows i cant exactly walk into a university and take a course on bsd) tinkering is the best option..

I have removed secure from tty's (does that also include remote root logins?)terms, (thats a good one, thanks) as well I selected "no" to root log ons for ssh during install.. not sure where that option is kept tho. Thanks for info on soduers file thats cool. I didn't realize there was a file to control that. thanks.. As for wheel users I do only have 1 user in that group that i only use to su and start services, then quit. again with bullet proof password..

I'm going to have to make the login conf my next project. (i'm not a guru for sure) so thats cool. gald you guys are around to point me and others in the right direction thanks again!

I just read through 4.8 .. can't wait for those cd's to arrive
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
root on ZFS gkontos FreeBSD Installation and Upgrading 12 18th December 2009 09:43 AM
ssh root Nk2Network OpenBSD Security 22 8th April 2009 06:59 PM
NTOP as root sniper007 FreeBSD Security 0 27th January 2009 07:42 PM
Wheel Can't su root MetalHead OpenBSD General 2 22nd November 2008 12:44 AM
Enable root logins and solving display issues? disappearedng FreeBSD General 5 7th June 2008 10:24 PM

All times are GMT. The time now is 09:19 PM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick