DaemonForums  

obsd 4.3 secure ssh use

#1 milo974, 2nd July 2008

Hello, I'm a newbie in OpenBSD.
I've installed OpenBSD 4.3 with pf (with NAT).
I've a user: admin (not in wheel group); in /etc/sudoers I've put:
admin ALL=/usr/sbin/vi /etc/pf.conf
admin ALL=/usr/sbin/pfctl

I have ssh access (with admin) to this firewall and so I can change rules.
It works perfect. Is it enough in security?
In my config, what is the best way: use chroot or systrace? (for pf use in ssh environment)
Thanks

Last edited by milo974; 2nd July 2008 at 12:56 PM. Reason: more precision

#2 jggimi, 2nd July 2008

Quote (originally posted by milo974):
    It works perfect.

Then you may have used chmod(1) or chown(8), or both, in order to provide rw access to /dev/pf. It is filemode 600 and owned by wheel:root in the default install.

Quote:
    ....is it enough in security?

It depends what you mean by the word security. We don't know what you mean by the word, or what else you've done, or what you intend.

Example, if you allow password authentication, and SSH access is exposed to the Internet, then I would consider your solution insecure. Others might think strong passwords are sufficient. Still more might recommend using a non-default port number. I wouldn't. But then, I don't know what you mean by "security."

Quote:
    In my config, what is best way : use chroot or systrace?

I don't see how either would apply to shell commands.

First, ask yourself, "What is it I wish to accomplish?" Once you have the answer, then you can search for a technical solution, and ask for advice or best practice. Don't start with technical tools, and ask if they apply to an ill-defined solution.

#3 milo974, 2nd July 2008

The ssh access is exposed to the internet, with password authentication.
Root can't connect to ssh access.
The admin account is restricted: can't use the su command; can use only sudo vi /etc/pf.conf or sudo pfctl -f /etc/pf.conf.
My system is a colander? In security terms?

What I wish is, when admin is connected, I want to change system root (chroot) and have access to modify pf.conf and reload it. How can I do that?

Last edited by milo974; 2nd July 2008 at 06:37 PM. Reason: more precision

#4 jggimi, 2nd July 2008

Do you have a colander? Maybe, maybe not. Things to think about:

Password authentication

As I mentioned above, I don't think passwords are good security.

How strong is your "admin" password? Any 8-character password can be broken by brute-force in a matter of days; if a dictionary attack is used and the password contains words or word fragments, it can be broken in a weekend. That's not good.

My recommendation: disable password authentication, and use alternative authentication methods.

OpenBSD supports many authentication technologies (see login.conf(5) for most), including Kerberos and physical token systems. For simplicity with SSH, I happen to like public key authentication when keys can be stored remotely, and S/Key one-time-use passphrases when they can't (see skey(1) and related man pages).

Sudo limitations

You are allowing vi(1) to be executed as root. Once in the editor, the "admin" user can request a shell, and they will then have a root shell without restriction and without audit history.

If you are trying to limit what "admin" can do, you must only permit the execution of programs that do not allow shell escapes.

------------------------------------------------------

If you are "admin" and you are trying to limit damage should someone acquire the password .... your best solution is to not use passwords, or not use them alone.

Current commercial best practice is to require binary authentication -- two different things:
  1. Something you have (token device, binary key, biometric, etc.)
  2. Something you know (passphrase, password, PIN, etc.)

#5 ocicat, 2nd July 2008

Quote (originally posted by milo974):
    The admin account is restricted: can't use the su command; can use only sudo vi /etc/pf.conf or sudo pfctl -f /etc/pf.conf.

While sudo(8) provides finer access granularity, the reason you are unable to use su(1) is most likely due to the account lacking membership in the wheel group. For more information, see Section 10.1 of the FAQ:

http://openbsd.org/faq/faq10.html#wheel

As a newcomer to OpenBSD, you will save yourself significant time & aggravation by familiarizing yourself with the entire FAQ now while you are searching for common configuration answers.

#6 TerryP, 3rd July 2008

Quote (originally posted by jggimi):
    You are allowing vi(1) to be executed as root. Once in the editor, the "admin" user can request a shell, and they will then have a root shell without restriction and without audit history.

    If you are trying to limit what "admin" can do, you must only permit the execution of programs that do not allow shell escapes.

You should change it to force vi to run with the -S flag, which forces the 'secure' option on (which cannot be disabled without restarting vi without the -S switch, afaik).

While 'secure' is set on in Vi, the user cannot :! escape to a prompt or use external programs from within vi.

This is, however, not to say that one could never conceivably bypass this attempt at a security feature.

It would also be ideal, if you must make Vi available so easily, to make sure to have a bloody log of its actions if possible.

The script program can't log vi's actions properly but it can log ex, which is trivial to switch to vi mode.
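
Added example, not part of any post in the thread: a POSIX sh check that scans sudoers text for the problem raised in posts #4 and #6, an entry that runs an interactive program with a shell escape as the target user. The program list, the labels and the sample users `backup` and `editor` are assumptions; the `-S` exception is applied only to vi/ex/view, because in vim `-S` sources a script instead.

```shell
#!/bin/sh
# Added example (not from the thread). The program list is an assumption
# and is not exhaustive.
ESCAPE_PROGS="vi vim view ex ed less more man"

# audit_sudoers: reads sudoers text on stdin, prints "user:label:command"
# for each entry that runs a program from ESCAPE_PROGS.
#   shell-escape  the program can spawn a shell as the target user
#   secure-flag   vi/ex/view pinned to -S, the flag named in the thread
# Returns 1 if any shell-escape entry was found, else 0.
audit_sudoers() {
    awk -v progs="$ESCAPE_PROGS" '
        BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) risky[p[i]] = 1 }
        /^[ \t]*(#|$)/ || /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            user = $1; spec = substr($0, eq + 1)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop a (runas) prefix
            m = split(spec, cmds, ",")
            for (j = 1; j <= m; j++) {
                c = cmds[j]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                sub(/^([A-Z]+:[ \t]*)+/, "", c)          # drop tags such as NOPASSWD:
                split(c, w, /[ \t]+/)                    # w[1] is the command path
                k = split(w[1], parts, "/"); base = parts[k]
                if (!(base in risky)) continue
                if (base ~ /^(vi|ex|view)$/ && c ~ /[ \t]-S([ \t]|$)/) label = "secure-flag"
                else { label = "shell-escape"; bad = 1 }
                print user ":" label ":" c
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample; the two admin lines are the ones quoted in post #1.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
admin ALL=/usr/sbin/vi /etc/pf.conf
admin ALL=/usr/sbin/pfctl
backup ALL=(root) NOPASSWD: /usr/bin/less /var/log/authlog, /sbin/dump
editor ALL=/usr/bin/vi -S /etc/pf.conf
EOF
}

sample_sudoers | audit_sudoers || echo "shell-escape entries present"
```

Entries labelled `secure-flag` are still printed so they can be reviewed, in line with the caveat in post #6 that the flag may not be impossible to bypass.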

#7 jggimi, 3rd July 2008

If the goal is to allow a normal user, "admin" -- to edit /etc/pf.conf and issue pfctl commands, then neither sudo nor su are required. Instead:
# chown admin /etc/pf.conf /dev/pf
----

There are many ways to accomplish any mission. The appropriate question is not, "How do I use X?" but rather, "I need to get something done. What are some of the ways I can do it?"

#8 milo974, 3rd July 2008

So, if I remove password auth in sshd_config and put public key auth,
chown admin /etc/pf.conf /dev/pf
remove admin from wheel group
remove sudo commands (vi ; pfctl)
Is it enough in security terms?

Thanks!

#9 jggimi, 3rd July 2008

If your goal is to have "admin" be able to manage PF, but not have any other administrative capability, then yes.

Quote:
    ...remove admin from wheel group...

You started this thread by stating that "admin" was not a member of wheel.
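
Added example, not part of any post: a POSIX sh check of the sshd_config side of the plan agreed in posts #8 and #9. sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` appended below an earlier `yes` has no effect; the required values, and treating an unset keyword as a failure, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread).

# sshd_value KEYWORD: reads sshd_config text on stdin and prints the value in
# effect. Keywords are case-insensitive and the first occurrence wins.
# Parsing stops at the first Match block (conditional overrides are not
# evaluated). Prints "unset" if the keyword never appears.
sshd_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# audit_sshd: reads sshd_config text on stdin, prints one line per check and
# returns the number of failed checks. Required values are assumptions that
# mirror the plan in the thread.
audit_sshd() {
    cfg=$(cat); fails=0
    for want in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes; do
        key=${want%%=*}; exp=${want#*=}
        got=$(printf '%s\n' "$cfg" | sshd_value "$key")
        if [ "$got" = "$exp" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key $got (want $exp)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: the "no" was appended below an earlier "yes".
sample_sshd_config() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, never takes effect
PasswordAuthentication no
EOF
}

sample_sshd_config | audit_sshd || echo "sshd_config does not match the plan"
```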

milo974, 3rd July 2008

I have summarized.
Thanks!