|
|||
obsd 4.3 secure ssh use
Hello, i'm newbie in openbsd.
I ve installed Openbsd 4.3 with pf (with NAT) I ve a user : admin (not in wheel group) ; in /etc/sudoers i ve put : admin ALL=/usr/sbin/vi /etc/pf.conf admin ALL=/usr/sbin/pfctl I have ssh access(with admin)to this firewall and so, i can change rules. It works perfect. is it enough in security? In my config, what is best way : use chroot or systrace? (for pf use in ssh environment) thank's Last edited by milo974; 2nd July 2008 at 12:56 PM. Reason: more precision |
|
|||
the ssh access is exposed to internet, and password authentification.
Root cant connect to ssh access. admin account is restricted :cant use su command ; can use only sudo vi /etc/pf.conf or sudo pfctl -f /etc/pf.conf. My system is a colander ? in security terms ? what i wish is when admin is connected, i want to change system root (chroot) and have an access to modify pf.conf and reload it. How can i do that ? Last edited by milo974; 2nd July 2008 at 06:37 PM. Reason: more precision |
|
||||
Do you have a colander? Maybe, maybe not. Things to think about:
Password authentication As I mentioned above, I don't think passwords are good security. How strong is your "admin" password? Any 8-character password can be broken by brute-force in a matter of days; if a dictionary attack is used and the password contains words or word fragments, it can be broken in a weekend. That's not good. My recommendation: disable password authentication, and use alternative authentication methods. OpenBSD supports many authentication technologies (see login.conf(5) for most), including Kerberos and physical token systems. For simplicity with SSH, I happen to like public key authentication when keys can be stored remotely, and S/Key one-time-use passphrases when they can't (see skey(1) and related man pages). Sudo limitations You are allowing vi(1) to be executed as root. Once in the editor, the "admin" user can request a shell, and they will then have a root shell without restriction and without audit history. If you are trying to limit what "admin" can do, you must only permit the execution of programs that that do not allow shell escapes. ------------------------------------------------------ If you are "admin" and you are trying to limit damage should someone acquire the password .... your best solution is to not use passwords, or not use them alone. Current commercial best practice is to require binary authentication -- two different things:
|
|
|||
Quote:
http://openbsd.org/faq/faq10.html#wheel As a newcomer to OpenBSD, you will save yourself significant time & aggravation by familiarizing yourself with the entire FAQ now while you are searching for common configuration answers. |
|
||||
Quote:
You should change it to force vi to run with the -S flag -> which forces the 'secure' option on (which can not be disabled without restarting vi without the -S switch afaik). While 'secure' is set on in Vi, the user can not :! escape to a prompt or use external programs from within vi. This is however, not to say that one could never conceivably bypass this attempt at a security feature. It would also be ideal, that if you must make Vi available so easy -- to make sure to have a bloody log of it's actions if possible. The script program can't log vi's actions properly but it can log ex, which is trivial to switch to vi mode.
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''. |
|
||||
If the goal is to allow a normal user, "admin" -- to edit /etc/pf.conf and issue pfctl commands, then neither sudo nor su are required. Instead:
# chown admin /etc/pf.conf /dev/pf---- There are many ways to accomplish any mission. The appropriate question is not, "How do I use X?" but rather, "I need to get something done. What are some of the ways I can do it?" |
|
|||
so, if i remove password auth in sshd_config and put public key auth.
chown admin /etc/pf.conf /dev/pf remove admin from wheel group remove sudo commands (vi ; pfctl) Is it enough in security terms Thank's ! |
|
||||
If your goal is to have "admin" be able to manage PF, but not have any other administrative capability, then yes.
Quote:
|
|
|||
I have summarized
thank's ! |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Cannot connect to IRC (network issues within OBSD?) | guitarscn | OpenBSD General | 10 | 4th September 2009 12:35 PM |
Restore OBSD Over SSH | revzalot | OpenBSD Installation and Upgrading | 16 | 2nd September 2009 06:45 PM |
unable to install Postfix from ports on OBSD 4.3 | Pollywog | OpenBSD Packages and Ports | 25 | 22nd July 2008 03:32 AM |
obsd 4.3 chrooted sftp permissions? | luismi | OpenBSD General | 4 | 12th July 2008 11:39 PM |
Cacti performance OBSD vs. CentOS | ai-danno | General software and network | 8 | 3rd July 2008 08:51 PM |