Archive
Posts in Security
Using the ssh config file to specify remote usernames
I periodically need to access remote systems using different userids (I didn't have control over the account creation process, and unfortunately LDAP isn't in use :( ). While I could use the username@host syntax to specify a userid, I find it easier to list the userids in the .ssh/config configuration file. Here is a sample configuration I use on one of my systems: The User directive can be applied to each Host configuration stanza, which allows you to specify a unique userid for each host (or group of hosts) you connect to. There are a number of cool SSH options, which are documented in the ssh_config(5) manual page…
Securing CentOS and Fedora installations
I have been doing some Red Hat and CentOS security research, and came across several AWESOME links on securing Linux installations: Hardening RHEL5; NSA reference guide for securing Linux installations; NSA Guide to securing Linux installations; Stack overflow protection with ExecShield
Creating home directories on Linux hosts with pam_mkhomedir
I have been converting a number of hosts to LDAP authentication. I'm currently creating user home directories on each server, which has a number of pros and cons. One of the cons is that a newly provisioned user won't have a home directory, and will be assigned "/" as their home directory when they log in. This is less than ideal, since most users will need a place to modify files and customize their environment…
Disabling SELinux on CentOS Linux hosts
I spent a bunch of time a while back learning how SELinux worked, and it definitely has some useful applications (especially with the tools that were recently added to assist with policy setup). On some of the hosts I support it is overkill, and I disable it in one of my kickstart postinstall actions. To disable SELinux, you can change the SELINUX variable to disabled in /etc/selinux/config: If you are performing this action on a running host, you can save a reboot by using the setenforce utility to disable SELinux: If I get some time in the next few weeks, I will clean up my SELinux notes and put them on the main prefetch.net home page.
The case of the missing SSH keys
I built a couple of new Solaris 10 hosts today using a stripped down image, and was greeted with the following error when I tried to log in: The server was spitting out "no kex alg" errors, which appear to be due to key exchange issues. I poked around my sshd_config file, and for some reason the host keys weren't generated when the ssh service initialized. To fix this, I ran the ssh service with the -c option (this generated the RSA and DSA host keys): added the host keys to my sshd configuration file: And then ran 'svcadm refresh ssh' to restart the service. Once that completed, I was able to log in to the host…