Prefetch Technologies // Keeping your cache lines cozy

Posts in Security

Chroot'ing users with openssh

security | Mar 15, 2009 | 2 min read

I recently learned about the new ChrootDirectory in OpenSSH 5.2, and wanted to play around with it to see what it was capable of. To begin my quest, I started off by creating a couple of users that would be chroot'ed to their home directories when they logged into the server with sftp. Once the users were created, I added the following configuration stanza to my sshd_config file to chroot these users when they logged in with their sftp client: Once these directives were added, I started up the daemon in debug mode: Debug mode will cause the daemon to log verbosely to stdout, which is extremely useful for locating problems with new configuration directives. Now that the daemon was running, I tried to log in with the user u1: The first attempt was a no-go, but luckily verbose logging made debugging this issue a snap: After changing /home/u1 to be owned by root, I was able to log in and poke around: This is super useful, though building chroot jails for normal SSH sessions will require a bit more work (i.e., you need to populate the chroot directory with all the config files and binaries needed to run a typical shell session)…

OpenSSH's VPN

security, personal | Jun 26, 2008 | 4 min

Most SSH clients have the ability to perform local and remote port forwarding. This is a pretty neat use of SSH if you haven’t ever seen it before. OpenSSH can take it one step further and provide a full VPN solution encrypting all network traffic on all ports between two machines. This is pretty powerful stuff…

Respect my ~/.Xauthority !#@$!

security | Apr 5, 2008 | 4 min

South Park is a hilarious show, and I think that Cartman is the best character. One of Cartman's classic lines is "YOU WILL RESPECT MY AUTHORITAH!#!" about X11 Forwarding / SSH, but maybe there is a moral to the story. You have to execute some sort of GUI program on a remote host and it requires root access in order to execute (or you have to change to a different user to execute the GUI with correct permissions)... At first, when you logged into the machine for the first time without X11 forwarding enabled, your ~/.Xauthority file doesn't exist…

Building 32-bit openssl libraries with the Sun C compiler

security | Dec 30, 2007 | 1 min

This week I needed to install OpenSSL 0.9.8g on one of my servers. When I went to configure and build the libraries with the Sun C compiler, I noticed that 64-bit libraries were produced by default. It turns out that this is the default behavior if you try to build OpenSSL on a 64-bit platform. To build 32-bit shared libraries, I ran Configure with the "shared" and "solaris-x86-cc" options: There may be other ways to do this, but this method appears to work ok.

Logging su attempts and failed logins

security | Jul 22, 2007 | 1 min

As a conscientious Solaris administrator, I make every attempt possible to protect my servers from malicious users. This includes disabling all unneeded services, enabling strong password policies, configuring system auditing, enabling strong network defaults, applying system patches and configuring system logging. When I configure system logging, I like to configure the syslogd daemon to log everything to a centralized location. This is typically accomplished by adding an entry similar to the following to /etc/syslog.conf:

    *.debug @logserver.prefetch.net

Additionally, I like to log each time a user logs into my systems, as well as all attempts to su to another user…
