Hi, QUESTION: what implications are there when using the "root" or a root type of account via a port-forwarding ssh-tunnel inside (or on top of) another non-root type of user's ssh-tunnel ? Is such double layer of encryption brings more security or system still vulnerable same as single layer of SSH encryption ? DETAILS: In CentOS (6.3 & 6.4) server side i have done these: (1) Created a user named "administrator". Then by using visudo command, i allowed "administrator" to have higher level of access & permission, similar/close to the "root" user, (not exactly same though). http://wiki.centos.org/TipsAndTricks/BecomingRoot (Basically this "administrator" user has maintenance related software running privilege). (2) Created a user named "non-root", a standard/normal user. (3) In /etc/ssh/sshd_config file i have modified the default configurations into this: # File: /etc/ssh/sshd_config port NNN10 protocol 2 SyslogFacility AUTHPRIV AllowUsers non-root root@127.0.0.1 administrator@127.0.0.1 PasswordAuthentication yes PermitEmptyPasswords no ChallengeResponseAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials yes UsePAM yes AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS X11Forwarding no Banner /etc/issue.net Subsystem sftp /usr/libexec/openssh/sftp-server # End of File: /etc/ssh/sshd_config Above config allows only "non-root" user to connect with CentOS server from internet. And "administrator" or "root" can must/only connect using local ip address 127.0.0.1. In /etc/issue file and in /etc/issue.net file i have placed such text info: *********************************** NOTICE / WARNING TO USERS * This computer system is private property of its owner, Bry8Star. * This message is shown from hostname.sld.tld * It is for AUTHORIZED use only. Any unauthorized or improper use of this system will result in CIVIL and CRIMINAL PENALTIES ... * ... * Your connection IP ADDRESS, PORT, and TIME info etc are recorded by this computer. *********************************** In /etc/profile file, i have placed these below 13 lines just above the "unset i" line, at bottom side: if [ -n "$SSH_CLIENT" ] then set $SSH_CLIENT echo "Your current connection coming from IP Address $1 using port $2, to this computer." else if [ -n "$SSH_CONNECTION" ] then set $SSH_CONNECTION echo "Your current connection coming from IP Address $1 using port $2, to this computer." else echo "Your current connection's IP Address & port could not be shown for now." fi fi In /etc/profile.local file, i have placed these below 13 lines at bottom side: if [ -n "$SSH_CLIENT" ] then set $SSH_CLIENT echo "You have connected from IP Address $1 using port $2" else if [ -n "$SSH_CONNECTION" ] then set $SSH_CONNECTION echo "You have connected from IP Address $1 using port $2" else echo "User's IP Address could not be shown" fi fi Above codes allow me to see what IP:port is currently being used. And after login opensshd by default shows last/previous connection's IP-address or reverse-domain. This helps to see instantly which IP is being used right now or who is attempting to login in simple way. Ofcourse log can show more detailed info. And in client side (user side), i'm using PuTTY or PuTTY based or other SSH client software, with such configurations: SSH-client software has 3 connection profiles. The "ssh-client-01" connection ssh-profile is configured for regular user "non-root", and connects to ip.address.numbers:port (hostname.sld.tld:NNN10) (sld = 2nd level domain, tld = top level domain). This connection profile is also configured to create one encrypted port-forwarding tunnel through the SSH-tunnel: where, local port NNN11, is port-forwarded, to the (local-)port NNN10 inside CentOS server (hostname.sld.tld). The "ssh-client-02" connection ssh-profile is configured for user "administrator", and connects to local ip address 127.0.0.1 on port NNN11 (127.0.0.1:NNN11). This connection profile itself has no port-forwarding tunnels. It uses the forwarding-tunnel of "ssh-client-01" to create SSH-tunnel, toward the ssh-server port NNN10 of CentOS server. The "ssh-client-03" connection ssh-profile is configured with user "root", and connects to local ip address 127.0.0.1 on port NNN11 (127.0.0.1:NNN11). This connection profile itself has no port-forwarding tunnels. It uses the forwarding-tunnel of "ssh-client-01" to create SSH-tunnel, toward the ssh-server port NNN10 of CentOS server. I first connect with CentOS server using "ssh-client-01", then i connect again with CentOS server using the "ssh-client-02". In this way "ssh-client-02" (for "administrator") goes through the encryption layer of "ssh-client-01" (for "non-root"). If i need to use "root" level access/privilege, i do these: sudo one-command options For multiple commands i do these: su - a-command options another-command options exit To switch into another user account (like "GUIuser1", "non-root2") without disconnecting, i do: su GUIuser1 su non-root2 The "ssh-client-03" ssh-profile i use for exceptional purpose, when i absolutely must have to use the "root" account directly, only then. QUESTION: How can i configure opensshd related settings, so that, it shows current ip-address & port used by the current user who is trying/attempting to login ? BEFORE user types in the password. I have placed a text "This is \o | Now it is \t \d | Connection is using \l" in /etc/issue file and also in /etc/issue.net file, but it does not work, just appears as verbatim, (escape sequenced special variables do not get translated/replaced by special values). I want to show the user who is attempting to login, his/her IP-address, port, time, etc to him/her, every time before typing password. QUESTION: what is/are better practice(s) (to secure CentOS server related to SSH) ? QUESTION/Possible-SOLUTION: Should i remove the "root@127.0.0.1" from "AllowUsers" and add "PermitRootLogin no" line in /etc/sshd_config file ? Thanks in advance, -- Bright Star.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos