Disable Remote Logon While Allowing SU on Ubuntu Server 14.04

14.04server

My company is looking to secure our a Ubuntu 14.04 LTS servers and we wanted to disallow specific users the ability to logon remotely, but still allow people to change over to that user account using SU if needed for support purposes. I found the answer to disallowing SSH logins here:

How do I disable remote SSH login as root from a server?

Would this prevent using SU to change to a user who's been disallowed remote SSH logon ?

Specific example: We don't want people logging over SSH using the account 'specadmin' but user 'mary' may need to log-in and SU to 'specadmin' to perform a few special support duties over a SSH connection, is this possible (while not the best model I am sure). We don't have local access to the servers because they are cloud hosted.

Best Answer

No, disabling SSH access in the sshd_config file will not affect the ability to login locally or through the use of su command.

Although you can limit the accounts allowed to connect with SSH as described in the referenced answer (i.e. by setting either DenyUsers specadmin or AllowUsers mary in the /etc/ssh/sshd_config file), it would still be less secure than what is considered a common practice for SSH.

You should not go that way and instead switch to the key-based authentication.

If you are configuring it for the first time, it might seem cumbersome, but as you use cloud services, you can easily add a new server and perform test runs (btw, cloud services usually give you a web access to the console if you lock yourself out).

First you should set (or ensure the following options is set in the sshd_config):

PubkeyAuthentication yes

Then you should generate a key-pair on your client machine (ssh-keygen command on Linux machines) and add the public key to the following file (for mary):

/home/mary/.ssh/authorized_keys

either by copying manually (a key is a string of characters) or using ssh-copy-id mary@<destination_server> command which will upload the key automatically.

You should be able to connect to the server using ssh mary@<destination_server> using the key. If you set the passphrase during ssh-keygen, which you should, you will need to enter it, but it will not be transferred between the client and the server. To be really sure you are doing things correctly set a passphrase to the key file different from the password on the destination server.

If you can successfully login using the key authentication (and passphrase), you can proceed to disabling password based one by adding/ensuring the following settings in sshd_config:

PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no

After the changes to the sshd_config you should of course restart the SSH daemon (sudo service ssh restart) on the server.

For peace of mind you might also want to disallow access via SSH for the root account in the sshd_config (although if you perform the above, root won't be able to login by default):

PermitRootLogin no

Related Solutions

Ubuntu – How to use Google Authenticator with OpenVPN server on Ubuntu 12.04

Ok, Google is my friend.

I did this:

# apt-get purge libpam-google-authenticator
# download https://code.google.com/p/google-authenticator/downloads/list
# apt-get install libpam-dev

Add this to Makefile, right after the license:

LDFLAGS="-lpam"

Then

# make
# make install
# service openvpn restart

Also, make sure /home/username/.google_authenticator has no rights at all except read rights for the user that's going to use it.

Now I need to enter my username that's my local username on the server (my shell account) as my OpenVPN username and the Google Authenticator 6-digit code as the password.

Now it works.

Thank you all for your time :)

(How can I mark this post as solved? Do I just edit the topic title?)

Ubuntu – How to allow LDAP user to change password

in the slapd.conf write access control rule

access to attrs=userPassword   
by self =xw

But you should be aware that specific rules are to be written first and general rule at the end.
for example following rule has to be written at the end.

access to * by * read

for more information visit: http://www.openldap.org/doc/admin24/access-control.html

MORE INFO
slapd.conf is generally located in

/etc/openldap or  
/etc/ldap/ or 
/usr/local/etc/openldap/ or  
/usr/local/etc/ldap/

There are some changes in newer versions of ldap where slapd.conf is supported but by default the data is stored in slapd.d directory. if you put your custom slapd.conf there, the process will read slapd.conf instead of slapd.d directory

Things to notice

sometimes slapd.conf is present in both local as well as global path try changing both
delete slapd.d direcotry as it is default to make slapd.conf work

Best Answer

Related Solutions

Ubuntu – How to use Google Authenticator with OpenVPN server on Ubuntu 12.04

Ubuntu – How to allow LDAP user to change password

Related Question