- Posts: 3
- Thank you received: 0
SSH and winSCP
19 years 11 months ago #3860
by nske
Replied by nske on topic Re: SSH and winSCP
Hi,
1. It is simple enough, just create a group for each user (groupadd, usermod -g) and make sure the default permissions that will be applied to newly created files by each user will be have none permissions to "others" (umask) -notice that if a directory doesn't have e(x)ecute access, it can not be accessed regardless if it has (r)ead access.
2. All the exchanged info of the communication will be strongly encrypted in any case since you will be using the ssh protocol. I don't thing that you will have to worry about this normally. As for the proper permissions of the critical files & folders, it is a basic thing that each distribution I know sets fine (I am pretty sure redhat 9 as well). You could modify the permissions yourself though, in case you want to restrict even read access to non-critical configuration files of each application/service. You will find mostly anything in /etc/ folder.
3) Just modify your sshd_config file and use the parameter 'AllowUsers = user1 user2 user3' etc. You can also use the 'PermitRootLogin' setting it to 'no' (I thing that was the default of redhat). Also make sure 'UsePrivilegeSeparation' is set to 'yes', 'protocol' is set to '2' and 'compression' to 'yes' as well.
One final thing, especially in case your users are untrusted, you will want to make sure that your kernel is secure from local vulnerabilities that could result in unauthorized root access. Just follow the updates
1. It is simple enough, just create a group for each user (groupadd, usermod -g) and make sure the default permissions that will be applied to newly created files by each user will be have none permissions to "others" (umask) -notice that if a directory doesn't have e(x)ecute access, it can not be accessed regardless if it has (r)ead access.
2. All the exchanged info of the communication will be strongly encrypted in any case since you will be using the ssh protocol. I don't thing that you will have to worry about this normally. As for the proper permissions of the critical files & folders, it is a basic thing that each distribution I know sets fine (I am pretty sure redhat 9 as well). You could modify the permissions yourself though, in case you want to restrict even read access to non-critical configuration files of each application/service. You will find mostly anything in /etc/ folder.
3) Just modify your sshd_config file and use the parameter 'AllowUsers = user1 user2 user3' etc. You can also use the 'PermitRootLogin' setting it to 'no' (I thing that was the default of redhat). Also make sure 'UsePrivilegeSeparation' is set to 'yes', 'protocol' is set to '2' and 'compression' to 'yes' as well.
One final thing, especially in case your users are untrusted, you will want to make sure that your kernel is secure from local vulnerabilities that could result in unauthorized root access. Just follow the updates
19 years 11 months ago #3862
by nske
Replied by nske on topic Re: SSH and winSCP
There are no stupid questions, just stupid answers 
You could change the permissions recursively (one folder after an other and it's content) with the -R option of chmod, still that's not a necessity since no simple user can write any configuration file by default, and no critical file i.e. /etc/shadow containing the password hashes can be read.
The most that the user can do with his default permissions is browse through, in example, your apache configuration file, which doesn't not contain any sensitive information -that is, information that could directly be used for unauthorized access. Well, of course a security maniac would disagree, with the moto that the fewer information are revealed about the system the more difficult it is to be penetrated, but I'd say that practically it is of no importance in this particular case, especially since we speak about users that allready have local access and the only thing standing between them and root access is the kernel's handling.
Of course you may want to apply other form of restrictions to your users, restrictions in your system's and network's resources (disk space, total bandwidth limit, bitrate limit, prohibit them from opening network sockets, running applications that you consider unwanted etc), but I guess you won't typically need to bother with that.
You could change the permissions recursively (one folder after an other and it's content) with the -R option of chmod, still that's not a necessity since no simple user can write any configuration file by default, and no critical file i.e. /etc/shadow containing the password hashes can be read.
The most that the user can do with his default permissions is browse through, in example, your apache configuration file, which doesn't not contain any sensitive information -that is, information that could directly be used for unauthorized access. Well, of course a security maniac would disagree, with the moto that the fewer information are revealed about the system the more difficult it is to be penetrated, but I'd say that practically it is of no importance in this particular case, especially since we speak about users that allready have local access and the only thing standing between them and root access is the kernel's handling.
Of course you may want to apply other form of restrictions to your users, restrictions in your system's and network's resources (disk space, total bandwidth limit, bitrate limit, prohibit them from opening network sockets, running applications that you consider unwanted etc), but I guess you won't typically need to bother with that.
Time to create page: 0.135 seconds