How to dynamically allow users in OpenSSH? - openssh

I want to be able to block or allow users based on the result of an external script using OpenSSH. I see that libssh has support for callbacks, but after reading the OpenSSH man pages I cannot find anywhere that this functionality is handed to the user.
For example, I'd like to be able to maintain either a file or even an API that contains a username blacklist or whitelist, and have OpenSSH consult these lists during the authentication process.
Ideas I've had so far, and why they are insufficient:
Make use of sshd_config: AllowUsers. This is a start, but since it does not read from a file, it is not dynamic. The configuration file would need to be changed every time and the service restarted. Additionally, modifying the config file from a script is dangerous and terrible.
Make use of sshd_config: AuthorizedKeysCommand. Unfortunately, while this does allow you to specify a script and grant access based on the result, it does not allow denial of access. If the script returns nothing, sshd continues to try other methods of authentication.
Recompile OpenSSH with an addition that implements the libssh callbacks. I'd rather not do this for obvious reasons of maintainability.
Is there another method that I have missed while reading the documentation?

For 2. you could limit authentication to publickey with AuthenticationMethods.
Another option is to use PAM and implement your own PAM authz module.

Option 2 is sufficient if you disable checking authorized_keys:
sshd_config:
AuthorizedKeysCommand /etc/ssh/my-custom-command
AuthorizedKeysUser nobody
AuthorizedKeysFile none
my-custom-command:
# $1 is user, as passed from sshd
#psuedo code:
if $1 is in whitelist:
cat /home/$1/.ssh/authorized_keys
exit 0
else
exit 1

Related

Is it possible to pass username and password in makefile?

Hi I'm using makefile to do lots of compiling and remote works.
In many occasion I would need to type in username and password for remote connection, VPN, code upload and other stuffs.
May it be possible to use makefile to auto type in the credential information?
Thanks a lot!
It is not the role of make to do this kind of thing. So there is no special support in a Makefile for handling credentials.
However, if you can get a shell script to do the "auto-typing" or provide the required credentials some other way, then you should be able to use the same approach in a Makefile.
We can't advise you on how the script would work, because you have given no actual details of the commands etc that you are using for remote access.
But if you are using ssh from a Linux box, you could use public key authentication and ssh-agent and avoid the problem entirely. This would be a lot more secure than:
using user / password auth at all, and
embedding passwords in your makefiles ... for someone else to find when they steal your laptop or whatever.

hiding passwords in shell scripts

I'm writing a bash script that needs login credentials (username and password) to make an API call. The script will eventually become a cron job, so it's not feasible to prompt the user for login credentials. What is the best way to hide the credentials in a bash script?
If you can't set up restricted read permissions on the bash script itself (e.g. only root can read it), the usual approach is to use a separate file, with said restrictions (only root or a dedicated user can read it (chmod 400 filename)).
This is how you store your ssh keys in ~/.ssh/, as well.
If you are worried about someone having full access to your drive, e.g. someone stealing it, try cryptsetup/luks.
If you are worried about someone reading the unencrypted raw device, you might try breaking up the password, and assemble it in memory when needed...
SSHPASS=$_pass sshpass -e ssh -o StrictHostKeyChecking=no $_host
I use this bit for instance and prompt user input to a restricted file, a bit more security not actually passing the variable during SSH session, but instead defining as an env variable. Haven't had many concerns from my work place Security Engineers. You can always do as others stated and have that file already containing creds rather than prompting and do the same here.

HipChat Server login screen limit

Is it possible to restrict access to the HipChat Server login screen for some networks for security reason?
I need to limit only to site root.
Unfortunately, there's not feature right now to allow you to do that directly.
One way you could work around it is to write an script that updates the ngixn configuration to add IP filtering. This question proposes a method to achieve something similar to what you describe (you would need to customize the script to fit into HipChat Server's nginx configuration though):
cat /var/www-allow/client1-allow.conf
allow 192.168.1.1;
allow 10.0.0.1;
cat /etc/nginx/sites/client1.conf
...
server {
include /var/www-allow/client1-allow.conf;
deny all;
}
Try the script manually. Once it works, move the script to /home/admin/startup_scripts/ipfilter (keep the file without extension, and make it executable), so that your configuration stays after reboot and upgrade (/home/admin/startup_scripts contains a few examples of different scripts).

Can I allow a ruby script read access to a file but not the user invoking the script?

I have installed a ruby script (script.rb) on a Linux system that 'requires' another file (required.rb) with a bunch of custom methods.
I do not want to let my users read required.rb.
If i remove read access (i.e. chmod 600 required.rb) and then try to run my script as a user I get the following error:
no such file to load -- /etc/required.rb
Is there away to allow ruby to read this required file but stop users from seeing it?
Whether a process can read a file is governed by the effective UID of the said process. If you change permissions of the file, then processes by the user (including the ruby process) cannot read it.
One solution is to make your ruby interpreter owned by someone else and then make it setuid but this will give it the power to read these "protected" files regardless of what script it runs. In short, don't do this.
An other option is to keep your data somewhere other than on the file system and then use a separate authentication system for that.
The right way in my opinion is to have all the methods in your script but use some kind of a AAA harness that restricts access to methods you don't want the user to run. You can then use any AAA backend to authenticate your user (LDAP, password file etc.).

Check username and password of Windows account

I have an installation package that installs a service process that I create. I'd like to prompt the user for the username/password of the account that the service process should run under. I'd like to verify the the username/password combination are valid before continuing with the installation. I have a C DLL that I am using for special installation behavior, but I can't figure out how to use the Windows API to verify an account's credentials. I'd like to be able to support the same account name syntax used by the service control manager.
The function you want to use is LogonUser. You can even be extra-cool and specify the LOGON32_LOGON_SERVICE flag which checks to make sure the user has the appropriate permissions to run a service.
LogonUser is the canonical way to do this, though Microsoft somewhat discourages it.
I've implemented this using the LogonUser function as you guys have mentioned (by the way, this service requires WinXP SP2 or later so I'm not worried about the privilege issue). However, this isn't quite working as I had hoped. If I call QueryServiceConfig, lpServiceStartName is in the format ".\accountname". If I pass this string as is to LogonUser, it fails. I assume the portion before the '\' represents the machine on which the user belongs?
Also, if I call ChangeServiceConfig specifying "LocalSystem" and "" for the lpServiceStartName and lpPassword parameters respectively, this works fine. However, calling LogonUser with these parameters does not work.
I'd really like to use the same syntax that the SCM uses for the account names.

Resources