Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Stan McCann
June 23, 2005, 8:42 pm
rate this thread
to being hacked a few times on a Solaris box, I have switched over to a
Linux system which I understand security issues on somewhat better. As
part of the switch, I also no longer allow telnet and ftp but depend on
With this new setup, I've had difficulty allowing newly created users
to access the system without a password so use a generic password that
allows an initial login requiring the user to change it immediately.
This works via the .bashrc calling another script. The second script
deletes itself after a successful password change. It works well and
thanks to "if", gives no errors when the second script no longer
This leaves one problem, however with sftp. Since there is a valid
password for the user account, a person can connect to the server using
sftp without first changing the generic password. What I would like to
do to solve this issue is disallow connection if the password has not
been changed. Ideally, I could set a configuration parameter to not
allow the particular password for sftp. Or, can I check for the
existence of the secondary script and not allow access via sftp if it
Stan McCann "Uncle Pirate" http://stanmccann.us/pirate.html
Webmaster/Computer Center Manager, NMSU at Alamogordo
http://alamo.nmsu.edu/ There are 10 kinds of people.
Those that understand binary and those that don't.
Re: sftp password
That's not true. Certain Linux distributions might have safer default
installations but really any *nix system becomes eash to gain
unauthorized entry to under similar conditions. I do not think the Linux
kernel is any more secure than say the Solaris, FreeBSD or OpenBSD
sftp works via the subsystem, a program as defined in sshd_config e.g.
You can make use of the *nix security model to control access to which
users are allowed to connect via sftp. I tested this out with OpenSSH 3.9
and it worked nicely... create a group like sftpuser and then change the
permissions on the sftp-server binary accordingly.
chgrp sftpuser /usr/libexec/sftp-server
chmod 750 /usr/libexec/sftp-server
Now only members of group 'sftpuser' can sftp into your system. By
default your users won't be a member of this group, so although they can
ssh in they will not be able to sftp in. You can either manually add
confirmed users to the sftpuser group, or come up with a script solution.
A script solution might involve scanning syslog messages for indication
that a user changed their password.
Software design for Windows and Linux/Unix-like systems
- » PortSentry: How To Delete an Entry in Routing Table
- — Previous thread in » Linux Security
- » Cloud Ace Technologies is offering Implementation Services on Cloud Computing, Cloud Serv...
- — Newest thread in » Linux Security