  severely depressed
@covad.net
| reply to fritzmp Re: Little Known Tips and Tricks...
Since you bring up the sshd_config script, I do have a question.
Can you prohibit the login of other users besides root this way? If so, how?
I ask because my leetle old mother, complete with foo-foo dog (pomeranian), insists on simple login passwords. She claims to be feeble minded (-heh-). So I'd like to have remote access for me via 'ssh' and prohibit remote login of all other users on her machine.
TIA
 |
|
  Drunkula Premium join:2000-06-12 Denton, TX
·Verizon FIOS
| reply to dom6791 For an easy way to see if any users have a root account I run this simple script.
#!/bin/bash
echo =====
echo The following accounts have root access:
echo =====
cut /etc/passwd -f1,3 -d: | grep :0 | cut -f1 -d:
Then I add a cron job to run it weekly and pipe the output of the script to mail myusername@drunkula.net -s "Weekly root report". That way I get a weekly email and will easily see if anybody added themselves as a root account. It can be useful if your systems are used by lots of people.
Most likely there is a more elegant way to do it (I'm no shell programmer). Still it works well enough. -- New owner of the "drunkula.net" domain. [text was edited by author 2003-03-05 22:34:20] |
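The same audit, written here as an added example rather than Drunkula's own script, compares the UID field numerically with awk instead of grepping for the substring ":0", and also reports accounts that share a UID, since a second UID-0 entry is the usual way an extra root account hides. It assumes only a POSIX shell with awk and mktemp; the passwd lines it writes are constructed for the example, and on a real host you would point the functions at /etc/passwd.

```shell
#!/bin/sh
# Added example (not Drunkula's script): report UID-0 accounts from a
# passwd-format file, comparing the UID field numerically with awk instead of
# grepping for the substring ":0".  The sample passwd below is constructed
# for this example; point the functions at /etc/passwd on a real host.

# Login names of every account whose numeric UID is 0 (each one is root).
root_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that share a UID with another account, printed as "UID: name name".
# Two entries with the same UID are one identity to the kernel, so an extra
# UID-0 entry is the classic way a backdoor account hides in plain sight.
shared_uid_accounts() {
    awk -F: '{ names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (uid in count) if (count[uid] > 1) print uid ":" names[uid] }' "$1"
}

# The banner-style report, suitable for piping into mail from a weekly cron job.
root_report() {
    echo =====
    echo "The following accounts have root access (UID 0):"
    echo =====
    root_accounts "$1"
}

# Write the constructed sample passwd to a temporary file and print its path.
write_sample_passwd() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
toor:x:0:0:second root account:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
EOF
    printf '%s\n' "$_f"
}

# Stand-alone demonstration on the sample file.
demo_file=$(write_sample_passwd)
root_report "$demo_file"
shared_uid_accounts "$demo_file"
rm -f "$demo_file"
```

Run as-is it reports both root and toor from the sample, and "0: root toor" from the shared-UID check; for the weekly mail, replace the sample path with /etc/passwd and pipe root_report into mail as in the post above.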
|
  thorgod I've modeled explosions, BIG explosions
join:2001-07-30 Las Vegas, NV
·Embarq
| reply to dom6791 So this is pretty well known but it's one of those *tricks* not many know or remember:
Ok, let's say you're logged into a system that doesn't have a text editor installed at all or that you like, what do you do? (don't laugh, this will happen to you) Anyway, what you do is use cat as a file editor. Pretty much you cat >> file and then input whatever text and end the file with a Ctrl+D. Everything you have written then is in the file (actually, it should be appended to the file).
Get good with sed, awk, perl or whatever and you'll be able to edit any file anytime this way Or...well there's a billion ways to do things in Linux, I'm sure you all get the point by now heh -- "Unix gives you enough rope to shoot yourself in the foot." |
|
  fritzmp Biker Tux Premium join:2001-08-29 Warrenton, VA clubs:
| reply to severely depressed said by severely depressed: Since you bring up the sshd_config script, I do have a question.
Can you prohibit the login of other users besides root this way? If so, how?
I ask because my leetle old mother, complete with foo-foo dog (pomeranian), insists on simple login passwords. She claims to be feeble minded (-heh-). So I'd like to have remote access for me via 'ssh' and prohibit remote login of all other users on her machine.
TIA
You can
edit and add to /etc/pam.d/login
auth required /lib/security/pam_listfile.so onerr=succeed item=user sense=deny file=/etc/nologinusers
vi /etc/nologinusers
and users one per line you wish to deny access
easier and better
edit /etc/security/access.config add
-:ALL EXCEPT you_user_or_group
This is good to use with the previous post above.
PAM is pretty versatile and you can restrict or allow by day, time and location as well as by users and groups. -- NTFS Killed My Parents. Get Freed A small band of FreeBSD users are working together in the shadows, observing, honing their skills, building their numbers, and plotting their future.
[text was edited by author 2003-03-05 22:58:03] |
|
  cwnorris
join:2000-01-17 Longmont, CO
·Mesa Networks
| said by fritzmp : You can
edit and add to /etc/pam.d/login
easier and better
edit /etc/security/access.config
This is good to use with the previous post above.
If you don't use PAM or are running a distro that doesn't have /etc/security/access.conf (Slack has neither), you can use the sshd_config to set this: AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. |
|
  KE7JFF SKU CHECK
join:2001-12-01 Hillsboro, OR | reply to severely depressed Having Problems with the kernel or hardware? Use this command:
tail /var/log/messages
it shows what's going on with the kernel, as well as some other system activities. |
|
  Viggen93 Premium,VIP join:2002-04-16 Hamilton, ON
·Cogeco Cable
| reply to dom6791 Wireless cards can be configured using the iwconfig (as opposed to ifconfig for wired cards) located in the /sbin directory. For example, I was pretty beefed that I only connected at 2Mbps when the basestation lives in the next room, so I used "iwconfig eth0 rate 11M" to change it, once I verified it works, I added the correct settings to the wireless.opts file so it would use 11Mbps upon every boot.
Also when editing configuration files where I am not 100% sure of the end result I add comments telling me what I did, what the old values were and why I changed the value (comments in config files start with #), that way if the changes aren't what I anticipated I can easily change them back.
And, as always, google is your friend!!! -- Isn't air travel wonderful? Breakfast in London, dinner in New York,luggage in Brazil. |
|
 MrH
join:2001-07-18 Lynnwood, WA | reply to dom6791 my most favorite, quick reformat 
rm -fr /
weeee
oh and my other fav command is
shutdown -r now
weeee |
|
  Viggen93 Premium,VIP join:2002-04-16 Hamilton, ON
·Cogeco Cable
| reply to dom6791 To the linux newbie, DO NOT take MrH's first tip seriously unless you want to remove your entire OS. It's like me telling someone who can't remember their e-mail password to "use the windows password recovery utility fdisk /mbr". Though I will admit, the shutdown command is useful. -- Isn't air travel wonderful? Breakfast in London, dinner in New York, luggage in Brazil. |
|
  bbrkdub
join:2001-10-03 Houston, TX
·Comcast
| reply to KE7JFF quote: Having Problems with the kernel or hardware? Use this command:
tail /var/log/messages
Don't forget you can watch for data as it's being appended.
# tail -f *logfile* -- Hope this helps... |
|
  rocketspeed No Tag Premium join:2000-01-24 Murrieta, CA | reply to fritzmp Great tip ---
Seems like Mandrake 9 enables root login by default. I have been asked during installation on other installs whether or not to allow root login.
Just don't forget to restart the sshd .
> service sshd restart |
|
  linicx Caveat Emptor Premium join:2002-12-03 United State
·CenturyLink
| reply to dom6791 Once upon a time the ifup command was used to open the modem and start a private chat session, and the ifdown command was used to close the modem. You might want to check if it is still valid. It's been 3-4 years since I had a Linux machine.
Cheers! |
|
  seriously depressed
@covad.net
| reply to cwnorris This was the clue I was looking for. And wonder of wonders, after I read your post, it occurred to me to look at:
# man sshd_config
And I found what you were quoting from.
For some reason, I assumed all the comments in sshd_config were all the documentation there was ...
Doh!
And thank you  |
|
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ
·Optimum Online
| reply to rocketspeed said by rocketspeed :
Just don't forget to restart the sshd .
> service sshd restart
Not to dis the Linux distros or anything, but if you want to "grow beyond" the "service blah blah" scripts and restart daemons, there are other ways to do this. Perhaps one day you'll have to work on a system (linux or otherwise) that does not have a bunch of rc.d scripts.
Many daemons like to put files in "/var/run/". You'll probably find something like "/var/run/sshd.pid". Other daemons may have similarly named files there; i.e.: daemonname.pid.
Let's say you want to HUP sshd to have it re-read its config (this will NOT kill your current connection). You can do something like this:
kill -HUP `cat /var/run/sshd.pid`
That results in sending the sshd process a HUP signal. The stuff between the backticks will be executed, so this is the equivalent of "cat'ing" the /var/run/sshd.pid file, reading the result (which is just the process id of the parent sshd process) and then typing "kill -HUP xxx".
To follow on to Steve's xargs madness, let's say you've got some daemon process that is just running away. It's spawning more and more processes and "service blah stop" is not doing anything for you. Here's a cute way to kill all of those processes with the "big hammer":
ps -auxwww | grep "daemonname" | awk '{print $2}' | xargs kill -9
That will seek out all processes running named "daemonname", awk is snatching the second column that has the pid number, and xargs passes that as an argument to the big hammer called "kill -9". Use that one wisely, or start with a "-1". You can match on anything in the ps output as well, such as a particular username. I use a lot of "w's" with ps in case the program is started with an insanely long path. |
|
  Eatmeingreek Gentard
join:2001-06-29 San Francisco, CA
| said by sporkme :
ps -auxwww | grep "daemonname" | awk '{print $2}' | xargs kill -9
Not to nitpick, but "-aux" are the correct ps switches for BSDish Unices ( sporkme is down with *BSD.) For AT&Tish Unices I suggest "-efa". I believe Linux won't choke on "-aux", but I'm pretty sure Solaris will. -- We must destroy liberty to make the homeland safe for democracy |
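The two operations from sporkme's post, reworked as an added example (not sporkme's or Eatmeingreek's commands) with the rough edges filed off. The pid read from a pid file is checked to be a single positive integer before it ever reaches kill, so an empty or corrupted file cannot turn into a bare "kill -HUP" or, worse, "kill 0", which signals the whole process group. Processes are selected by comparing the basename of the COMMAND column of BSD-style `ps aux` output exactly, so the grep itself, a user account that happens to share the daemon's name, and commands that merely contain the name are left alone; it assumes the BSD column layout Eatmeingreek mentions (Linux procps and the BSDs), and the ps output it parses is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): safer versions of "kill -HUP `cat pidfile`"
# and "ps | grep name | awk | xargs kill".  Assumes BSD-style `ps aux` columns
# (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).  The ps output in
# SAMPLE_PS is constructed for this example.

# Print the pid stored in pid file $1; fail if the file is missing, empty,
# holds anything but one positive integer, or holds 0 (kill 0 = process group).
pid_from_file() {
    [ -r "$1" ] || return 1
    _pid=''; _rest=''
    read -r _pid _rest < "$1" || [ -n "$_pid" ] || return 1
    case $_pid in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    [ -z "$_rest" ] || return 1
    printf '%s\n' "$_pid"
}

# The pipeline from the thread, as a function, for comparison: any line that
# contains the name anywhere is taken, including the grep itself.
naive_pids() {
    grep "$1" | awk '{ print $2 }'
}

# Read `ps aux`-style output on stdin; print the pids whose command (basename
# of the first word of the COMMAND column, field 11) is exactly $1.  The
# header line is skipped.
pids_for_command() {
    awk -v name="$1" 'NR > 1 { cmd = $11; sub(/.*\//, "", cmd); if (cmd == name) print $2 }'
}

# Send signal $1 (HUP, TERM, ...) to the process recorded in pid file $2.
signal_pidfile() {
    _p=$(pid_from_file "$2") || { echo "refusing: $2 does not hold a valid pid" >&2; return 1; }
    kill -"$1" "$_p"
}

# Send signal $1 to every process whose command is exactly $2.  Start with TERM
# or HUP and reach for KILL only if that does not work.  `xargs -r` (GNU and
# BSD xargs) skips running kill when nothing matched.
signal_by_name() {
    ps auxwww | pids_for_command "$2" | xargs -r kill -"$1"
}

# Constructed `ps aux` sample: two real mydaemon processes plus three decoys
# (the grep itself, a *user* named mydaemon, and a command containing the name).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       812  0.0  0.1   5000  1200 ?        Ss   10:00   0:00 /usr/local/sbin/mydaemon -c /etc/mydaemon.conf
root       813  0.0  0.1   5000  1200 ?        S    10:00   0:00 /usr/local/sbin/mydaemon -c /etc/mydaemon.conf
bob       1400  0.0  0.0   3000   700 pts/0    S+   10:02   0:00 grep mydaemon
mydaemon  1500  0.0  0.0   3000   700 ?        S    10:03   0:00 /bin/sleep 60
root      1600  0.0  0.0   6000  1100 ?        S    10:04   0:00 /opt/mydaemon-helper/bin/mydaemon-helper'

# Stand-alone demonstration: the two selections side by side.
echo "naive grep picks:  $(printf '%s\n' "$SAMPLE_PS" | naive_pids mydaemon | tr '\n' ' ')"
echo "exact match picks: $(printf '%s\n' "$SAMPLE_PS" | pids_for_command mydaemon | tr '\n' ' ')"
```

On the sample the naive pipeline picks 812, 813, 1400, 1500 and 1600, while the exact match picks only 812 and 813; `signal_pidfile HUP /var/run/sshd.pid` is the checked equivalent of sporkme's backtick command.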
|
  fritzmp Biker Tux Premium join:2001-08-29 Warrenton, VA clubs:
| reply to cwnorris said by cwnorris : said by fritzmp : You can
edit and add to /etc/pam.d/login
easier and better
edit /etc/security/access.config
This is good to use with the previous post above.
If you don't use PAM or are running a distro that doesn't have /etc/security/access.conf (Slack has neither), you can use the sshd_config to set this: AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
I was playing around and found that for ssh sessions cwnorris's method is the easiest and safest for no0bs.
NEXT BIG TIP
When working on tightening up authentication and security have Two Terminals Open because if you lock yourself out of your box you will then learn about single user login to recover. :)
PAM and Login will lock you out at the box, so take heed. -- NTFS Killed My Parents. Get Freed A small band of FreeBSD users are working together in the shadows, observing, honing their skills, building their numbers, and plotting their future. |
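A check that goes with the two-terminals advice and with cwnorris's AllowUsers quote, added here as an example (not from either post): before restarting sshd with a restrictive AllowUsers line, confirm that the account you intend to log back in with actually matches one of its patterns. It reuses the shell's own `case` globbing for the `*` and `?` wildcards the man page describes, and splits USER@HOST patterns into separately checked halves as the man page says sshd does. Assumptions of the example: only top-level AllowUsers lines are read (no Match blocks), the HOST half is compared against the literal name or address you pass in, and the sshd_config fragment it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): would USER [from HOST] pass the
# AllowUsers patterns in an sshd_config file?  Run it against the edited config
# before restarting sshd so the second terminal never has to save you.
# Assumptions: top-level AllowUsers lines only (no Match blocks); HOST is the
# literal host name or address you pass.  The sample config is constructed.

# Usage: allowusers_permits CONFIG USER [HOST]   -> exit status 0 if permitted.
allowusers_permits() {
    _cfg=$1; _user=$2; _host=${3:-}; _rc=1
    # Every pattern from every uncommented AllowUsers line (sshd_config keywords
    # are case-insensitive, so compare in lower case).
    _patterns=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$_cfg")
    if [ -z "$_patterns" ]; then
        _rc=0          # no AllowUsers at all: sshd admits every user
    else
        set -f         # keep the shell from expanding "*" patterns against file names
        for _pat in $_patterns; do
            case $_pat in
                *@*)   # USER@HOST: both halves must match, checked separately
                    _upat=${_pat%%@*}; _hpat=${_pat#*@}
                    case $_user in
                        $_upat) case $_host in $_hpat) _rc=0 ;; esac ;;
                    esac
                    ;;
                *)
                    case $_user in $_pat) _rc=0 ;; esac
                    ;;
            esac
            [ "$_rc" -eq 0 ] && break
        done
        set +f
    fi
    return $_rc
}

# Write the constructed sample sshd_config fragment to a temp file and print its path.
write_sample_sshd_config() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed sample: an sshd_config fragment with a restrictive AllowUsers line
Port 22
PermitRootLogin no
#AllowUsers everybody      (commented out, so ignored)
AllowUsers me admin? ops*@192.168.1.*
EOF
    printf '%s\n' "$_f"
}

# Human-readable wrapper for the pre-restart sanity check.
check_before_restart() {
    if allowusers_permits "$1" "$2" "${3:-}"; then
        echo "ok: $2${3:+@$3} would still be allowed by $1"
    else
        echo "STOP: $2${3:+@$3} is not matched by AllowUsers in $1; fix it before restarting sshd" >&2
        return 1
    fi
}

# Stand-alone demonstration on the sample config.
demo_cfg=$(write_sample_sshd_config)
check_before_restart "$demo_cfg" me
check_before_restart "$demo_cfg" root || true
rm -f "$demo_cfg"
```

With the sample line, "me", "admin7" and "ops1" coming from 192.168.1.50 pass, while "root", "admin77" (the `?` matches exactly one character) and "ops1" from any other address are refused; on a real host, run `check_before_restart /etc/ssh/sshd_config "$USER"` from the session you plan to keep.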
|
  shdesigns Powered By Infinite Improbabilty Drive Premium join:2000-12-01 Stone Mountain, GA
·Atlantic Nexus
| reply to dom6791 A lot of things need to be done as root. You can login as root, but often that is disabled for remote access.
Use the su command to switch to any user. With no parameters it selects root.
However, a common problem is to do:
home# su
That will switch you to the root user but will not get you a root login. Use:
home# su - (or -l)
That will load the root profile (- or -l does login.) Most importantly that gets you the root PATH so you can run sbin utilities without having to type the whole path.
Of course RTFM:
man su
man sudo ('do something as root') -- Scott Henion Embedded Systems Consultant, shenion on #ATU http://shdesigns.org |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| reply to fritzmp said by fritzmp : NEXT BIG TIP
When working on tightening up authentication and security have Two Terminals Open because if you lock yourself out of your box you will then learn about single user login to recover. :)
PAM and Login will lock you out at the box, so take heed.
Everybody learns this eventually, and the only question is "easy way" or "hard way"  |
|
  bgrundy
join:2002-01-25 Sykesville, MD
| reply to dom6791 Speaking of terminals... I posted this awhile back about using virtual terminals -- "If you continue to use Windows, your system may become unstable" --BSOD |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| reply to dom6791 The oldest UNIX FAQ I know about: "How do I remove a file whose name begins with a dash" (because the filename gets confused with an option), and the answer is to prefix it with dot-slash:
$ rm ./-troublesome-filename
|
|