- Posts: 3
- Thank you received: 0
SSH and winSCP
20 years 5 months ago #3859
by techi
SSH and winSCP was created by techi
Hi, im new to this forum and hope someone here can help me.
I have a RH9 system with SSH setup and three users who want to be able to access their files where ever they go.
They will be using Winscp to copy files over the internet.
my questions are:
1.how to i setup the permissions so that these users can only access their home folder nothting else, and only root will have access to the system folders?
2.what other security measures do i need to take so that only these three users can use the system and their communication (atleast passwords ) are enctypted.
3.what do i have to do to lock the root accont to only local logon.
appreciate any suggestions
Thanx
I have a RH9 system with SSH setup and three users who want to be able to access their files where ever they go.
They will be using Winscp to copy files over the internet.
my questions are:
1.how to i setup the permissions so that these users can only access their home folder nothting else, and only root will have access to the system folders?
2.what other security measures do i need to take so that only these three users can use the system and their communication (atleast passwords ) are enctypted.
3.what do i have to do to lock the root accont to only local logon.
appreciate any suggestions
Thanx
20 years 5 months ago #3860
by nske
Replied by nske on topic Re: SSH and winSCP
Hi,
1. It is simple enough, just create a group for each user (groupadd, usermod -g) and make sure the default permissions that will be applied to newly created files by each user will be have none permissions to "others" (umask) -notice that if a directory doesn't have e(x)ecute access, it can not be accessed regardless if it has (r)ead access.
2. All the exchanged info of the communication will be strongly encrypted in any case since you will be using the ssh protocol. I don't thing that you will have to worry about this normally. As for the proper permissions of the critical files & folders, it is a basic thing that each distribution I know sets fine (I am pretty sure redhat 9 as well). You could modify the permissions yourself though, in case you want to restrict even read access to non-critical configuration files of each application/service. You will find mostly anything in /etc/ folder.
3) Just modify your sshd_config file and use the parameter 'AllowUsers = user1 user2 user3' etc. You can also use the 'PermitRootLogin' setting it to 'no' (I thing that was the default of redhat). Also make sure 'UsePrivilegeSeparation' is set to 'yes', 'protocol' is set to '2' and 'compression' to 'yes' as well.
One final thing, especially in case your users are untrusted, you will want to make sure that your kernel is secure from local vulnerabilities that could result in unauthorized root access. Just follow the updates
1. It is simple enough, just create a group for each user (groupadd, usermod -g) and make sure the default permissions that will be applied to newly created files by each user will be have none permissions to "others" (umask) -notice that if a directory doesn't have e(x)ecute access, it can not be accessed regardless if it has (r)ead access.
2. All the exchanged info of the communication will be strongly encrypted in any case since you will be using the ssh protocol. I don't thing that you will have to worry about this normally. As for the proper permissions of the critical files & folders, it is a basic thing that each distribution I know sets fine (I am pretty sure redhat 9 as well). You could modify the permissions yourself though, in case you want to restrict even read access to non-critical configuration files of each application/service. You will find mostly anything in /etc/ folder.
3) Just modify your sshd_config file and use the parameter 'AllowUsers = user1 user2 user3' etc. You can also use the 'PermitRootLogin' setting it to 'no' (I thing that was the default of redhat). Also make sure 'UsePrivilegeSeparation' is set to 'yes', 'protocol' is set to '2' and 'compression' to 'yes' as well.
One final thing, especially in case your users are untrusted, you will want to make sure that your kernel is secure from local vulnerabilities that could result in unauthorized root access. Just follow the updates
20 years 5 months ago #3862
by nske
Replied by nske on topic Re: SSH and winSCP
There are no stupid questions, just stupid answers
You could change the permissions recursively (one folder after an other and it's content) with the -R option of chmod, still that's not a necessity since no simple user can write any configuration file by default, and no critical file i.e. /etc/shadow containing the password hashes can be read.
The most that the user can do with his default permissions is browse through, in example, your apache configuration file, which doesn't not contain any sensitive information -that is, information that could directly be used for unauthorized access. Well, of course a security maniac would disagree, with the moto that the fewer information are revealed about the system the more difficult it is to be penetrated, but I'd say that practically it is of no importance in this particular case, especially since we speak about users that allready have local access and the only thing standing between them and root access is the kernel's handling.
Of course you may want to apply other form of restrictions to your users, restrictions in your system's and network's resources (disk space, total bandwidth limit, bitrate limit, prohibit them from opening network sockets, running applications that you consider unwanted etc), but I guess you won't typically need to bother with that.
You could change the permissions recursively (one folder after an other and it's content) with the -R option of chmod, still that's not a necessity since no simple user can write any configuration file by default, and no critical file i.e. /etc/shadow containing the password hashes can be read.
The most that the user can do with his default permissions is browse through, in example, your apache configuration file, which doesn't not contain any sensitive information -that is, information that could directly be used for unauthorized access. Well, of course a security maniac would disagree, with the moto that the fewer information are revealed about the system the more difficult it is to be penetrated, but I'd say that practically it is of no importance in this particular case, especially since we speak about users that allready have local access and the only thing standing between them and root access is the kernel's handling.
Of course you may want to apply other form of restrictions to your users, restrictions in your system's and network's resources (disk space, total bandwidth limit, bitrate limit, prohibit them from opening network sockets, running applications that you consider unwanted etc), but I guess you won't typically need to bother with that.
Time to create page: 0.124 seconds