friendica.eskimo.com

Welcome to Friendica.Eskimo.Com

Home of Censorship Free Hosting

 Eskimo North Linux Shells, E-mail, Virtual Machines, Web Hosting.

E-mail, Web Hosting, Linux Shell Accounts terminal or full remote desktops.

Sign Up For A Free Trial Here

Please tell your friends about federated social media site that speaks several fediverse protocols thus serving as a hub uniting them, hubzilla.eskimo.com, also check out friendica.eskimo.com, federated macroblogging social media site, mastodon.eskimo.com a federated microblogging site, and yacy.eskimo.com an uncensored federated search engine. All Free!
Sandal6823
Sandal6823 via Linux lemmy

Why disable ssh login with root on a server if I only log in with keys, not password?

On a server I have a public key auth only for root account. Is there any point of logging in with a different account?
This entry was edited (2 days ago)
Link to source
106 5
rtxn
rtxn lemmy
It's another slice of Swiss cheese. If the user has a strong enough password or other authentication method through PAM, it might stop or hinder an attacker who might only have a compromised private key, for example. If multiple users have access to the same server and one of them is compromised, the account can be disabled without completely crippling the system.

model used in risk analysis and risk management illustrates that, with layered security, each layer provides protection from certain types of attacks but has weaknesses

Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
This entry was edited (2 days ago)
Link to source
13
Nanook
Nanook friendica (DFRN)
You can disasble passwords so ONLY keys work, and you can firewall ssh to ONLY IPs you originate from.
Link to source
grrgyle
grrgyle lemmy

Just don't forget to check if your IP has changed if ssh suddenly starts timing out with no error indication no matter what you do and oh god what is actually wrong

I think there's a way to setup an alert for this.

Link to source
0x0
0x0 lemmy
Or use port-knocking.
Link to source
truthfultemporarily
truthfultemporarily lemmy

Its a concept called defense in depth. Without root login now you require the key AND sudo password.

Also, outside of self hosted you will have multiple people logging in. You want them to log in with their own users for logging and permission management.

Link to source
43 1
ShortN0te
ShortN0te lemmy
The sudo password can be easily extracted by modifying the bashrc.
Link to source
Lemmchen
Lemmchen lemmy
And who is going to edit your .bashrc?
Link to source
ShortN0te
ShortN0te lemmy
The attacker that is currently with user privileges on the server?
Link to source
7 9
Lemmchen
Lemmchen lemmy
How did the attacker gain your user's privileges? Malware-infected user installation? A vulnerability in genuine software running as your user? In most scenarios these things only become worse when running root instead.
This entry was edited (2 days ago)
Link to source
13 4
ShortN0te
ShortN0te lemmy

The scenario OC stated is that if the attacker has access to the user on the server then the attacker would still need the sudo password in order to get root privileges, contrary to direct root login where the attack has direct access to root privileges.

So, now i am looking into this scenario where the attack is on the server with the user privileges: the attacker now modifies for example the bashrc to alias sudo to extract the password once the user runs sudo.

So the sudo password does not have any meaningful protection, other then maybe adding a time variable which is when the user accesses the server and runs sudo

Link to source
8 3
miss_demeanour
miss_demeanour lemmy
Simple solution is to not use sudo.
Sorta like Slackware's default.
Link to source
ShortN0te
ShortN0te lemmy
And what do you suggest to use otherwise to maintain a server? I am not aware of a solution that would help here? As an attacker you could easily alias any command or even start a modified shell that logs ever keystroke and simulates the default bash/zsh or whatever.
Link to source
miss_demeanour
miss_demeanour lemmy
$ su -
Link to source
ShortN0te
ShortN0te lemmy
And how would you not be able to hijack the password when you have control over the user session?
Link to source
slothrop
slothrop lemmy
You would have to know the root password.
Link to source
ShortN0te
ShortN0te lemmy
With aliases in the bashrc you can hijack any command and execute instead of the command any arbitrary commands.
So the command can be extracted, as already stated above, this is not a weakness of sudo but a general one.
Link to source
slothrop
slothrop lemmy
You would have to KNOW the root password.
Link to source
ShortN0te
ShortN0te lemmy
No you can alias that command and hijack the password promt via bashrc and then you have the root password as soon as the user enters it.
Link to source
4 4
miss_demeanour
miss_demeanour lemmy
As root:
  # chattr +i /home/ShortN0te/.bashrc

Anything else?
This entry was edited (2 days ago)
Link to source
4
JasonDJ
JasonDJ lemmy
Nah just set up PAM to use TOTP or a third party MFA service to send a push to your phone for sudo privs.
Link to source
miss_demeanour
miss_demeanour lemmy
...and if you don't have your phone attached to your hand...?
Link to source
3 2
JasonDJ
JasonDJ lemmy

I...I don't understand the question.

Also, yubikey or any other token. Plenty of MFA options compatible with sudo.

This entry was edited (2 days ago)
Link to source
1 6
4am
4am lemmy

Then you can’t gain root privileges on your server. Are you really arguing for less security because it’s inconvenient?

This is end-user behavior and it’s honestly embarrassing. You should realize your security posture is much more important than “I left my phone on the other room”

Link to source
miss_demeanour
miss_demeanour lemmy
ffs...am I dealing with children here?
You've accessed your server as a user, and then you su - to root.
You don't need a phone or a yubi or a dreamcatcher, or a unicorn.
Please stop with your pretension.
You're so far out of your league that it's embarrassing to me that I've bothered to answer.
Link to source
1 1
JasonDJ
JasonDJ lemmy

There must at least be MFA somewhere on the path then.

Even just keys, I wouldn't trust, unless they are stored on smartcards or some other physical "something I have", and centrally managed so they can be revoked and rotated. Too many people use unprotected SSH keys.

Link to source
1
WheelchairArtist
WheelchairArtist lemmy
that's why root owns my .bash* stuff
Link to source
SavvyWolf
SavvyWolf lemmy
I don't think that actually works; the attacker could just remove .bashrc and create a new file with the same name.
Link to source
2ndSkin
2ndSkin lemmy
If the .bashrc is immutable, the attacker can't remove it.
That's how it works.
Link to source
SavvyWolf
SavvyWolf lemmy
The home directory would need to be immutable, not bashrc.
Link to source
1
2ndSkin
2ndSkin lemmy

?

It's .bashrc, not bashrc, and .bashrc is in the home directory.
If .bashrc is immutable, it can't be removed from home.

This entry was edited (1 day ago)
Link to source
3
Nanook
Nanook friendica (DFRN)
@ShortN0te @truthfultemporarily What does sudo have to do with ssh keys?
Link to source
BrianTheeBiscuiteer
BrianTheeBiscuiteer lemmy
Doesn't even have to be the key necessarily. Could get in via some exploit first. Either way taking over the machine became a 2-step process.
Link to source
3
☂️-
☂️- lemmy

you would need 2 different exploits for 2 different types of attack though.

its always good to have an extra layer of "oh shit i need another exploit". unless your threat modelling includes nation-states, that is.

This entry was edited (1 day ago)
Link to source
1
lordnikon
lordnikon lemmy
Yes it's always better to login with a user and sudo so your commands are logged also having disable passwords for ssh but still using passwords for sudo gives you the best protection
Link to source
7
grrgyle
grrgyle lemmy

Also double check that sudo is the right command, by doing which sudo. Something I just learned to be paranoid of in this thread.

Unless which is also compromised, my god…

This entry was edited (2 days ago)
Link to source
4
sludgewife
sludgewife lemmy

which sudo will check $PATH directories and return the first match, true. however when you type sudo and hit enter your shell will look for aliases and shell functions before searching $PATH.

to see how your shell will execute 'sudo', say type sudo (zsh/bash). to skip aliases/functions/builtins say command sudo

meh nvm none of these work if your shell is compromised. you're sending bytes to the attacker at that point. they can make you believe anything

This entry was edited (2 days ago)
Link to source
1
ShortN0te
ShortN0te lemmy
Nope, not really. The only reason ppl recommend it is, because "you have then to guess the username too". Which is just not relevant if you use strong authentication method like keys or only strong passwords.
Link to source
4am
4am lemmy

That is absolutely not the reason ANYONE recommends it, unless you are a complete noob and entirely unfamiliar with computer security at all, and are just pulling assumptions out of your ass. Don’t fucking do that, don’t post with confidence when you’re just making shit up because you think you know better. Because you don’t.

If there is a vulnerability in SSH (and it’s happened before), attackers could use that to get into root directly, quickly, and easily. It’s an instant own.

If root login is disabled, it’s way less likely that whatever bug it is ALSO allows them to bypass root login being disabled. Now they have to yeah, find a user account, compromise that, try to key log or session hijack or whatever they set up, be successful, and elevate to root. That’s WAY more work, way more time to detect, to install patches.

If the effort is higher, then this kind of attack isn’t going to be used to own small fry servers; it’s only be worth it for bigger targets, even if they’re more well protected.

If you leave root enabled, you’re already burnt. You’re already a bot in the DDoS network.

And why? You couldn’t be bothered to type one extra command in your terminal? One extra word at the start of each command?

Sorry bitch, eat your fucking vegetables

This entry was edited (2 days ago)
Link to source
3
SirMaple__
SirMaple__ lemmy
The smaller the attach surface the better. Bugs and vulnerabilities can come along any time down the road better to be ahead of the game. Always keep the SSH app and firewall up to date. Plus by using a key on a normal user account and not root you also add another auth step when entering sudo or su - root.
This entry was edited (2 days ago)
Link to source
deadbeef79000
deadbeef79000 lemmy
That server's root access is now vulnerable to a compromise of the systems that have the private key.
Link to source
8
BCsven
BCsven lemmy
Only the server should have the private key. Why would other systems have the private key?
Link to source
forbiddenlake
forbiddenlake lemmy

The client has the private key, the server has the corresponding public key in its authorized keys file.

The server is vulnerable to the private key getting stolen from the client.

Link to source
8
☂️-
☂️- lemmy
it is also vulnerable to whatever ssh exploits can bypass the key
Link to source
x00z
x00z lemmy
Finding an exploit in ssh is worth more than whatever your server has to offer though.
Link to source
1
☂️-
☂️- lemmy

thats a good point. unless you forget to update it in a timely manner.

that includes most servers out there ime, so

This entry was edited (1 day ago)
Link to source
HiddenLayer555
HiddenLayer555 lemmy
A door with the best lock possible is still not as secure as no door at all
This entry was edited (1 day ago)
Link to source
17 1