Dale (Site Admin)
Posted: Tue May 15, 2007 11:38 pm
Joined: Fri Oct 31, 2003 11:40 pm | Posts: 357 | Location: Irvine, Ca
md10md wrote: If you're worried about leaving root open, just use private key encryption for the ssh connection which WinSCP supports. I've used this since R5D1 and it's worked great.
Does not protect from ssh exploits (if any - ever). Whereas _not_ being able to login as root remotely is more secure.

md10md
Posted: Wed May 16, 2007 7:44 am
Joined: Sat Jun 25, 2005 7:39 pm | Posts: 162
Dale wrote:
    md10md wrote: If you're worried about leaving root open, just use private key encryption for the ssh connection which WinSCP supports. I've used this since R5D1 and it's worked great.
    Does not protect from ssh exploits (if any - ever). Whereas _not_ being able to login as root remotely is more secure.
Hmm... I suppose that's true but it does give me a modicum of protection.

bburtin
Posted: Thu May 17, 2007 6:07 pm
Joined: Sat Jan 03, 2004 3:43 pm | Posts: 64 | Location: Mountain View, CA
All security issues aside, wasn't convenience one of the main goals of KnoppMyth? I bet 98% of us run KnoppMyth behind a firewall, and the remaining 2% know Linux administration well enough to know how to configure ssh the way that they want to. I appreciate all the hard work that the KnoppMyth guys are putting in, but disabling ssh access for the mythtv user seems like more of a hassle than an improvement.
If someone could post the required change to sshd_config, I'd really appreciate it. Or I'll just wait until I get around to installing R5F1 and read the ssh man page...
Boris

Speed_D
Posted: Tue May 22, 2007 7:01 pm
Joined: Mon Feb 20, 2006 1:47 am | Posts: 31
Quote: You can open access with a limited IP range... See man sshd for the details.
You can (and probably should) also set up your /etc/hosts.deny and hosts.allow files to limit access to your machine. Also it isn't a bad idea to run your sshd on a nonstandard port.
If you have sshd on port 22 and it is accessible to the internet, it'll constantly get hammered with scans and attacks...
cat /var/log/auth.log
most of the time you'll quickly spot a large number of login attempts cycling through a dictionary of names. The net isn't a very friendly place these days.
Edit: small sample from my server:
root@bart:~# grep "refused connect" /var/log/auth.log
May 20 07:16:42 bart sshd[11997]: refused connect from 126.90.186.200.sta.impsat.net.br (::ffff:200.186.90.126)
May 20 07:27:13 bart sshd[12069]: refused connect from 126.90.186.200.sta.impsat.net.br (::ffff:200.186.90.126)
May 20 09:20:01 bart sshd[12270]: refused connect from ::ffff:60.191.88.138 (::ffff:60.191.88.138)
May 20 10:37:34 bart sshd[12376]: refused connect from ::ffff:59.74.112.9 (::ffff:59.74.112.9)
May 20 10:49:18 bart sshd[12389]: refused connect from ::ffff:59.74.112.9 (::ffff:59.74.112.9)
May 20 11:04:03 bart sshd[12392]: refused connect from ns3.pupr.edu (::ffff:208.234.55.5)
May 20 11:19:57 bart sshd[12476]: refused connect from ns3.pupr.edu (::ffff:208.234.55.5)
May 20 22:39:24 bart sshd[13618]: refused connect from ::ffff:222.73.0.109 (::ffff:222.73.0.109)
May 20 22:55:29 bart sshd[13623]: refused connect from ::ffff:222.73.0.109 (::ffff:222.73.0.109)
May 20 23:02:01 bart sshd[13624]: refused connect from ns.km21713.keymachine.de(::ffff:84.19.176.211)
... and it continues. Note that the refused connect is a result of the hosts.deny file. If you don't set it, then you'll see actual ssh login attempts, and the frequency of attempts will be much higher.
I'm posting this because I think many people are unaware of how much of this stuff goes on out there. KnoppMyth is supposed to be a convenient distro but I still believe basic security precautions should be turned on as the default.
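Added example (editor's code, not from this thread): a POSIX sh script that turns the grep Speed_D shows into a per-source summary of the two kinds of line sshd leaves in auth.log, "refused connect" when hosts.deny drops the connection and "Failed password" when there is no hosts.deny and the remote end reaches the login prompt, and that counts the "invalid user" failures which mark a username dictionary sweep. The log lines embedded in it are constructed with documentation-range addresses so it runs offline; point the functions at your own /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise ssh noise in an auth.log-style file.
# Two line shapes are handled:
#   "refused connect from X (addr)"              -> dropped by tcp_wrappers / hosts.deny
#   "Failed password for [invalid user] U from addr port N ssh2" -> reached the login prompt

# Constructed sample (documentation-range addresses), stands in for /var/log/auth.log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 20 07:16:42 bart sshd[11997]: refused connect from host1.example.net (::ffff:203.0.113.5)
May 20 07:27:13 bart sshd[12069]: refused connect from host1.example.net (::ffff:203.0.113.5)
May 20 09:20:01 bart sshd[12270]: refused connect from ::ffff:198.51.100.7 (::ffff:198.51.100.7)
May 21 03:12:07 bart sshd[13001]: Failed password for invalid user admin from ::ffff:203.0.113.9 port 53122 ssh2
May 21 03:12:09 bart sshd[13004]: Failed password for invalid user oracle from ::ffff:203.0.113.9 port 53130 ssh2
May 21 03:12:11 bart sshd[13007]: Failed password for root from ::ffff:203.0.113.9 port 53140 ssh2
May 21 03:40:02 bart sshd[13050]: Failed password for invalid user test from 198.51.100.7 port 40011 ssh2
May 21 08:40:44 bart sshd[13200]: Accepted publickey for eric from 192.168.1.20 port 50412 ssh2
EOF

# "refused connect" lines end in "(address)": pull the address, drop the
# IPv4-mapped "::ffff:" prefix, and count per source, busiest first.
refused_by_source() {
    grep 'sshd\[[0-9]*\]: refused connect from' "$1" \
    | sed -n 's/.*(\(::ffff:\)\{0,1\}\([0-9.]*\)).*/\2/p' \
    | sort | uniq -c | sort -rn
}

# Same summary for password failures (what you see without a hosts.deny entry).
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
    | sed -n 's/.* from \(::ffff:\)\{0,1\}\([0-9.]*\) port .*/\2/p' \
    | sort | uniq -c | sort -rn
}

# Failures for accounts that do not exist on the box: the signature of a
# username dictionary sweep. grep -c prints 0 (and exits 1) on no match.
invalid_user_attempts() {
    grep -c 'Failed password for invalid user' "$1" || true
}

# Successful logins, so the noise above can be compared with real use.
accepted_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted ' "$1" || true
}

echo "== refused by hosts.deny, per source =="; refused_by_source "$SAMPLE_LOG"
echo "== failed passwords, per source ==";      failed_by_source "$SAMPLE_LOG"
echo "dictionary (invalid user) attempts: $(invalid_user_attempts "$SAMPLE_LOG")"
echo "accepted logins: $(accepted_logins "$SAMPLE_LOG")"
```

On a real box the interesting check is the ratio between the last two numbers: a handful of accepted logins against hundreds of invalid-user failures from a few addresses is exactly the picture Speed_D describes, and those addresses are the candidates for hosts.deny.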

Speed_D
Posted: Tue May 22, 2007 7:18 pm
Joined: Mon Feb 20, 2006 1:47 am | Posts: 31
Also as far as ssh / scp go (or WinSCP)... most (all?) of the stuff on the /myth partition belongs to the mythtv user and mythtv group.
The normal non-root user that you create on the system can be added to that group. Then you can log in as that user on WinSCP and you should be able to copy video-related files just about anywhere you need to.

neutron68
Posted: Mon Aug 20, 2007 10:01 pm
Joined: Tue Mar 28, 2006 8:26 pm | Posts: 804 | Location: Minneapolis, MN
Speed_D wrote: The normal non-root user that you create on the system can be added to that group. Then you can log in as that user on WinSCP and you should be able to copy video-related files just about anywhere you need to.
That sounds good. What steps do you need to perform to accomplish this? Please be complete in your answer.
neutron68 wrote: Can I create a user and give that user root privileges, so I can work around the ssh blockage of the root account?
I looked up the useradd command in the man pages.
Let's face it, the man pages don't give examples to show usage, which makes them less useful.
So, if I use the "useradd abcde" command, how do I assign root privileges to user abcde?
_________________ KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner

bruce_s01
Posted: Tue Aug 21, 2007 6:28 am
Joined: Tue Aug 08, 2006 7:08 pm | Posts: 561 | Location: UK
If you need to run as root, you either su or use sudo; there is no, repeat no, reason to assign a user account root-equivalent privileges.
Bruce S.
_________________ Updated 2019/10/26: AthlonII X2 265 Gigabyte GA-970A-DS3P 16Gb PC 1866 DDR3, 500GB+2TB+4TB SATA HDD, SATA DVD-RW Asus DRW-24D5MT, NVIDIA GeForce GT1080 Hauppauge Nova-T 500, Nova-T LinHes R8.6.1

tjc
Posted: Tue Aug 21, 2007 6:35 am
Joined: Thu Mar 25, 2004 11:00 am | Posts: 9551 | Location: Arlington, MA
Not to mention that it causes the same problem as letting "root" login remotely. With apologies to Shakespeare - "A root by any other name is still a root".

neutron68
Posted: Tue Aug 21, 2007 8:08 am
Joined: Tue Mar 28, 2006 8:26 pm | Posts: 804 | Location: Minneapolis, MN
Well, I still have a reason for wanting a workaround - WinSCP.
On page 1 of this thread, I explained:
neutron68 wrote: I am able to ssh into the machine with a user account and then issue the 'su' command and login as root. That works ok in ssh, but I can't do that in WinSCP. When you log into WinSCP, you can only use that particular account, as far as I can tell.
As I understand the various options:
1. open up ssh so that root isn't banned from ssh login
2. move SSH to a non-standard port to protect it from Internet probes
3. make your general user part of the mythtv group so it can read/write to the /myth partition where the video files live
4. give your general user root privileges so it can read/write to the /myth partition
I know how to do #1 and I know it's a dangerous option, and would prefer not to use it.
I understand that #4 is also a dangerous option and I would prefer not to use it.
Options #2 and #3 seem the way to go.
So, if someone could see their way to explaining, the community would benefit.
Thanks!
Eric
_________________ KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner

cecil (Site Admin)
Posted: Tue Aug 21, 2007 9:21 am
Joined: Fri Sep 19, 2003 6:37 pm | Posts: 2659 | Location: Whittier, Ca
Why would one have to be root to use SCP?

md10md
Posted: Tue Aug 21, 2007 9:24 am
Joined: Sat Jun 25, 2005 7:39 pm | Posts: 162
cecil wrote: Why would one have to be root to use SCP?
So you can move/edit/create everything. WinSCP and other similar tools (from what I've found) don't let you switch users like ssh.

neutron68
Posted: Tue Aug 21, 2007 9:30 am
Joined: Tue Mar 28, 2006 8:26 pm | Posts: 804 | Location: Minneapolis, MN
md10md wrote: So you can move/edit/create everything. WinSCP and other similar tools (from what I've found) don't let you switch users like ssh.
EXACTLY!  This is why a workaround is needed.
(emoticon added later to indicate tone of comment)
_________________ KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner
Last edited by neutron68 on Tue Aug 21, 2007 7:18 pm, edited 1 time in total.

cecil (Site Admin)
Posted: Tue Aug 21, 2007 9:39 am
Joined: Fri Sep 19, 2003 6:37 pm | Posts: 2659 | Location: Whittier, Ca
No need to scream or get excited. Since you want to do the above as root, you obviously don't care about security. Edit /etc/ssh/sshd_config, remove the last two lines. Restart ssh.

neutron68
Posted: Tue Aug 21, 2007 9:44 am
Joined: Tue Mar 28, 2006 8:26 pm | Posts: 804 | Location: Minneapolis, MN
Sorry about that. I didn't mean to imply shouting - just emphasis.
I DO care about security and would like to keep root banned from SSH if possible. That is why I have asked for how-to help with several workarounds, including:
- move SSH to a non-standard port number to hide it from Internet probes
- make your general user part of the mythtv group so it can read/write to the /myth partition using WinSCP
On changing the ssh port number:
As root, do you just edit the /etc/ssh/sshd_config file to change the line "port 22" to some other port number and then issue the "/etc/init.d/ssh restart" command?
On adding your general user to the mythtv group:
As root, do you just edit the /etc/group file and add the general user name to the end of one of those groups? If so, which one?
To refresh you, the goal is to give the general user read/write access to the /myth partition.
_________________ KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner

Kirk
Posted: Tue Aug 21, 2007 8:33 pm
Joined: Mon Mar 13, 2006 2:28 am | Posts: 143 | Location: Brisbane, Australia
neutron68 wrote: On changing the ssh port number: As root, do you just edit the /etc/ssh/sshd_config file to change the line "port 22" to some other port number and then issue the "/etc/init.d/ssh restart" command?
Yep. That method is called security through obscurity, and has its disadvantages.
neutron68 wrote: On adding your general user to the mythtv group: As root, do you just edit the /etc/group file and add the general user name to the end of one of those groups? If so, which one?
You could, but probably better to issue a usermod command.
Code: usermod -a -G mythtv neutron68   # -a (append) is only valid together with -G
Then you've got to ensure that the group permissions are correct.
You're behind a firewall, why not just use the myth account?
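Added example (editor's code, not from this thread and not KnoppMyth's own scripts) covering the options Kirk endorses here and Speed_D described earlier: moving sshd to another port, giving the ordinary account membership of the mythtv group, and checking that /myth really is group-writable, with PermitRootLogin no and an AllowUsers line set at the same time, since those two sshd_config options are what keep root out of ssh while the ordinary account still gets in. Everything runs on constructed copies in a temporary directory; the user names, the port number 2222, and the sample sshd_config and /etc/group contents are assumptions made for the demonstration. Point the functions at the real files as root when ready, then run /etc/init.d/ssh restart.

```shell
#!/bin/sh
# Added example, not from the thread. Each function takes a path, so it can be
# rehearsed on a copy (below) before touching /etc/ssh/sshd_config or /etc/group.

# Set "Key Value" in an sshd_config-style file. The first matching line, active or
# commented out ("#Port 22"), is replaced; a later active duplicate is commented
# out (sshd honours the first occurrence); an absent key is appended. Keys are
# compared case-insensitively, as sshd does. Not aware of Match blocks.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { want = tolower(key) }
        {
            line = $0
            sub(/^[#[:space:]]+/, "", line)           # strip leading "#" and blanks
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == want) {
                if (!done)                      { print key " " value; done = 1 }
                else if ($0 ~ /^[[:space:]]*#/) { print }
                else                            { print "# " $0 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Let sshd validate the result before restarting it (sshd -t returns 0 when the
# file parses; it also needs readable host keys, so run it as root). Skipped
# where sshd is not installed.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed; skipping check" >&2; return 0; }
    sshd -t -f "$1"
}

# Is USER listed as a supplementary member of GROUP in an /etc/group-style file?
# usermod -a -G GROUP USER is what puts the name there; a user whose primary
# group (from /etc/passwd) is GROUP will not appear in this list.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$3"
}

# Everything under DIR without the group write bit (020): the files a group
# member cannot overwrite, and the directories they cannot create or delete in.
not_group_writable() {
    find "$1" ! -perm -020 | sort
}

# --- rehearsal on constructed copies ---------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CFG=$WORK/sshd_config
cat > "$CFG" <<'EOF'
# constructed sample in the style of a stock sshd_config (not KnoppMyth's file)
#Port 22
Protocol 2
#PermitRootLogin yes
X11Forwarding no
EOF
set_sshd_option "$CFG" Port 2222
set_sshd_option "$CFG" PermitRootLogin no
set_sshd_option "$CFG" AllowUsers neutron68        # root is not listed, so root cannot log in
check_sshd_config "$CFG" || echo "sshd rejected $CFG" >&2

GROUPS_FILE=$WORK/group                            # as if after: usermod -a -G mythtv neutron68
printf 'mythtv:x:1001:neutron68\nvideo:x:44:\n' > "$GROUPS_FILE"

MYTH=$WORK/myth                                    # stand-in for the /myth partition
mkdir -p "$MYTH/video"
chmod 2775 "$MYTH" "$MYTH/video"                   # setgid: new files inherit the directory's group
: > "$MYTH/video/new.mpg"; chmod 664 "$MYTH/video/new.mpg"
: > "$MYTH/video/old.mpg"; chmod 644 "$MYTH/video/old.mpg"   # group cannot overwrite this one

cat "$CFG"
user_in_group neutron68 mythtv "$GROUPS_FILE" && echo "neutron68 is in mythtv"
echo "not group-writable under $MYTH:"; not_group_writable "$MYTH"
```

Supplementary groups are read at login, so after the real usermod the user has to start a new WinSCP session before the mythtv membership applies; the setgid bit on the directories keeps files created later by either side in the mythtv group instead of the creator's primary group, which is the part of "ensure the group permissions are correct" that is easy to forget.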