LinHES Forums http://forum.linhes.org/ |
R5F1 security workaround - FOUND! http://forum.linhes.org/viewtopic.php?f=6&t=15204 |
Page 1 of 3 |
Author: | neutron68 [ Sat May 12, 2007 7:15 pm ] |
Post subject: | R5F1 security workaround - FOUND! |
I understand the reasons that users root and mythtv were disabled in ssh in version R5F1. I use WinSCP as a GUI file browser for the Knoppmyth box, so I would like to be able to log in with root privileges using WinSCP. Can I create a user and give that user root privileges, so I can work around the ssh blockage of the root account? Hopeful, Eric |
Author: | slowtolearn [ Sat May 12, 2007 7:26 pm ] |
Post subject: | Re: R5F1 security workaround? |
neutron68 wrote: I understand the reasons that users root and mythtv were disabled in ssh in version R5F1.
I haven't had a chance to install R5F1, but you should be able to login via SSH as a normal user and su to root. If that isn't to your liking, take a look through /etc/ssh/sshd_config (assuming R5F1 still uses OpenSSH, and the config file is still in the same location) for more options.
neutron68 wrote: I use WinSCP as a GUI file browser for the Knoppmyth box, so I would like to be able to log in with root privileges using WinSCP. Can I create a user and give that user root privileges, so I can work around the ssh blockage of the root account? Hopeful, Eric
If your question was how to add a user, check the man pages for useradd. |
Author: | Too Many Secrets [ Sat May 12, 2007 7:28 pm ] |
Post subject: | Re: R5F1 security workaround? |
slowtolearn wrote: neutron68 wrote: I understand the reasons that users root and mythtv were disabled in ssh in version R5F1. I haven't had a chance to install R5F1, but you should be able to login via SSH as a normal user and su to root. I use WinSCP as a GUI file browser for the Knoppmyth box, so I would like to be able to log in with root privileges using WinSCP. Can I create a user and give that user root privileges, so I can work around the ssh blockage of the root account? Hopeful, Eric
This worked for me. |
Author: | spalVl [ Sat May 12, 2007 7:36 pm ] |
Post subject: | |
But neutron68 is saying he uses WinSCP, not SSH. From the WinSCP page http://winscp.net/eng/docs/faq_su But you have to change your /etc/sudoers around to allow your install account to su without password or edit /etc/ssh/sshd_config to allow root like mentioned above. |
Author: | neutron68 [ Sat May 12, 2007 7:44 pm ] |
Post subject: | Re: R5F1 security workaround? |
I am able to ssh into the machine with a user account and then issue the 'su' command and login as root. That works ok in ssh, but I can't do that in WinSCP. When you log into WinSCP, you can only use that particular account, as far as I can tell.
slowtolearn wrote: If your question was how to add a user, check the man pages for useradd.
Well, not entirely. I was asking if it is possible to give another user account the root privileges. I am considering the following 2 workarounds:
1. edit the /etc/ssh/sshd_config to allow root to use ssh again or
2. create another account (call it 'god') and give 'god' root privileges.
With option 2, I can leave the root account banned from ssh and still have an account with a different name that also has root privileges. Eric |
Author: | slowtolearn [ Sat May 12, 2007 7:45 pm ] |
Post subject: | |
spalVl wrote: But neutron68 is saying he uses WinSCP, not SSH.
Absolutely right spa|V|, my bad. I saw "were disabled in ssh" and missed or overlooked the WinSCP reference.
Careful with changing the PermitRootLogin directive though, especially if the box is exposed to the 'net (which I assume it is). Best to allow the sudo method... EDIT: Although the sudo method doesn't seem to be very secure either! /EDIT |
Author: | slowtolearn [ Sat May 12, 2007 7:56 pm ] |
Post subject: | Re: R5F1 security workaround? |
neutron68 wrote: slowtolearn wrote: If your question was how to add a user, check the man pages for useradd. Well, not entirely. I was asking if it is possible to give another user account the root privileges. I am considering the following 2 workarounds: 1. edit the /etc/ssh/sshd_config to allow root to use ssh again or neutron68 wrote: 2. create another account (call it 'god') and give 'god' root privileges. With option 2, I can leave the root account banned from ssh and still have an account with a different name that also has root privileges. I can't see another option, given the FAQ spa|V| pointed to. Given this, I would use option 2, but make it an odd username and strong password. If you have the know-how you could allow root from within your LAN only with iptables/ipchains and go with option 1.
Eric Is there a reason you're using WinSCP? Is there a more secure way to do what you need? |
Author: | neutron68 [ Sat May 12, 2007 8:10 pm ] |
Post subject: | Re: R5F1 security workaround? |
slowtolearn wrote: Are your KM boxen behind a firewall? Yes they are. slowtolearn wrote: I can't see another option, given the FAQ spa|V| pointed to. Given this, I would use option 2, but make it an odd username and strong password.
Is there a reason you're using WinSCP? Is there a more secure way to do what you need? I use WinSCP like a graphic file browser. I really hate the command line interface when I'm searching various directories for a particular file or just taking inventory of what files are inside a particular directory. The command line just slows me down and gives me carpal tunnel syndrome. I also like to see all the filenames inside the window. So, WinSCP is a pretty quick and easy way to poke around many directories and see what files are located where. I kinda like the compromise aspect of option 2. Now, I just need to learn how to give root privileges to a regular user account with an odd username. Eric |
Author: | tjc [ Sat May 12, 2007 9:49 pm ] |
Post subject: | |
You can open access with a limited IP range... See man sshd for the details. |
Author: | crushinator [ Sun May 13, 2007 4:56 am ] |
Post subject: | Re: R5F1 security workaround? |
neutron68 wrote: I use WinSCP like a graphic file browser.
You could use a combination of putty, Xming, and a Linux graphical file manager (Konqueror?) to run a Linux file manager on your Windows computer in a client/server style. Sometimes I'll do this with Mythfrontend when I want to be simultaneously watching a program on the TV while messing around with another frontend on the Windows laptop. This seems like more work than your option #2, though. |
Author: | rsay [ Sun May 13, 2007 8:11 am ] |
Post subject: | |
I may not understand the security implications of this fully but... I don't see much difference between allowing root login from the internet and allowing a user to log in with root privileges from the internet. Either way, root or god can delete every file on your drive. The point of not allowing root access from the internet as far as I know is: The hacker has to figure out a valid username and user password to get in and then figure out the root password, which adds an extra layer of security. In other words allowing root login from the internet gives your intruder a valid username and makes the intruder break only 1 password instead of 2. Using your firewall to restrict which IP addresses can access your SSH port from the net and using a secure password that you don't use elsewhere would provide you greater security than preventing root login from your office computer imho. Also, investigating other tools for remote access to your computer would be time well spent. Lastly, remember that you can use all of your local graphical tools with ssh -X if you don't like the command line. |
Author: | umea [ Tue May 15, 2007 3:09 pm ] |
Post subject: | please help |
I often edit files with WinSCP. Maybe it's wrong, but it seems to work. So how do I do this change so I can log in as root from WinSCP with Putty? I need to log in as root with WinSCP to be able to change files. I hope you understand my problem, I'm a sort of newbie. |
Author: | Dale [ Tue May 15, 2007 5:05 pm ] |
Post subject: | |
rsay wrote: I may not understand the security implications of this fully but...
I don't see much difference between allowing root login from the internet and allowing a user to log in with root privileges from the internet. <snip> I am sorry, rsay that you don't understand the difference. There is a considerable difference between allowing a normal user to login (has to know his password) and then to su to root (knowing that password, also) than permitting _any_ login to root directly. Dale |
Author: | slowtolearn [ Tue May 15, 2007 5:52 pm ] |
Post subject: | Re: please help |
umea wrote: I often edit files with WinSCP. As it is a matter of security, I wouldn't recommend this to a newbie. man sshd_config will give you the information you need, but be sure you understand the security implications. Recommended reading: http://www.puschitz.com/SecuringLinux.shtml (RedHat-based, but good general information. Pay particular attention to the SSH related and "Restricting System Access...")
Maybe it's wrong, but it seems to work. So how do I do this change so I can log in as root from WinSCP with Putty? I need to log in as root with WinSCP to be able to change files. I hope you understand my problem, I'm a sort of newbie. As for editing files, nano or pico are fairly user-friendly. |
Author: | md10md [ Tue May 15, 2007 7:42 pm ] |
Post subject: | |
If you're worried about leaving root open, just use private key encryption for the ssh connection which WinSCP supports. I've used this since R5D1 and it's worked great. |
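Added example, not written by any poster in this thread and not LinHES code: the thread's suggestions (keep root closed in general, open it only for a limited address range, and require a key there) can be expressed in sshd_config and checked before sshd is restarted. The sketch assumes a current OpenSSH in which PermitRootLogin may appear inside a Match block; the sample configs, the address range and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: root refused everywhere except one LAN range, and
# even there only with a key (prohibit-password = no root password logins).
HARDENED = """\
PermitRootLogin no
Match Address 192.168.1.0/24
    PermitRootLogin prohibit-password
"""

# Constructed sample: option 1 from the thread applied to every client.
WEAK = "PermitRootLogin yes\n"


def effective_root_login(config_text, client_ip, default="prohibit-password"):
    """Return the PermitRootLogin value that applies to client_ip.

    Simplified model (assumption): only 'Match Address <cidr,cidr,...>' is
    understood; any other Match line is treated as not matching. The
    default is that of current OpenSSH; older releases defaulted to 'yes'.
    """
    ip = ipaddress.ip_address(client_ip)
    global_val = match_val = None
    in_match = active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match = True
            active = (len(args) == 2 and args[0].lower() == "address"
                      and any(ip in ipaddress.ip_network(c, strict=False)
                              for c in args[1].split(",")))
        elif key == "permitrootlogin" and args:
            value = args[0]
            if value == "without-password":  # deprecated alias
                value = "prohibit-password"
            if not in_match and global_val is None:
                global_val = value           # first global value wins
            elif in_match and active and match_val is None:
                match_val = value            # a matching block overrides it
    return match_val or global_val or default


def root_password_login_allowed(config_text, client_ip):
    """True when PermitRootLogin leaves root password logins open."""
    return effective_root_login(config_text, client_ip) == "yes"
```

With the hardened sample, a client outside 192.168.1.0/24 gets "no" and a LAN client gets key-only root access, which is what WinSCP needs when it is configured with a private key.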
All times are UTC - 6 hours |