Wednesday, July 3, 2013

allowing non-root SSH

I keep logging in as root, and this is obviously not ideal, so I want to allow a user to log in.

Here are some steps I found here:


Add a local user

We have been logging in as root, so let’s add a local user. Since I am going to be mounting my existing zpools, I do not want to go back to all of my client machines and change the user IDs. To avoid any ID mismatch I am going to create my user with the same ID as it previously was:
root@megatron:~# useradd -u 1000 -g 10 -m -d /export/home/jarret -s /bin/bash jarret
64 blocks
If you just want the default UIDs, you can run the command below. The -m and -d options create the home directory.
root@megatron:~# useradd -m -d /export/home/username username
Let’s set a password for the new user:
root@megatron:~# passwd fred
New Password:
Re-enter new Password:
passwd: password successfully changed for fred
Now I want to add this user to the sudoers file. Type visudo to safely edit the /etc/sudoers file. Find the line below and remove the ‘#’ mark to enable it:
## Uncomment to allow members of group sudo to execute any command
%sudo ALL=(ALL) ALL
This will allow any user in the sudo group to run sudo. Let’s add the sudo group:
root@megatron:~# groupadd sudo
Now we can add our newly created user to the sudo group:
root@megatron:~# usermod -G sudo fred
Now let’s verify that the user is in the sudo group:
root@megatron:~# id fred
uid=1000(fred) gid=10(staff) groups=10(staff),100(sudo)
Ok, so that looks good. Let’s switch to the jarret user and run sudo:
root@megatron:~# su - fred
OmniOS 5.11     omnios-dda4bb3  2012.06.14
jarret@megatron:~$ sudo -l
Password:
User jarret may run the following commands on this host:
    (ALL) ALL

Also, I am following these instructions; although they are for a Synology NAS, they go a little further.
6. Execute the following from the command line as root:
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config
Change the line “#Protocol 2,1” to “Protocol 2” and the line “#PermitRootLogin yes” to “PermitRootLogin no”, then quit, saving changes (notice we removed the “#” from both lines).
You may also want to adjust the “LoginGraceTime” and “MaxAuthTries” settings, just be sure to remove the leading “#” from those lines.
7. Restart SSHD. If you are using the beta firmware you can disable then enable the service using the web-based management interface. If not, you may be able to use the disable SSH patch, then the enable SSH patch which may restart your NAS device (I have not tested this), or you can simply execute the following from the command line as root:
svcadm restart ssh
I have not personally tested the above command either, and it may end your SSH session if that is where you execute it from. Alternatively, you could temporarily enable Telnet, login as root to execute the command above, then log out and disable Telnet.
8. Test the changes. If you use “ssh -1 user@host” when connecting to your NAS device, you should get an error that reads something like “Protocol major versions differ: 1 vs. 2”. If you try to SSH in as root, it should prompt you for the password, but give you an error like “Permission denied, please try again.” even if you supply the correct password. Finally, you should be able to log in via SSH as your regular user (i.e. frank).
*Please note that if you change your regular user’s info (like password, etc.) using the web-based management interface, the information in /etc/passwd will revert back to the defaults, which will no longer let you log in via SSH using that user. If this happens, don’t panic, you can always SSH in as admin (which should have the same password as root, but not the same privileges). Unfortunately, only root can execute the “su” command, so to allow your regular user to use SSH again you will have to temporarily enable Telnet, log in as root, repeat step #4 above, log out and disable Telnet.
Telnet is also the only way to regain root command line access, which is required to edit “/etc/ssh/sshd_config”, should you want to restore root SSH logins at some point. Alternatively, one could install sudo to execute commands as root, but that is beyond the scope of this post.
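As an added example (not from this post or either of the quoted guides), here is a small POSIX shell helper that makes the sshd_config edit from step 6 repeatable and checkable: it turns the shipped, commented-out default into an active directive, and reports the value sshd will actually use, which is the first uncommented occurrence. The config it edits in demo() is a constructed three-line sample, and it assumes mktemp, grep, sed and awk are available; it was not tried against the OmniOS or Synology versions of those tools.

```sh
#!/bin/sh
# Added example, not from the original post or the quoted guides.
# Edits an sshd_config the way step 6 does: turn the shipped, commented-out
# default ("#PermitRootLogin yes") into an active "PermitRootLogin no",
# and show which value sshd will actually use.

# set_sshd_directive FILE KEY VALUE
# Rewrites every commented or active line starting with KEY to "KEY VALUE";
# appends the directive if no such line exists. Writes via a temp copy.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    pat="^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]"
    if grep -q "$pat" "$file"; then
        sed "s/$pat.*/$key $value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_value FILE KEY
# sshd honours the first uncommented occurrence of a directive; print that
# value, or print nothing and return 1 if the directive is not set at all.
effective_sshd_value() {
    awk -v k="$2" '$1 == k { print $2; found = 1; exit } END { exit !found }' "$1"
}

# verify_no_root_ssh FILE: 0 only if root logins are off and protocol 1 is gone.
verify_no_root_ssh() {
    [ "$(effective_sshd_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_sshd_value "$1" Protocol)" = "2" ]
}

# demo: apply the changes to a constructed copy of a stock config (assumed
# layout, not a real file from the post) and print the result.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '#Protocol 2,1' '#PermitRootLogin yes' 'X11Forwarding yes' > "$cfg"
    set_sshd_directive "$cfg" Protocol 2
    set_sshd_directive "$cfg" PermitRootLogin no
    set_sshd_directive "$cfg" MaxAuthTries 3      # absent, so it is appended
    if verify_no_root_ssh "$cfg"; then rc=0; else rc=1; fi
    cat "$cfg"
    rm -f "$cfg"
    return $rc
}
```

Run it on a copy first, as step 6 does with sshd_config.orig, and note that any comment line beginning with the directive name is rewritten too, so check the diff before restarting ssh.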


Now I just have to remember to log in as user fred, and to use sudo or pfexec.

