Security

  • How to enforce "user cannot invoke any programs without first logging on to the system"


    I posted the question on comp.unix.admin, then I realized there is
    a unix security group, so I repost here. Thanks.
    Hi all,
    I am writing shell scripts to enforce some security standards. One
    of the rules is "Users cannot get access to shell or invoke any other
    programs without first logging on to the system"
    Does this mean
    echo "mkdir /tmp/testdir" | ssh userid@anothermachine
    should be prohibited?
    How to enforce such kind of security rule? Is there ssh configuration
    I should take a look at?
    Many thanks,
    James
  • No.1 | | 1783 bytes | |

    "James" <jzheng22@gmail.com> writes:

    >I posted the question on comp.unix.admin, then I realized there is
    >a unix security group, so I repost here. Thanks.
    >
    >Hi all,
    >
    >I am writing shell scripts to enforce some security standards. One
    >of the rules is "Users cannot get access to shell or invoke any other
    >programs without first logging on to the system"

    This looks simple, but there's a lot to it. On one hand, it should be
    automatic: you can't do anything on unix without first logging in.
    However, poorly secured webservers, for instance, can allow someone to
    run commands without logging in certain circumstances. So the larger
    goal of keeping all running network apps up to date with secure
    versions is very important, as is having any custom code audited for
    security.

    >Does this mean
    >echo "mkdir /tmp/testdir" | ssh userid@anothermachine
    >should be prohibited?

    No. All that does is makes a directory on the local machine and
    pipes the output to a shell on anothermachine. Depending on
    anothermachine's sshd conf file settings, a password should be
    prompted for. If not, then public key auth has been enabled and
    configured. Better to look for public key files on the file system
    with find and to audit sshd_config files for allowing such things if
    you need to enforce that policy without exception.

    >How to enforce such kind of security rule? Is there ssh configuration
    >I should take a look at?

    Yes. Typically in /etc/ssh/sshd_config

    RSAAuthentication
    PubkeyAuthentication settings will be of interest.

    Also, you'll want to look for .rhosts files around and whether
    rcommands work. There's a lot of configuration stuff to check
    actually.
  • No.2 | | 1555 bytes | |

    On 12 Jun 2006 15:03:17 -0500, Todd H. <comphelp@toddh.net> wrote:
    >"James" <jzheng22@gmail.com> writes:

    >>I am writing shell scripts to enforce some security standards. One
    >>of the rules is "Users cannot get access to shell or invoke any other
    >>programs without first logging on to the system"

    >>Does this mean
    >>echo "mkdir /tmp/testdir" | ssh userid@anothermachine
    >>should be prohibited?

    >No. All that does is makes a directory on the local machine and
    >pipes the output to a shell on anothermachine.

    Huh? On my machines it does what it should do, i.e. the same thing as

    ssh userid@anothermachine mkdir /tmp/testdir

    but with warnings indicating that I'm doing something stupid.

    >Depending on
    >anothermachine's sshd conf file settings, a password should be
    >prompted for. If not, then public key auth has been enabled and
    >configured. Better to look for public key files on the file system
    >with find and to audit sshd_config files for allowing such things if
    >you need to enforce that policy without exception.

    I'm not sure what you believe "that policy" refers to, but I don't think
    "logging on to the system" should be interpreted literally as "seeing a
    logon: prompt, typing my username and password". This isn't the 1970s.

    /Jorgen

    PS. The original poster might also want to think about cron, at and
    procmail, and how they fit into these security standards.
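
The checks suggested in posts No.1 and No.2 (sshd_config key-auth settings, key and .rhosts files, procmail and cron), as an added shell example that is not part of any poster's message. The function names, the sample tree and the cron spool layout are assumptions, and only the global section of sshd_config is read (no Match or Include handling).

```shell
# Added example; every path and file below is constructed sample data.
# Effective value of an sshd_config keyword in the global section. sshd keeps
# the first value it reads and keywords are case-insensitive. "unset" means
# the built-in default applies (PubkeyAuthentication defaults to yes).
# Assumption: Match blocks and Include files are not evaluated.
sshd_setting() {  # usage: sshd_setting FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Per-user files that let commands run without a password prompt: SSH keys
# and rhosts trust (post No.1), procmail/forward rules (post No.2).
list_entry_points() {  # usage: list_entry_points HOME_ROOT
    find "$1" -type f \( -name authorized_keys -o -name authorized_keys2 -o -name .rhosts \
        -o -name .shosts -o -name .procmailrc -o -name .forward \) 2>/dev/null |
    while IFS= read -r f; do
        case "${f##*/}" in
            authorized_keys*) kind=ssh-key ;;
            .rhosts|.shosts)  kind=rhosts ;;
            *)                kind=mail-exec ;;
        esac
        printf '%s %s\n' "$kind" "$f"
    done | sort
}

# Users owning a crontab: one file per user in the cron spool directory
# (its location varies by system, so it is passed in).
crontab_owners() { find "$1" -type f 2>/dev/null | sed 's|.*/||' | sort; }

make_sample() {  # builds the constructed tree and prints its path
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob" "$d/cron"
    printf '%s\n' '# constructed' 'pubkeyauthentication YES' \
        'PubkeyAuthentication no' > "$d/sshd_config"
    echo 'ssh-ed25519 AAAA-constructed alice@golden' > "$d/home/alice/.ssh/authorized_keys"
    echo 'goldenhost bob' > "$d/home/bob/.rhosts"
    echo ':0' > "$d/home/bob/.procmailrc"
    echo '0 3 * * * /bin/true' > "$d/cron/bob"
    echo "$d"
}

sample=$(make_sample) || exit 1
echo "PubkeyAuthentication=$(sshd_setting "$sample/sshd_config" PubkeyAuthentication)"
list_entry_points "$sample/home"
echo "crontab owners: $(crontab_owners "$sample/cron" | tr '\n' ' ')"
rm -rf "$sample"
```

On a real host the arguments would be /etc/ssh/sshd_config, the root of the home directories and the system's cron spool directory.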
  • No.3 | | 755 bytes | |


    >Does this mean
    >echo "mkdir /tmp/testdir" | ssh userid@anothermachine
    >should be prohibited?

    >How to enforce such kind of security rule? Is there ssh configuration
    >I should take a look at?

    If ssh key is setup correctly between the two hosts, I don't think you
    can prohibit something like

    ssh userid@anothermachine "mkdir /tmp/testdir"

    By definition, the above unattended session is a valid login - last cmd
    will show it's a login in the record.

    However, you may want to see if some work can be done in user's profile
    about setting the path or after a successful ssh authentication,
    the .profile prompts a question before allowing user to get a shell
    prompt

  • No.4 | | 1481 bytes | |

    "NYWalker" <mr.shanjing@gmail.com> writes:

    >>Does this mean
    >>echo "mkdir /tmp/testdir" | ssh userid@anothermachine
    >>should be prohibited?

    >>How to enforce such kind of security rule? Is there ssh configuration
    >>I should take a look at?

    If you demand password logons then the user will have to log on before
    running commands. If the user is using passwordless logon, then the
    exchange of rsa/dsa keys IS login. I.e. in any case the user will not be able
    to run commands before logging in to the system.
    Under ssh, the user cannot ever run commands before logging onto the
    system.

    >If ssh key is setup correctly between the two hosts, I don't think you
    >can prohibit something like

    >ssh userid@anothermachine "mkdir /tmp/testdir"

    >By definition, the above unattended session is a valid login - last cmd
    >will show it's a login in the record.

    >However, you may want to see if some work can be done in user's profile
    >about setting the path or after a successful ssh authentication,
    >the .profile prompts a question before allowing user to get a shell
    >prompt

    Just disallow password less logins. But why you would want to do that is
    beyond me.
  • No.5 | | 1207 bytes | |

    On 18 Jun 2006 09:30:23 GMT, Unruh <unruh-spam@physics.ubc.ca> wrote:
    >"NYWalker" <mr.shanjing@gmail.com> writes:

    >>Does this mean
    >>echo "mkdir /tmp/testdir" | ssh userid@anothermachine
    >>should be prohibited?

    >>How to enforce such kind of security rule? Is there ssh configuration
    >>I should take a look at?

    >If you demand password logons then the user will have to log on before
    >running commands. If the user is using passwordless logon, then the
    >exchange of rsa/dsa keys IS login. I.e. in any case the user will not be able
    >to run commands before logging in to the system.
    >Under ssh, the user cannot ever run commands before logging onto the
    >system.

    >Just disallow password less logins. But why you would want to do that is
    >beyond me.

    Again: the people who wrote the rules will have to clarify what they
    really mean. Guessing is clearly not a good idea when you implement someone
    else's security policies.

    And once again: another question is if the users are allowed to create cron
    jobs, have procmail rules that execute stuff and so on. If they do, they can
    "access the system" without "logging on", in some sense.

    /Jorgen
  • No.6 | | 1046 bytes | |


    Unruh wrote:

    >If you demand password logons then the user will have to log on before
    >running commands. If the user is using passwordless logon, then the
    >exchange of rsa/dsa keys IS login. I.e. in any case the user will not be able
    >to run commands before logging in to the system.
    >Under ssh, the user cannot ever run commands before logging onto the

    >Just disallow password less logins. But why you would want to do that is
    >beyond me.

    What if "disallowing password less logins" is out of the question -
    the users demand to be able to ssh into any servers using a "golden
    key"? In many organizations, users use an authentication package e.g.
    powerbroker to log in to a golden host, then with properly installed keys can
    ssh into a set of servers. In this case, the original problem "user
    cannot invoke any programs without first logging on to the system"
    arises.

    I think the original question was to see if there are solutions for
    ssh-key logins (not for password less logins.)
