possible to lock accounts (passwd -l) and still allow acct to ssh to other server? (UNIX for Advanced & Expert Users)
Post 302253430 by vbe on Friday 31st of October 2008 02:52:21 PM
Since these accounts are for batches, there shouldn't be an interactive shell, and so only users doing su - will read the .profile. I would take that opportunity to modify the .profile so it saves a .sh_history for each of the people that can su -, while also logging the date-time of the connection and where it came from (tty or IP), because what is stopping the user from typing passwd? (maybe not realizing, with multiple windows, that he is in the wrong one...) and changing the passwd...
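
The .profile change described in the post above, as an added example that is not part of the original post: a fragment for a batch account that is locked with passwd -l and reached only through "su - batchacct". It keeps one history file per originating user and appends an audit line (UTC time, real user, tty, ssh client address) to a log, forwarding a copy to syslog when logger is available. Assumptions: the originating login is recovered from "who am i" (tty-bound) or, failing that, $SUDO_USER; SSH_CLIENT is inherited from the ssh session in which su was run; $HOME/.su_audit.log and .sh_history.<user> are this example's own file names.

```sh
#!/bin/sh
# Added example (not from the post): audit fragment for a locked batch account's
# .profile. Assumed names: origin_user, session_record, ssh_origin, history_file,
# audit_su_session, $HOME/.su_audit.log and $HOME/.sh_history.<user>.

# origin_user: the real login name that ran su, or "unknown".
# "who am i" reports the login bound to the controlling tty, which su does
# not change; $SUDO_USER covers "sudo su -".
origin_user() {
    u=$(who am i 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$u" ] || u=${SUDO_USER:-}
    [ -n "$u" ] || u=unknown
    printf '%s\n' "$u"
}

# session_record TIMESTAMP USER TTY [FROM]: one audit line; FROM defaults to "local".
session_record() {
    printf '%s su-login user=%s tty=%s from=%s\n' "$1" "$2" "$3" "${4:-local}"
}

# ssh_origin: client IP taken from SSH_CLIENT ("ip port serverport"),
# empty when the session did not come in over ssh.
ssh_origin() {
    printf '%s\n' "${SSH_CLIENT%% *}"
}

# history_file HOME USER: per-originating-user history file path.
history_file() {
    printf '%s/.sh_history.%s\n' "$1" "$2"
}

# audit_su_session: call this from the end of the batch account's .profile.
audit_su_session() {
    u=$(origin_user)
    t=$(tty 2>/dev/null || echo notty)
    from=$(ssh_origin)
    # Separate history per person who did su -, honoured by ksh and bash.
    HISTFILE=$(history_file "$HOME" "$u"); export HISTFILE
    line=$(session_record "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$u" "$t" "$from")
    printf '%s\n' "$line" >> "$HOME/.su_audit.log"
    # Forward to syslog so the record survives a user editing the local log.
    command -v logger >/dev/null 2>&1 && logger -t su-audit -- "$line"
    return 0
}
```

Both the history file and .su_audit.log are owned by the batch account, so anyone who can su - can also edit them; the syslog copy is the one to rely on. This fragment records who was in the account and from where, but it does not stop the user from typing passwd.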
 

AA_CHANGE_PROFILE(2)                    AppArmor                    AA_CHANGE_PROFILE(2)

NAME
       aa_change_profile, aa_change_onexec - change a task's profile

SYNOPSIS
       #include <sys/apparmor.h>

       int aa_change_profile(const char *profile);

       int aa_change_onexec(const char *profile);

       Link with -lapparmor when compiling.

DESCRIPTION
       An AppArmor profile applies to an executable program; if a portion of the program needs different access permissions than other portions, the program can "change profile" to a different profile. To change into a new profile, it can use the aa_change_profile() function, passing a pointer to the name of the profile to transition to.

       Transitioning to another profile via aa_change_profile() is permanent: the process is not permitted to transition back to the original profile. Confined programs wanting to use aa_change_profile() need to have rules permitting changing to the named profile. See apparmor.d(5) for details.

       If a program wants to return out of the current profile to the original profile, it should use aa_change_hat(2) instead.

       Open file descriptors are not remediated after a call to aa_change_profile(), so the calling program must close(2) open file descriptors to ensure they are not available after calling aa_change_profile(). As aa_change_profile() is typically used just before execve(2), you may want to use open(2) or fcntl(2) with close-on-exec.

       The aa_change_onexec() function is like aa_change_profile() except that it specifies that the profile transition should take place on the next exec instead of immediately. The delayed profile change takes precedence over any exec transition rules within the confining profile. Delaying the profile boundary has a couple of advantages: it removes the need for stub transition profiles, and the exec boundary is a natural security layer where potentially sensitive memory is unmapped.
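The open-file-descriptor caveat above, as an added example that is not part of the man page or of the AppArmor project: a small audit a program can run just before aa_change_profile()/execve() to find descriptors that would survive the boundary, next to the two fixes the text names (open(2) with O_CLOEXEC, fcntl(2) with FD_CLOEXEC). It needs only fcntl(2) and runs without libapparmor or a loaded profile; leaked_fds(), mark_cloexec() and open_cloexec() are this example's own names.

```c
/* Added example (not from the man page): find descriptors that would leak
 * across an aa_change_profile()/execve() boundary and close them on exec.
 * leaked_fds(), mark_cloexec() and open_cloexec() are this example's names. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Count descriptors numbered >= first that are open and lack FD_CLOEXEC,
 * i.e. that would still be usable after execve() under the new profile.
 * Pass 3 to skip stdin/stdout/stderr. Returns the count, or -1 on error. */
int leaked_fds(int first)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        max = 1024;                     /* limit unknown: assume a common default */
    int leaked = 0;
    for (int fd = first; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF)
                continue;               /* not open, nothing to leak */
            return -1;
        }
        if (!(flags & FD_CLOEXEC))
            leaked++;
    }
    return leaked;
}

/* The fcntl(2) route: set FD_CLOEXEC on an already-open descriptor.
 * Returns 0 on success, -1 on error. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* The open(2) route: O_CLOEXEC sets the flag atomically, closing the window
 * between open() and a later fcntl() in which another thread could exec. */
int open_cloexec(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

int main(void)
{
    int fd = open("/etc/passwd", O_RDONLY);   /* deliberately without O_CLOEXEC */
    if (fd < 0) {
        perror("open /etc/passwd");
        return 1;
    }
    printf("descriptors that would survive exec: %d\n", leaked_fds(3));
    if (mark_cloexec(fd) < 0) {
        perror("fcntl FD_CLOEXEC");
        return 1;
    }
    printf("after marking close-on-exec:         %d\n", leaked_fds(3));
    /* A real program would now call aa_change_profile("...") and execve(). */
    close(fd);
    return 0;
}
```

A count above zero immediately before the profile change means the new, narrower profile will inherit an open handle that its rules never granted; mark or close those descriptors first.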
RETURN VALUE
       On success zero is returned. On error, -1 is returned, and errno(3) is set appropriately.

ERRORS
       EINVAL The apparmor kernel module is not loaded or the communication via the /proc/*/attr/current file did not conform to protocol.

       ENOMEM Insufficient kernel memory was available.

       EPERM  The calling application is not confined by apparmor.

       EACCES The task does not have sufficient permissions to change its domain.
EXAMPLE
       The following example shows a simple, if contrived, use of aa_change_profile(); a typical use will call aa_change_profile() just before an execve(2) so that the new child process is permanently confined.

           #include <stdlib.h>
           #include <string.h>
           #include <sys/apparmor.h>
           #include <sys/types.h>
           #include <sys/stat.h>
           #include <fcntl.h>
           #include <stdio.h>
           #include <unistd.h>

           int main(int argc, char *argv[])
           {
               int fd;
               char buf[10];
               char *execve_args[4];

               printf("Before aa_change_profile():\n");
               if ((fd = open("/etc/passwd", O_RDONLY)) < 0) {
                   perror("Failure opening /etc/passwd");
                   return 1;
               }

               /* Confirm for ourselves that we can really read /etc/passwd */
               memset(&buf, 0, 10);
               if (read(fd, &buf, 10) == -1) {
                   perror("Failure reading /etc/passwd");
                   return 1;
               }
               buf[9] = '\0';          /* NUL-terminate before printing */
               printf("/etc/passwd: %s\n", buf);
               close(fd);

               printf("After aa_change_profile():\n");
               /* change profile to the "i_cant_be_trusted_anymore" profile, which
                * should not have read access to /etc/passwd. */
               if (aa_change_profile("i_cant_be_trusted_anymore") < 0) {
                   perror("Failure changing profile -- aborting");
                   _exit(1);
               }

               /* confirm that we cannot read /etc/passwd */
               execve_args[0] = "/usr/bin/head";
               execve_args[1] = "-1";
               execve_args[2] = "/etc/passwd";
               execve_args[3] = NULL;
               execve("/usr/bin/head", execve_args, NULL);
               perror("execve");
               _exit(1);
           }

       This code example requires a profile similar to the following to be loaded with apparmor_parser(8):

           profile i_cant_be_trusted_anymore {
               /etc/ld.so.cache mr,
               /lib/ld-*.so* mrix,
               /lib/libc*.so* mr,
               /usr/bin/head ix,
           }

       The output when run:

           $ /tmp/change_p
           Before aa_change_profile():
           /etc/passwd: root:x:0:
           After aa_change_profile():
           /usr/bin/head: cannot open `/etc/passwd' for reading: Permission denied
           $

       If /tmp/change_p is to be confined as well, then the following profile can be used (in addition to the one for 'i_cant_be_trusted_anymore', above):

           # Confine change_p to be able to read /etc/passwd and aa_change_profile()
           # to the 'i_cant_be_trusted_anymore' profile.
           /tmp/change_p {
               /etc/ld.so.cache mr,
               /lib/ld-*.so* mrix,
               /lib/libc*.so* mr,
               /etc/passwd r,

               # Needed for aa_change_profile()
               /usr/lib/libapparmor*.so* mr,
               /proc/[0-9]*/attr/current w,
               change_profile -> i_cant_be_trusted_anymore,
           }
BUGS
       None known. If you find any, please report them at <https://bugs.launchpad.net/apparmor/+filebug>.

       Note that using aa_change_profile(2) without execve(2) provides no memory barriers between different areas of a program; if address space separation is required, then separate processes should be used.

SEE ALSO
       apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_hat(2) and <http://wiki.apparmor.net>.

AppArmor 2.7.103                        2012-06-28                  AA_CHANGE_PROFILE(2)