netbsd-help: Re: Advice on setting up a shell server

Subject: Re: Advice on setting up a shell server
To: Jeremy C. Reed <reed@reedmedia.net>
From: Stefan 'Kaishakunin' Schumacher <stefan@net-tex.de>
List: netbsd-help
Date: 02/03/2007 11:50:37
--8S1fMsFYqgBC+BN/
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Also sprach Jeremy C. Reed (reed@reedmedia.net)
> On Tue, 16 Jan 2007, Isaac Wagner-Muns wrote:
>=20
> > I'm trying to set up a small shell account server for students at my=20
> > school, and it seems to be quite a vast undertaking, mostly because of=
=20
> > the security issues brought up by letting semi-anonymous people access=
=20
> > my machine. How do other shell servers (like sdf.lonestar.org) implemen=
t=20
> > an automatic user-adding system? Is having publicly runnable shell=20
> > scripts insecure? Any suggestions on where i should start would be=20
> > greatly appreciated
>=20
> Get rid of any world-writable "tmp" directories. (Make users use their ow=
n=20
> homes. If you find any programs that don't allow custom temp directory in=
=20
> base install, let us know.)
>=20
> Use file system quotas.
>=20
> Set strict resource limits (login.conf and ulimit/limit).
>=20
> (sorry if these ideas were already provided)

Use Systrace to systrace the login shell and restrict any access to
evil[tm] binaries, such as ftp/telnet. You can also use systrace to
forbid the use of binaries in the home dirs of students or to restrict=20
eg. SSH to your private network.

> As for automatic user adding system, I don't know. Maybe make some shell=
=20
> scripts and allow user to login via ssh using a generic account that runs=
=20
> that script to allow user to add an account and set password.

I used a small hack to bulkadd some users at a server:

for i in `cat userlist`; do j=3D$i;=20
	k=3D`shuffle -0 -p 10 a b c [...] x y z A B C [...] X Y Z 0 1 [...] 8 9`=
=20
	useradd -g mygroup -d /home/$j -m -p `pwhash -m  $k` $j;
	echo "User: '$j': password: $k" | tee -a userlist
done=20


shuffle generates a 10 letter password from randomly picking 10
elements of the list (substitute ... to letters) and saves it to $k
useradd adds the user and creates his homedir. pwhash is used to add
the password hash generated from $k. The resulut is printed to STDOUT
and tee'ed to ./userlist. The : in the userlist file make it easier to
use awk on it eg. to generate letters with LaTeX or nroff or simple
=2Etxt files.=20

You could also use pkgsrc/security/apg to generate pronouncable
passwords as defined in FIPS PUB 181, but than you will have a much
smaller list of possible passwords -- which makes it easier to crack
/etc/master.passwd.

Additionally I would use PAM to use cracklib to test new passwords and
force students to change their automatically generated first password,=20
but as of now I was not able to install the required PAM-modules.


HTH,
Stefan
--=20
Pedites pugnas decernent    http://www.jaegerseiten.de    Horrido!


http://www.net-tex.de                                 http://www.cryptomanc=
er.de

--8S1fMsFYqgBC+BN/
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (NetBSD)

iD8DBQFFxGj9EfTEHrP7rjMRAiw6AJ9AgZa484AdT0o/WCXSQfHgfqm23QCdHMFN
kSK000zoNuD9cJPsNmOs4eA=
=prcP
-----END PGP SIGNATURE-----

--8S1fMsFYqgBC+BN/--