If you have to change the password for a user, and you have a need to script this, for example if you have the password for multiple users, or on several different servers, then here's an easy way to change the password for a user, without having to type the password on the command line prompt:
# echo "user:password" | chpasswd
Topics: AIX, Monitoring, Red Hat / Linux, Security, System Admin↑
Sudosh
Sudosh is designed specifically to be used in conjunction with sudo or by itself as a login shell. Sudosh allows the execution of a root or user shell with logging. Every command the user types within the root shell is logged as well as the output.
This is different from "sudo -s" or "sudo /bin/sh", because when you use one of these instead of sudosh to start a new shell, then this new shell does not log commands typed in the new shell to syslog; only the fact that a new shell started is logged.
If this newly started shell supports commandline history, then you can still find the commands called in the shell in a file such as .sh_history, but if you use a shell such as csh that does not support command-line logging you are out of luck.
Sudosh fills this gap. No matter what shell you use, all of the command lines are logged to syslog (including vi keystrokes). In fact, sudosh uses the script command to log all key strokes and output.
Setting up sudosh is fairly easy. For a Linux system, first download the RPM of sudosh, for example from rpm.pbone.net. Then install it on your Linux server:
Then, go to the /etc file system and open up /etc/sudosh.conf. Here you can adjust the default shell that is started, and the location of the log files. Default, the log directory is /var/log/sudosh. Make sure this directory exists on your server, or change it to another existing directory in the sudosh.conf file. This command will set the correct authorizations on the log directory:# rpm -ihv sudosh-1.8.2-1.2.el4.rf.i386.rpm Preparing... ########################################### [100%] 1:sudosh ########################################### [100%]
Then, if you want to assign a user sudosh access, edit the /etc/sudoers file by running visudo, and add the following line:# sudosh -i [info]: chmod 0733 directory /var/log/sudosh
username ALL=PASSWD:/usr/bin/sudoshNow, the user can login, and run the following command to gain root access:
Now, as a sys admin, you can view the log files created in /var/log/sudosh, but it is much cooler to use the sudosh-replay command to replay (like a VCR) the actual session, as run by the user with the sudosh access.$ sudo sudosh Password: # whoami root
First, run sudosh-replay without any paramaters, to get a list of sessions that took place using sudosh:
Now, you can actually replay the session, by (for example) running:# sudosh-replay Date Duration From To ID ==== ======== ==== == == 09/16/2010 6s root root root-root-1284653707-GCw26NSq Usage: sudosh-replay ID [MULTIPLIER] [MAXWAIT] See 'sudosh-replay -h' for more help. Example: sudosh-replay root-root-1284653707-GCw26NSq 1 2
# sudosh-replay root-root-1284653707-GCw26NSq 1 5The first paramtere is the session-ID, the second parameter is the multiplier. Use a higher value for multiplier to speed up the replay, while "1" is the actual speed. And the third parameter is the max-wait. Where there might have been wait times in the actual session, this parameter restricts to wait for a maximum max-wait seconds, in the example above, 5 seconds.
For AIX, you can find the necessary RPM here. It is slightly different, because it installs in /opt/freeware/bin, and also the sudosh.conf is located in this directory. Both Linux and AIX require of course sudo to be installed, before you can install and use sudosh.
Topics: AIX, Security, System Admin↑
SUID
Always watch out for files with the SUID bit set; especially if these are files that are not on the AIX system by default. Before any vendor or application team installs additional software on the AIX system, it may be worth file to run the following command, to discover any files with the SUID bit set:
# find / \( -perm -2000 -o -perm -4000 \) -type f -lsSave the output of this command for later reference. Once the vendor or application team is done installing their application and/or database software, run the same command again, to discover if any newly created files exist, especially those that are owned by user root and have the SUID bit set. This allows other users to run the command as if they we're root.
The SUID bit can only be set on binary executables on AIX (starting with release 3.2.5 of AIX). Other UNIX operating systems, such as Fedora, may allow scripts to run with SUID bits set. On AIX it is allowed to set the SUID bit on a script, but AIX simply ignores it, and runs the script as the user who started the script, not using the account that owns the script, because this would be a huge security hole.
However, it is still very easy to write a C program that does the trick. The following example is a program called "sushi". The source code of the program, sushi.c, looks like this:
#include <stdio.h>
#include <time.h>
char *getlogin();
#define LOG_FILE "/tmp/sushilog"
main(argc, argv)
int argc;
char **argv;
{
char buf[1024], *p=buf;
int i, t;
FILE *log;
char msg[BUFSIZ], *ct, *name;
*p='\0';
for (i=1; i<argc; ++i)
{
strcpy(p, argv[i]);
p += strlen(argv[i]);
if (i < argc-1)
{
*p = ' ';
++p;
*p = '\0';
}
}
time(&t);
ct = ctime(&t);
name = getlogin();
setuid(0);
log = fopen(LOG_FILE, "a");
if (!log)
printf("Couldn't open log file!\n");
else
{
sprintf(msg, "SUSHI: %s %s %s\n", name, buf, ct);
fputs(msg, log);
fclose(log);
system(buf);
}
}
The makefile looks like this (and makes sure the SUID bit is set when running "make"):
################################################
# Make rules #
################################################
all: sushi
sushi: sushi.o
$(CC) -o $@ sushi.o
clean:
rm -f *.o sushi
install:
cp -p sushi /bin
chown root /bin/sushi
chmod a+rx /bin/sushi
chmod u+s /bin/sushi
################################################
# Source/object rules #
################################################
sushi.o: sushi.c
gcc -c $*.c
Now, if this file is compiled as user root, a program called /bin/sushi will exists; it will be owned by user root, and the SUID will be set:
The sushi program basically takes everything entered as a parameter on the command line, and runs it. So if the file is owned by user root, it will run the parameter as user root. For example, if you would want to open a Korn shell as a regular user, and get root access:# ls -als /bin/sushi 8 -rwsr-xr-x 1 root root 6215 Sep 9 09:21 /bin/sushi
This is something that you want to avoid. Even vendors are known to build backdoors like these into their software. The find command shown at the beginning of this article will help you discover commands as these. Note that the good thing of the sushi program shown above is, that it will write an entry into log file /tmp/sushilog each time someone uses the command.$ /bin/sushi ksh # whoami root
To avoid users being able to run commands with the SUID set, you may want to add the "nosuid" option in /etc/filesystems for each file system:
/exports/install:
dev = "/exports/install"
vfs = nfs
nodename = fileserver.company.com
mount = true
options = ro,bg,hard,intr,nodev,nosuid,sec=sys
account = false
Especially for (permanently) NFS mounted file systems, it is a VERY good idea to have this nosuid option set, avoiding someone to create a sushi-like program on a NFS server, and being able to run the program as a regular user on the NFS client system, to gain root access on the NFS client; or if you want to mount a NFS share on a client temporarily, enable the nosuid by running:
Check if it is set by running:# mount -o nosuid server:/filesystem /mountpoint
# mount | grep nfs server /filesystem /mountpoint nfs3 Sep 09 09:30 nosuid
The environment variable EXTENDED_HISTORY in AIX will timestamp your shell history. In ksh, you set it as follows:
# export EXTENDED_HISTORY=ONA good practice is to set this variable in /etc/environment.
To view your history:
NOTE: before setting this environment variable, the previous commands in your history will have a question mark in the timestamp field.# history 888 ? :: cd aix_auth/ 889 ? :: vi server 890 ? :: ldapsearch 891 ? :: fc -lt 892 ? :: fc -l
If you use the fc command, you will have to use the "-t" option to see the timestamp:
# fc -t
Topics: Security, System Admin↑
Listing sudo access
Sudo is an excellent way to provide root access to commands to other non-root users, without giving them too much access to the system.
A very simple command to show you what a specific user is allowed to do:
# su - [username] -c sudo -l
User [username] may run the following commands on this host:
(root) NOPASSWD: /usr/local/sbin/reset.ksh
(root) NOPASSWD: /usr/local/bin/mkpasswd
(root) NOPASSWD: !/usr/local/bin/mkpasswd root
Topics: AIX, Security, System Admin↑
Password-less SSH Login
On occasion I have the need to establish trust relationships between Unix boxes so that I can script file transfers. In short, here's how you leverage SSH to do that. Using the example of trying to connect from server "a" to get a file on "b" follow this example:
- Connect to "a".
- Type: ssh-keygen -t rsa
- The default directory for keyfiles will be ~/.ssh/ (if you do not want to be prompted, leave passphrase blank).
- Copy the contents of .ssh/id_rsa.pub (there should only be one line).
- Place this line on "b", in ~/.ssh/authorized_keys.
Topics: AIX, Security, System Admin↑
Portmir
A very nice command to use when you either want to show someone remotely how to do something on AIX, or to allow a non-root user to have root access, is portmir.
First of all, you need 2 users logged into the system, you and someone else. Ask the other person to run the tty command in his/her telnet session and to tell you the result. For example:
user$ ttyNext, start the portmirror in your own telnet session:
/dev/pts/1
root# portmir -t /dev/pts/1(Of course, fill in the correct number of your system; it won't be /dev/pts/1 all the time everywhere!)
Now every command on screen 1 is repeated on screen 2, and vice versa. You can both run commands on 1 screen.
You can stop it by running:
# portmir -oIf you're the root user and the other person temporarily requires root access to do something (and you can't solve it by giving the other user sudo access, hint, hint!), then you can su - to root in the portmir session, allowing the other person to have root access, while you can see what he/she is doing.
You may run into issues when you resize a screen, or if you use different types of terminals. Make sure you both have the same $TERM setting, i.e.: xterm. If you resize the screen, and the other doesn't, you may need to run the tset and/or the resize commands.
If you wish to be able to access an HMC from the command line, without the need of logging in, you can use ssh (secure shell).
Set-up a secure shell connection to your HMC:
# ssh userid@hostnameYou will have to enter a password to get into your HMC.
To allow your root user direct access to the HMC without the need of logging in, you'll have to update the authorized_keys2 file in the .ssh subdirectory of the home directory of your HMC user. There's a problem: a regular user only gets a restricted shell on an HMC and therefore is unable to edit the authorized_keys2 file in subdirectory .ssh. In an HMC version 3 it is possible to disable the restricted shell for users by editing file /opt/hsc/data/ssh/hmcsshrc. In an HMC version 4 and up you no longer get root access (except, you may get it, by contacting IBM), so you can no longer edit this file.
But there's another way to accomplish it.
Let's say your hmc user ID is hmcuser and you were able to logon to the HMC called hmcsystem using this ID and a password (like described above).
First, get a valid authorized_keys2 file, that allows root at your current host access to the HMC. Place this file in /tmp.
Then, use scp to copy the authorized_keys2 file to the HMC:
# scp /tmp/authorized_keys2 hmcuser@hmcsystem:~hmcuser/.ssh/authorized_keys2[Enter your hmcuser's password, when required]
Now, just test if it works:
# ssh hmcuser@hmcsystem dateYou should now be able to access the system without entering a password.
Topics: AIX, Security, System Admin↑
HOWTO: set up ssh keys
First, install OpenSSH and OpenSSL on two UNIX servers, serverA and serverB. This works best using DSA keys and SSH2 by default as far as I can tell. All the other HOWTOs I've seen seem to deal with RSA keys and SSH1, and the instructions not surprisingly fail to work with SSH2.
On each server type ssh someserver.example.com and make a connection with your regular password. This will create a .ssh dir in your home directory with the proper permissions. On your primary server where you want your secret keys to live (let's say serverA), type:
# ssh-keygen -t dsaThis will prompt you for a secret passphrase. If this is your primary identity key, use an empty passphrase (which is not secure, but the easiest to work with). If this works right, you will get two files called id_dsa and id_dsa.pub in your .ssh dir.
Copy the id_dsa.pub file to the other host's .ssh dir with the name authorized_keys2:
# scp ~/.ssh/id_dsa.pub serverB:.ssh/authorized_keys2Now serverB is ready to accept your ssh key.
For a test, type:
# ssh serverBThis should let you in without typing a password or passphrase. Hooray! You can ssh and scp all you want and not have to type any password or passphrase.
This describes how to get SSH access to a Linux system on a HP blade system, which requires you to work through the ILO:
First of all, you need to know the ILO IP address. Simply open up an SSH session to this IP address:
# ssh -l ilo-admin 10.250.21.37The next thing you need to do is type "VSP", hit ENTER and login to the server:
ilo-admin@10.250.21.37's password:
User:ilo-admin logged-in to 10.250.21.37
iLO 2 Advanced 1.60 at 16:05:58 Jul 11 2008
Server Name:
Server Power: On
</>hpiLO->
hpiLO-> VSPTo make this magic happen, we need to spawn a getty on /dev/ttyS1. You might see somthing like this in /etc/inittab:
Starting virtual serial port
Press 'ESC (' to return to the CLI Session
</>hpiLO-> Virtual Serial Port active: IO=0x02F8 INT=3
[ENTER]
</>hpiLO-> Virtual Serial Port active: IO=0x02F8 INT=3
Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
Kernel 2.6.9-89.ELsmp on an i686
hostname login:
mo1::off:/sbin/mgetty -x 0 -D -s38400 -a /dev/ttyS1The mgetty will not work. That expects a modem. Comment it out (it is off anyways). Add this line:
ilo:2345:respawn:/sbin/agetty ttyS1 115200 vt100Then allows root to login on that tty:
# echo "ttyS1" >> /etc/securettyThen reread the /etc/inittab and spawn any missing processes, like the new getty:
# kill -HUP 1Now you should be able to ssh to the servers ILO IP address, login as ilo-admin, run VSP and get a login prompt.
