Softpanorama

Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
May the source be with you, but remember the KISS principle ;-)
Bigger doesn't imply better. Bigger often is a sign of obesity, of lost control, of overcomplexity, of cancerous cells

Solaris Security Tips

News

Solaris

Recommended Books Recommended Links Shell Tips and Tricks AWK one liners

DNS tricks and tips

Resetting root password How to  reject remote logging in syslogd Core files creation blocking in Solaris using hostbyname to block unwanted visitors New options in solaris 10 ftpd New options in Solaris 10 TELNETD Enabling TCP Wrappers in Solaris 10
     

 

  Humor Etc

One simple way to make Solaris a little bit more secure is to create /root directory with permissions 700 like in Red Hat. In this case anything you put into this directory is visible only to root and even wrong permissions are not visible to outsiders.

NEWS CONTENTS

Old News ;-)

Sun Solaris 10 - How to Let Root Login Directly to the System via SSH - c03647591 - HP Business Support Center

Information

Environment :

Description :

How to let root login, directly to the system, via ssh?

uname -a SunOS castor1 5.10 Generic_147440-01 sun4u sparc SUNW,Sun-Fire-V240 cat /etc/release Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved. Assembled 23 August 2011 host castor1 is a sparc sunfire v240. OS installed, solaris 10 update 10.

Trying to login via ssh results in a access denied.

login as: root Using keyboard-interactive authentication. Password: Access denied Dec 5 23:48:13 castor1 sshd[2302]: Failed keyboard-interactive for root from 16.56.232.242 port 49887 ssh2

On the console of the host, the message "failed keyboard-interactive for root from 16.56.232.242 port 49887 ssh2 is logged ."

Details
  1. Checking PermitRootLogin value in file /etc/ssh/sshd_config .

    cat /etc/ssh/sshd_config # Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.

    ident "@(#)sshd_config 1.10 10/10/19 SMI"

    Configuration file for sshd(1m)

    Protocol versions supported

    The sshd shipped in this release of Solaris has support for major versions 1 and 2. It is recommended due to security weaknesses in the v1 protocol that sites run only v2 if possible. Support for v1 is provided to help sites with existing ssh v1 clients/servers to transition.

    Support for v1 may not be available in a future release of Solaris.

    To enable support for v1 an RSA1 key must be created with ssh-keygen(1).

    RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they do not already exist, RSA1 keys for protocol v1 are not automatically created.

    Uncomment ONLY ONE of the following Protocol statements.

    Only v2 (recommended )

    Protocol 2

    Both v1 and v2 (not recommended)

    Protocol 2,1

    Only v1 (not recommended)

    Protocol 1

    Listen port (the IANA registered port number for ssh is 22)

    Port 22

    The default listen address is all interfaces, this may need to be changed if user wishes to restrict the interfaces sshd listens on for a multi homed host.

    Multiple ListenAddress entries are allowed.

    IPv4 only

    ListenAddress 0.0.0.0

    IPv4 & IPv6

    ListenAddress ::

    Port forwarding

    AllowTcpForwarding no

    If port forwarding is enabled, specify if the server can bind to INADDR_ANY.

    This allows the local port forwarding to work when connections are received from any remote host.

    GatewayPorts no

    X11 tunneling options

    X11Forwarding yes

    X11DisplayOffset 10

    X11UseLocalhost yes

    The maximum number of concurrent unauthenticated connections to sshd.

    start:rate:full see sshd(1) for more information.

    The default is 10 unauthenticated clients.

    MaxStartups 10:30:60

    Banner to be printed before authentication starts.

    Banner /etc/issue

    Should sshd print the /etc/motd file and check for mail.

    On Solaris it is assumed that the login shell will do these (eg /etc/profile).

    PrintMotd no

    KeepAlive specifies whether keep alive messages are sent to the client.

    See sshd(1) for detailed description of what this means.

    Note that the client may also be sending keep alive messages to the server.

    KeepAlive yes

    Syslog facility and level

    SyslogFacility auth

    LogLevel info

    Authentication configuration

    Host private key files

    Must be on a local disk and readable only by the root user (root:sys 600).

    HostKey /etc/ssh/ssh_host_rsa_key

    HostKey /etc/ssh/ssh_host_dsa_key

    Length of the server key

    Default 768, Minimum 512

    ServerKeyBits 768

    sshd regenerates the key every KeyRegenerationInterval seconds.

    The key is never stored anywhere except the memory of sshd.

    The default is 1 hour (3600 seconds).

    KeyRegenerationInterval 3600

    Ensure secure permissions on users .ssh directory.

    StrictModes yes

    Length of time in seconds before a client that hasn't completed

    authentication is disconnected.

    Default is 600 seconds. 0 means no time limit.

    LoginGraceTime 600

    Maximum number of retries for authentication

    Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2

    MaxAuthTries 6

    MaxAuthTriesLog 3

    Are logins to accounts with empty passwords allowed.

    If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK to pam_authenticate(3PAM).

    PermitEmptyPasswords no

    To disable tunneled clear text passwords, change PasswordAuthentication to no.

    PasswordAuthentication yes

    Use PAM via keyboard interactive method for authentication.

    Depending on the setup of pam.conf(4) this may allow tunneled clear text passwords even when PasswordAuthentication is set to no. This is dependent on what the individual modules request and is out of the control of sshd or the protocol.

    PAMAuthenticationViaKBDInt yes

    Are root logins permitted using sshd.

    Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user maybe denied access by a PAM module regardless of this setting.

    Valid options are yes, without-password, no.

    PermitRootLogin no

    sftp subsystem

    Subsystem sftp internal-sftp

    SSH protocol v1 specific options

    The following options only apply to the v1 protocol and provide some form of backwards compatibility with the very weak security of /usr/bin/rsh. Their use is not recommended and the functionality will be removed when support for v1 protocol is removed.

    Should sshd use .rhosts and .shosts for password less authentication.

    IgnoreRhosts yes

    RhostsAuthentication no

    Rhosts RSA Authentication

    For this to work user will also need host keys in /etc/ssh/ssh_known_hosts.

    If the user on the client side is not root then this won't work on Solaris since /usr/bin/ssh is not installed setuid.

    RhostsRSAAuthentication no

    Uncomment if user does not trust ~/.ssh/known_hosts for RhostsRSAAuthentication.

    #IgnoreUserKnownHosts yes

    Is pure RSA authentication allowed.

    Default is yes

    RSAAuthentication yes

    PermitRootLogin variable is on the default value of no.

  2. Change PermitRootLogin to yes, to allow root remote logins via ssh.

    vi /etc/ssh/sshd_config

    [change file from]

    PermitRootLogin no

    [to]

    PermitRootLogin yes

  3. After change

    cat /etc/ssh/sshd_config|grep PermitRootLogin

    PermitRootLogin yes

    PermitRootLogin value is indeed successfull changed to yes.

  4. Restart sshd daemon and check if sshd is in online state, after restart.

    svcadm restart svc:/network/ssh:default

    svcs|grep ssh

    online 23:47:45 svc:/network/ssh:default

  5. Try to remote login root, via ssh

    login as: root

    Using keyboard-interactive authentication.

    Password:

    Last login: Wed Dec 5 23:49:30 2012 from vm44.xp.emea.hp

    Oracle Corporation SunOS 5.10 Generic Patch January 2005

    root can remote login via ssh.

Everything Solaris Filesystem Tips and Tricks

My Solaris page

Some scripts I have written for Solaris that you may find interesting:

Solaris SUMMARY sendmail with TCPWRAPPERs

Solaris SUMMARY How to prevent Root login via Xterm

Security - Home Page -- Protecting From Within

Logs enabling Identify and enable system and network logging mechanisms

Solaris Security Tips - searchSolaris.com

Solaris Tips Hall of Fame - searchSolaris.com

New Options in Solaris 10 FTPD

docs.sun.com man pages section 1M System Administration Commands

New options in Solaris 10 Telnetd

Enabling TCP Wrappers in Solaris 10

Glenn Brunette's Security Weblog Tip of the Month: Enabling TCP Wrappers in Solaris 10

Before answering this question, let's first provide a little background. TCP Wrappers has been around for many, many years. It is used to restrict access to TCP services based on host name, IP address, network address, etc. For more detailed on what TCP Wrappers is and how you can use it, see tcpd(1M). TCP Wrappers was integrated into Solaris starting in Solaris 9 where both Solaris Secure Shell and inetd-based (streams, nowait) services were wrapped. Bonus points are awarded to anyone who knows why UDP services are not wrapped by default.

TCP Wrappers support in Secure Shell was always enabled since Secure Shell always called the TCP Wrapper function host_access(3) to determine if a connection attempt should proceed. If TCP Wrappers was not configured on that system, access, by default, would be granted. Otherwise, the rules as defined in the hosts.allow and hosts.deny files would apply. For more information on these files, see hosts_access(4). Note that this and all of the TCP Wrappers manual pages a stored under /usr/sfw/man in Solaris 10. To view this manual page, you can use the following command:

$ man -M /usr/sfw/man -s 4 hosts_access

inetd-based services use TCP Wrappers in a different way. In Solaris 9, to enable TCP Wrappers for inetd-based services, you must edit the /etc/default/inetd file and set the ENABLE_TCPWRAPPERSparameter to YES. By default, TCP Wrappers was not enabled for inetd.

In Solaris 10, two new services were wrapped: sendmail and rpcbind. sendmail works in a way similar to Secure Shell. It always calls the host_access function and therefore TCP Wrappers support is always enabled. Nothing else needs to be done to enable TCP Wrappers support for that service. On the other hand, TCP Wrappers support for rpcbind must be enabled manually using the new Service Management Framework ("SMF"). Similarly, inetd was modified to use a SMF property to control whether TCP Wrappers is enabled for inetd-based services.

Let's look at how to enable TCP Wrappers for inetd and rpcbind...

To enable TCP Wrappers support for inetd-based services, you can simply use the following commands:

# inetadm -M tcp_wrappers=true
# svcadm refresh inetd

This will enable TCP Wrappers for inetd-based (streams, nowait) services like telnet, rlogin, and ftp (for example):

# inetadm -l telnet | grep tcp_wrappers
default  tcp_wrappers=TRUE

You can see that this setting has taken effect for inetd by running the following command:

# svcprop -p defaults inetd
defaults/tcp_wrappers boolean true

Note that you can also use the svccfg(1M) command to enable TCP Wrappers for inetd-based services.

# svccfg -s inetd setprop defaults/tcp_wrappers=true
# svcadm refresh inetd

Whether you use inetadm(1M) or svccfg is really a matter of preference. Note that you can also use inetadm or svccfg to enable TCP Wrappers on a per-service basis. For example, let's say that we wanted to enable TCP Wrappers for telnet but not for ftp. By default, both the global and per-service settings for TCP Wrappers are disabled:

# inetadm -p | grep tcp_wrappers
tcp_wrappers=FALSE

# inetadm -l telnet | grep tcp_wrappers
default  tcp_wrappers=FALSE

# inetadm -l ftp | grep tcp_wrappers
default  tcp_wrappers=FALSE

To enable TCP Wrappers for telnet, use the following command:

# inetadm -m telnet tcp_wrappers=TRUE

Let's check out settings again:

# inetadm -p | grep tcp_wrappers
tcp_wrappers=FALSE

# inetadm -l telnet | grep tcp_wrappers
         tcp_wrappers=TRUE

# inetadm -l ftp | grep tcp_wrappers
default  tcp_wrappers=FALSE

As you can see, TCP Wrappers has been enabled for telnet but none of the other inetd-based services. Pretty cool, eh?

You can enable TCP Wrappers support for rpcbind by running the following command:

# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind

This change can be verified by running:

# svcprop -p config/enable_tcpwrappers rpc/bind
true

That is all that there is to it! Quick, easy and painless! As always, let me know what you think!

Take care!

Recommended Links

Google matched content

Softpanorama Recommended

Top articles

Sites

Tips and Tricks at OpenSolaris.org

Solaris tips Sheets

Solaris Tips and Tricks

Modular Debugger (mdb) cheatsheet (PDF)

Sys Admin Cool Commands

Sun documentation by product

Solaris Admininstror's Quick Reference (PDF)

Solaris Tips and tricks knowledge base (outdated)

Solaris Hints and Tips

Solaris - Tips & Tricks collection

My Solaris page

Some scripts I have written for Solaris that you may find interesting:


Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: September 12, 2017