[CentOS] Using "root" Type User Via Forwarding-SSH-Tunnel Inside Non-Root SSH Connection

Thu Apr 4 08:50:12 UTC 2013
Bry8 Star <bry8star at yahoo.com>

Hi,
QUESTION:
What implications are there when using the "root" account, or a root-type
account, via a port-forwarding SSH tunnel inside (or on top of)
another, non-root user's SSH tunnel?

Does such a double layer of encryption bring more security, or is the
system still as vulnerable as with a single layer of SSH encryption?

DETAILS:

On the CentOS (6.3 & 6.4) server side I have done the following:
(1) Created a user named "administrator". Then, using the visudo
command, I allowed "administrator" a higher level of access &
permission, similar/close to the "root" user (not exactly the same though).
http://wiki.centos.org/TipsAndTricks/BecomingRoot
(Basically this "administrator" user has the privilege to run
maintenance-related software.)

(2) Created a user named "non-root", a standard/normal user.

(3) In the /etc/ssh/sshd_config file I have changed the default
configuration to this:
# File: /etc/ssh/sshd_config
port NNN10
protocol 2
SyslogFacility AUTHPRIV
AllowUsers non-root root@127.0.0.1 administrator@127.0.0.1
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding no
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
# End of File: /etc/ssh/sshd_config

The above config allows only the "non-root" user to connect to the CentOS
server from the internet. "administrator" and "root" can/must only
connect from the local IP address 127.0.0.1.

In the /etc/issue file and in the /etc/issue.net file I have placed this
text:
***********************************
     NOTICE / WARNING TO USERS
 * This computer system is private
   property of its owner, Bry8Star.
 * This message is shown from
   hostname.sld.tld
 * It is for AUTHORIZED use only.
   Any unauthorized or improper
   use of this system will result
   in CIVIL and CRIMINAL PENALTIES
   ...
 * ...
 * Your connection IP ADDRESS,
   PORT, and TIME info etc are
   recorded by this computer.
***********************************

In the /etc/profile file, I have placed the 13 lines below, just above
the "unset i" line near the bottom:
if [ -n "$SSH_CLIENT" ]
then
	set -- $SSH_CLIENT   # fields: client IP, client port, server port
	echo "Your current connection coming from IP Address $1 using port $2, to this computer."
else
	if [ -n "$SSH_CONNECTION" ]
	then
		set -- $SSH_CONNECTION   # fields: client IP, client port, server IP, server port
		echo "Your current connection coming from IP Address $1 using port $2, to this computer."
	else
		echo "Your current connection's IP Address & port could not be shown for now."
	fi
fi

In the /etc/profile.local file, I have placed the 13 lines below at the
bottom:

if [ -n "$SSH_CLIENT" ]
then
	set -- $SSH_CLIENT   # fields: client IP, client port, server port
	echo "You have connected from IP Address $1 using port $2"
else
	if [ -n "$SSH_CONNECTION" ]
	then
		set -- $SSH_CONNECTION   # fields: client IP, client port, server IP, server port
		echo "You have connected from IP Address $1 using port $2"
	else
		echo "User's IP Address could not be shown"
	fi
fi

The code above lets me see which IP:port is currently being used.
And after login, opensshd by default shows the last/previous connection's
IP address or reverse domain. This helps me see instantly which IP
is being used right now, or who is attempting to log in, in a simple way.
Of course the log can show more detailed info.

And on the client side (user side), I'm using PuTTY, PuTTY-based, or
other SSH client software, with this configuration:

The SSH client software has 3 connection profiles.

The "ssh-client-01" connection profile is configured for the regular
user "non-root", and connects to ip.address.numbers:port
(hostname.sld.tld:NNN10) (sld = 2nd-level domain, tld = top-level
domain). This connection profile is also configured to create one
encrypted port-forwarding tunnel through the SSH tunnel: local port
NNN11 is port-forwarded to the (local) port NNN10 inside the CentOS
server (hostname.sld.tld).

The "ssh-client-02" connection profile is configured for the user
"administrator", and connects to the local IP address 127.0.0.1 on port
NNN11 (127.0.0.1:NNN11). This connection profile itself has no
port-forwarding tunnels. It uses the forwarding tunnel of
"ssh-client-01" to create an SSH tunnel to the SSH server port
NNN10 of the CentOS server.

The "ssh-client-03" connection profile is configured with the user
"root", and connects to the local IP address 127.0.0.1 on port NNN11
(127.0.0.1:NNN11). This connection profile itself has no
port-forwarding tunnels. It uses the forwarding tunnel of
"ssh-client-01" to create an SSH tunnel to the SSH server port
NNN10 of the CentOS server.

I first connect to the CentOS server using "ssh-client-01", then I
connect again to the CentOS server using "ssh-client-02".

In this way "ssh-client-02" (for "administrator") goes through the
encryption layer of "ssh-client-01" (for "non-root").

If I need to use "root"-level access/privilege, I do this:

sudo one-command options

For multiple commands I do this:

su -
a-command options
another-command options
exit

To switch into another user account (like "GUIuser1", "non-root2")
without disconnecting, I do:

su GUIuser1
su non-root2

I use the "ssh-client-03" profile for exceptional purposes, only when
I absolutely must use the "root" account directly.

QUESTION:
How can I configure the opensshd-related settings so that it shows the
current IP address & port used by the user who is trying/attempting
to log in, BEFORE the user types in the password?

I have placed the text "This is \o | Now it is \t \d | Connection is
using \l" in the /etc/issue file and also in the /etc/issue.net file, but it
does not work; it just appears verbatim (the escape-sequence special
variables do not get translated/replaced by special values).

I want to show the user who is attempting to log in his/her
IP address, port, time, etc., every time before typing the
password.

QUESTION:
What is/are the better practice(s) to secure a CentOS server with
regard to SSH?

QUESTION/Possible-SOLUTION:
Should I remove "root@127.0.0.1" from "AllowUsers" and add a
"PermitRootLogin no" line in the /etc/sshd_config file?

Thanks in advance,
-- Bright Star.
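The following is an added example, not part of the post above and not CentOS project code. It addresses the last two questions (better SSH practice, and whether to drop root from AllowUsers and set PermitRootLogin no) with an offline audit of an sshd_config. Two points the audit encodes: sshd keeps the first value it reads for a keyword and leaves PermitRootLogin at "yes" when it is unset (the default on the OpenSSH 5.3 that CentOS 6 ships); and an AllowUsers entry such as root@127.0.0.1 is matched by the inner tunnel (which arrives at sshd from 127.0.0.1) but equally by any process already running on the server, so with password authentication on, the outer non-root layer gates who can reach the port, while the inner connection's encryption and authentication stand on their own. On the banner question: sshd sends the Banner file verbatim; the \o \t \d \l escapes are expanded by the console getty, not by sshd. The sample config files, their paths, and the finding wording are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): offline audit of the sshd_config
# settings discussed above.  Keyword names and OpenSSH semantics are real;
# the sample files and their paths are constructed for this example.

# sshd_get KEYWORD FILE
# Prints the effective value of KEYWORD from the global section of FILE.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and everything after the first "Match" line is
# conditional, so parsing stops there.  Prints nothing if KEYWORD is unset.
sshd_get() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }   # comment line
        NF == 0                { next }   # blank line
        tolower($1) == "match" { exit }   # leaving the global section
        tolower($1) == k       { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# audit_sshd FILE
# Prints one finding per line and returns the number of findings.
audit_sshd() {
    file=$1
    count=0

    # Unset PermitRootLogin means "yes" on the OpenSSH 5.3 shipped with CentOS 6.
    prl=$(sshd_get PermitRootLogin "$file")
    [ -n "$prl" ] || prl="yes (default)"
    case $prl in
        no) ;;
        *)  echo "PermitRootLogin=$prl: root may log in over SSH"
            count=$((count + 1)) ;;
    esac

    # Password authentication exposes every allowed account to guessing.
    pa=$(sshd_get PasswordAuthentication "$file")
    [ -n "$pa" ] || pa="yes (default)"
    case $pa in
        no) ;;
        *)  echo "PasswordAuthentication=$pa: password guessing possible"
            count=$((count + 1)) ;;
    esac

    # AllowUsers entries for root matter only while PermitRootLogin is not
    # "no" (both checks must pass).  A loopback host pattern limits the
    # source to the forwarded tunnel AND to anything already on the server.
    au=$(sshd_get AllowUsers "$file")
    if [ -z "$au" ]; then
        echo "AllowUsers unset: every local account may attempt SSH login"
        count=$((count + 1))
    elif [ "$prl" != no ]; then
        for entry in $au; do
            case $entry in
                root@127.0.0.1|root@::1|root@localhost)
                    echo "AllowUsers $entry: any local user or tunnel can try root on loopback"
                    count=$((count + 1)) ;;
                root)
                    echo "AllowUsers root: root allowed from any address"
                    count=$((count + 1)) ;;
                root@*)
                    echo "AllowUsers $entry: root allowed from ${entry#root@}"
                    count=$((count + 1)) ;;
            esac
        done
    fi
    return "$count"
}

# write_samples WEAK HARDENED
# Constructed samples: the global settings as posted (PermitRootLogin unset,
# "root at 127.0.0.1" read back as root@127.0.0.1), and a hardened variant.
write_samples() {
    cat > "$1" <<'EOF'
# constructed sample: settings as posted
protocol 2
AllowUsers non-root root@127.0.0.1 administrator@127.0.0.1
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
EOF
    cat > "$2" <<'EOF'
# constructed sample: root login off, keys only, root dropped from AllowUsers
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers non-root administrator@127.0.0.1
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
EOF
}

# Stand-alone demo: audit both samples and report the finding count.
d=$(mktemp -d)
write_samples "$d/sshd_config.weak" "$d/sshd_config.hardened"
for f in "$d"/sshd_config.*; do
    echo "== $f"
    n=0; audit_sshd "$f" || n=$?
    echo "   $n finding(s)"
done
rm -rf "$d"
```

Run against a real server with `audit_sshd /etc/ssh/sshd_config`; the hardened sample keeps the administrator@127.0.0.1 loopback restriction from the post but removes root and switches to key-only authentication, so the inner tunnel still carries administrator and sudo/su provide root.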
