Philipp's questions -server

Philipp

Asked: 2014-10-24 01:37:53 +0800 CST

Linux ssh: allow public-key authentication without giving user read rights to private key

14

Users logged in on my Linux server should be able to ssh to a specific remote machine with a default account. The authentication on the remote machine uses public key, so on the server the corresponding private key is available.

I don't want the server users to actually be able to read the private key. Basically, the fact that they have access to the server allows them the ssh right, and removing them from the server should also disallow connection to the remote machine.

How can I allow users to open an ssh connection without giving them read access to the private key?

My thoughts so far: obviously the ssh executable must be able to read the private key, so it must run under another user on the server which has those right. Once the ssh connection is established, I can then "forward" it to the user so that he can enter commands and interact with the remote machine.

Is this a good approach?
How should I implement the forward?
How can the user initiate the connection (that is, the execution of the ssh by the user which has read rights on the key)?
Is there a security loophole? - if the users can execute an ssh as another user, can they then do everything that other user could (including, reading the private key)?

Philipp

Asked: 2014-07-12 03:03:01 +0800 CST

Execution order of runlevel scripts

5

My runlevel 0 scripts in /etc/rc0.d, which should be executed when stopping are for example

K05foo -> ...
K10bar -> ...
K80baz -> ...
S10somemore -> ...
S90halt -> ...

Is it correct, that the excution order is as listed above, that is

First all Kills, in ascending priority order
Then all Starts, in ascending priority order
All this, independently of the runlevel to which we switch (S,0-6)
All scripts always get called (ie. there is no additional checks which would prevent a script to be called, for example whether in the previous runlevel that script was in fact started)

I'm confused because on my embedded system some of the scripts don't seem to get executed, and that page says

S20 link is started before a S91 and and K91 is kill before K20.

which contradicts my text above.

Philipp

Asked: 2014-06-17 04:32:51 +0800 CST

Make sshd listen to a specific interface

16

On my machine I'm using OpenVPN which use the tun0 interface. I want sshd to listen only on this interface.

I know, I can specify the IP address to listen to in

/etc/ssh/sshd_config

with a

ListenAddress 0.0.0.0

directive. But my IP address will change, so I cannot choose an IP here which is always valid. I know that I can start the daemon only when the VPN is up - that's not the problem.

How can I make sshd only listen on a specific interface (tun0)?

Philipp

Asked: 2013-11-27 05:27:16 +0800 CST

Apache server password file (htpasswd) encoding

2

I use .htaccess, basic authentication and a corresponding password file to secure my web-space. The hosting is Linux / Apache.

I want to support a user name with French accents (ie. not ASCII).

Are non-ASCII user names supported?
What encoding should the password file be in (UTF8, Latin-1, ...)?

Philipp

Asked: 2013-07-19 06:41:52 +0800 CST

Exchange 2003: new user name could not be resolved

0

I create a new user on our SBS 2003 with Exchange 2003. The setup went well, the new user can logon, also the exchange setup has worked - access to the mailbox over OWA is working.

Now I'm setting up the user's Win XP computer. Starting and setting up Outlook 2003 with the exchange server name and new username, I'am getting the error

The name could not be resolved. The name could not be matched to a name in the address list.

If I use the username of another, previously existing user, the name resolves correctly. This means that the communication from PC to Exchange server is working OK (DNS etc).

On the server, the new user appears correctly in Active Directory Users and Computers.

Do I need to "publish" the new user somehow?

What should I do, so that outlook finds the exchange mailbox?

Philipp

Asked: 2012-08-08 00:00:24 +0800 CST

"Allow logon locally" policy missing on Win XP

1

My active directory (SBS 2003) domain users cannot log on locally to a given client machine (XP SP3). Logon with the domain admin works.

I would like users to be able to logon locally to this computer, so I'm trying to find out where the restriction is set. For this I locally start rsop.msc and navigate to

Console Root / <ComputerName> / Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment

Here I would like to view the "Allow logon locally" policy, but it is missing.
I have many (all?) other policies, including "Deny logon locally" and "Allow logon through Terminal Services".

Why is "Allow logon locally" missing and how can I restore it?

Linux ssh: allow public-key authentication without giving user read rights to private key

Execution order of runlevel scripts

Make sshd listen to a specific interface

Apache server password file (htpasswd) encoding

Exchange 2003: new user name could not be resolved

"Allow logon locally" policy missing on Win XP

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?