Linux security - SUDO

sudo vs ssh root

According to this article, there are several ways to obtain elevated privileges (i.e. root) on a GNU/Linux box. The most popular one is sudo, but this _may_ not be the safest solution; an alternative is SSH with some localhost-specific settings.

SSHd settings

Common settings

# disable password logins
PasswordAuthentication no
ChallengeResponseAuthentication no	# OpenSSH <8.7 (Debian)
KbdInteractiveAuthentication no	# OpenSSH 8.7+
PubkeyAuthentication yes

Let root log in with a key:

from everywhere:
PermitRootLogin prohibit-password

from localhost only:
PermitRootLogin no

Match Address 127.0.0.1
  PermitRootLogin prohibit-password

Match blocks belong at the bottom of the file: every directive placed after a Match line applies only within that block (until the next Match), so it would no longer be global. Note that Match Address 127.0.0.1 covers only the IPv4 loopback address; a connection to ::1 over IPv6 is not matched.

Other SSHd settings worth considering in this context

AllowUsers root
  only root can log in
LoginGraceTime 30s
  SSHd closes the connection if you fail to log in within 30s
MaxAuthTries 4
  up to 4 attempts to log in; failures are logged once half that number is reached
PerSourceMaxStartups 1
MaxStartups 4096
  limit the number of concurrent unauthenticated connections to SSHd
TODO:
  * check whether both can be specified at once:
    from="12.34.56.78" command="cmd" ssh-ed25519 key
  * some docs mention "PermitRootLogin forced-commands-only" as a prerequisite...

How to open a shell as another user whose login shell is disabled?

Situation

Solution

Alternate solution

  1. become root:
    sudo -i
  2. as root, become stuart:
    su -s /bin/bash - stuart

How to log in as root via sudo only?

On modern (decent!) Linux distributions, you can no longer log in as root directly. Instead, selected users are allowed to gain elevated privileges with sudo. This is a good thing. To set this up:
  1. Open a terminal as root (in the CTRL-ALT-Fn screens) just in case something goes wrong in the process. Leave it as is, and continue the procedure in another terminal.
  2. Become a sudoer. This implies adding
    bob	ALL=(root)	/bin/su
    to /etc/sudoers.d/bob.
  3. Try it, as bob:
    sudo su -
    After typing your password, you should have become root.
  4. Now, as root, lock the root password: passwd -l root
  5. Check this with: grep root /etc/shadow
    root:!$6$fRTcws15$d7doaLc.WNnUK/4l4mHTnA......
    Read more about ! and * in the password field of /etc/shadow
  6. Try opening a shell as root with the root password; it should fail now (sudo su - still works, since it asks for bob's own password).
  7. Enjoy

How to become a sudoer?

The bare minimum of sudoing: let Bob become a sudoer, using local authentication:

This is potentially granting too many rights!

As root:
  1. Make Bob a member of the sudo group: adduser bob sudo
  2. touch /etc/sudoers.d/bob
    At this step, Bob can already run sudo commands since:
    • he belongs to the sudo group
    • and thanks to this directive in /etc/sudoers:
      # Allow members of group sudo to execute any command
      %sudo	ALL=(ALL:ALL)	ALL
      The %whatever syntax refers to the whatever group (source).
  3. Edit it with your favorite text editor:
    bob	ALL=(root)	NOPASSWD:/usr/sbin/service
    • There must be a LF after the last directive, otherwise trying to use these new permissions fails:
      >>> /etc/sudoers.d/bob: syntax error near line 1 <<<
      sudo: parse error in /etc/sudoers.d/bob near line 1
      sudo: no valid sudoers sources found, quitting
      sudo: unable to initialize policy plugin
    • Both [space] and [TAB] indentation are supported
  4. Save, exit, then chmod 440 /etc/sudoers.d/bob

Notes about sudo passwords (source):

When launching a sudo command:
  1. sudo prompts for the user's password
  2. IF the password is correct AND IF the command is allowed:
    • sudo records the successful authentication in a dedicated (timestamp) cache
    • the default cache duration looks to have been decreased from 15 minutes to 5 minutes (it is 5 minutes in sudo 1.8.31; earlier versions not checked)
    OTHERWISE (wrong password OR forbidden command):
    • nothing is cached
  3. The next time a sudo command is launched, the cached authentication is reused if it is still valid, so no password is asked (the command itself is still checked against the sudoers rules)
To purge the cache: sudo -k

Using LDAP authentication

This line of /etc/sudoers:
  bob ALL=(ALL) ALL
becomes (literally) this in the LDAP rules:
  sudoUser sudoHost=(sudoRunAs) sudoCommand sudoOption
(details)
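As an added example (not the page's own code), a small Python checker covering the two sudoers points above: it flags a /etc/sudoers.d fragment that lacks the final LF, and it maps a user specification such as bob ALL=(ALL) ALL onto the sudoUser/sudoHost/sudoRunAs/sudoCommand/sudoOption attributes of an LDAP sudoRole. The tag-to-sudoOption table (NOPASSWD becomes !authenticate) and the sudoRunAsGroup attribute are taken from the sudoers LDAP schema, not from this page; Defaults lines and aliases are not handled.

```python
import re

# One sudoers user specification: user host=(runas) [TAG:]cmd[, ...] (Defaults/aliases not handled)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
# sudoers tags and the sudoOption each one becomes in an LDAP sudoRole (schema, not this page)
TAG_TO_OPTION = {"NOPASSWD": "!authenticate", "PASSWD": "authenticate",
                 "NOEXEC": "noexec", "EXEC": "!noexec",
                 "SETENV": "setenv", "NOSETENV": "!setenv"}

def rule_to_ldap(line: str) -> dict:
    """Parse one sudoers rule and return the sudoRole attributes it maps onto."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    # sudo runs commands as root when no (runas) list is given; "user:group" is split
    runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
    options, commands = [], []
    for spec in m.group("rest").split(","):
        spec = spec.strip()
        while spec.split(":", 1)[0] in TAG_TO_OPTION:   # peel TAG: prefixes off
            tag, spec = spec.split(":", 1)
            options.append(TAG_TO_OPTION[tag])
        commands.append(spec.strip())
    attrs = {"sudoUser": [m.group("user")], "sudoHost": [m.group("host")],
             "sudoRunAs": [runas_user], "sudoCommand": commands}
    if runas_group:          # sudoRunAsGroup: assumed from the LDAP schema, not named on this page
        attrs["sudoRunAsGroup"] = [runas_group]
    if options:
        attrs["sudoOption"] = options
    return attrs

def check_fragment(text: str) -> list:
    """Lint a /etc/sudoers.d fragment for the problems the page describes."""
    problems = []
    if not text.endswith("\n"):
        problems.append("no LF after the last directive (sudo reports a parse error)")
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            try:
                rule_to_ldap(line)
            except ValueError as exc:
                problems.append(f"line {n}: {exc}")
    return problems

if __name__ == "__main__":
    BROKEN = "bob\tALL=(root)\tNOPASSWD:/usr/sbin/service"   # constructed: page's rule, no final LF
    print(check_fragment(BROKEN))
    print(rule_to_ldap("%sudo\tALL=(ALL:ALL)\tALL"))
```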