[clug] Remote Authentication for Linux

steve jenkin sjenkin at canb.auug.org.au
Wed Sep 1 04:37:15 UTC 2021


Is this a “What if” planning problem or a “Holy Crap!” Operational Problem?

Specifically, are you trying to get an admin shell (ie. ’super user’) access to a machine that’s in trouble with a full /var?

==============

<mode type=“pendant"> There’s no such thing as ‘a remote login’ on Unix-based systems. </mode>

There are only tty-based sessions, spawning a command (typically a shell with ‘-l’ flag) to a particular UID’s - not even usernames, though multiple usernames can have the same UID.

Any application that's allowed to accept incoming network connections can spawn any executable with it’s own UID.
If the application has the “setuid” bit set and is owned by UID 0, it can spawn a process with any UID - exactly the same as login / getty used to create user shells.

In BSD, this was how “inetd” was used as a ‘remote access’ equivalent to “init”, with control file (/etc/inetd.conf) modelled on /etc/inittab and /etc/init.d + /etc/rc.d.
The original Unix "inetd" was derived from “init”, which rate-limited login attempts - from serial ports. Getty would be “respawned” as fast as the system would allow.
There were simple mis-configurations of ports & cables that could create this issue and the system would hit 100% CPU respawning getty.

Early “inetd” had this hard-coded respawn limit, which proved a problem with high-performance machines receiving lots of connection requests.

==============

Simple answer, assuming you’re dealing with an operational problem"

	If you’ve got still SSHD got running, I presume you’ve got a series of non-admin (UID > 1000) usernames already setup.
	Some of those usernames must have the ability to become super-user, ie. entires in “sudo” (/etc/sudoers) or equivalent.

	You need to find one of those special accounts that has "private key” authentication setup.
	Ideally your existing username is also in /etc/sudoers or is allowed to execute ‘/bin/su’ and you know the super-user password

If you haven’t preplanned remote shell access, your only option is to get to the console to login, or power cycle the system.


==============

I don’t know how SSHD copes with not being able to log logins (to /var/log/auth.log and/or /var/log/secure. others? unsure)
	See /etc/sshd_config for locations

With normal partition mapping, a full /var will stop logging in /var/log

Something to note:
	In BSD-based UFS filesystem, writes/creat's by _non-admin_ users would return a Filesystem Full error when filesys was 95% full.
	Super-user (maybe other admin users) were the only processes that could completely fill a filesystem (to 100%)

	I’m not sure of the detail of non-priviliged processes using “syslog” facility to write via syslogd (runs privileged) to typically write in /var/log

	Web-servers normally are run with minimum privileges (even the ’nobody’ UID) for ’security’ reasons.
	A side effect was the web-server would stop logging to /var/log directly, but if it’s writing via “syslog”, that could fill /var.

==============
	

> On 1 Sep 2021, at 12:22, jm via linux <linux at lists.samba.org> wrote:
> 
> Does anyone know of a list of (or can suggest) an authentication method
> that will work with debian? The requirements is that it can do the log
> in procedure for someone trying to log into the machine remotely, most
> likely via ssh, who may never have logged in when the clock may be
> highly skewed and the /var partition is full.
> 
> 
> Jeff.
> 
> 
> 
> -- 
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

--
Steve Jenkin, IT Systems and Design 
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin




More information about the linux mailing list