Re: More on passwordless logins

From: Brian Hatch (secure-shell_at_ifokr.org)
Date: 06/27/03

    Date: Fri, 27 Jun 2003 11:47:18 -0700
    To: Ifan Jones <ifan@draig.co.uk>
    
    
    

    > My only concern is having created a user specifically for
    > the VPN (called vpn) I have had to change the vpn user's
    > primary group ID to 0 (root) or it would still ask for a
    > password when connecting via SSH. Should I be concerned
    > with the security of this?

    Yes, you can definitely have non-root users establish a
    PPP over SSH VPN. You'll need to set up 'sudo' on both
    ends, and grant the VPN user the ability to run pppd with
    the correct options. (You should be as detailed in your
    sudoers file as possible to prevent this account from doing
    anything they shouldn't.)

    It's a bit tricky to get all the quotes and backslashes
    in the right spot since you'll have the sudo command plus
    the pppd command on the SSH command line, so you'll probably
    want to use a shell script on both ends. Also, I'd highly
    recommend using the 'command=' option in authorized_keys to
    force this script and not allow this user to do anything but
    attempt to create a VPN. And, if you want to have even more
    security, have native PPP authentication (pap/chap) occur as
    well.

    For a detailed set of scripts to do this, get Building Linux VPNs.
    (Sorry for the plug - I wish I could have the scripts online, but
    they're password protected.)

    --
    Brian Hatch                  You need to shave.  If I
       Systems and                met you on the street, I'd
       Security Engineer          cross to avoid you.
    http://www.ifokr.org/bri/    --Bree
    Every message PGP signed
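
An added example, not part of the original message or its author's scripts: a small audit of the two restrictions recommended above, a forced 'command=' key entry and a fully spelled-out sudoers rule for pppd. The wrapper path, the pppd option list and every sample line are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Sample lines are constructed;
# the wrapper path and the pppd options are assumptions.

# Audit one authorized_keys line for the VPN key. Assumes an "ssh-*" key type.
audit_key_line() {
    case $1 in
        ssh-*) opts="" ;;              # starts with the key type: no options
        *)     opts=${1%% ssh-*} ;;    # options field in front of the key type
    esac
    problems=""
    case $opts in
        command=\"*|*,command=\"*) ;;
        *) problems="$problems no-forced-command" ;;
    esac
    case ",$opts," in
        *,restrict,*) ;;               # OpenSSH 'restrict' turns all of these off
        *)  for o in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
                case ",$opts," in
                    *,"$o",*) ;;
                    *) problems="$problems missing-$o" ;;
                esac
            done ;;
    esac
    problems=${problems# }
    echo "${problems:-ok}"
    [ -z "$problems" ]
}

# Audit one sudoers rule for the VPN user. A command listed without arguments
# may be run with any arguments, so pppd must carry its full option list.
audit_sudoers_rule() {
    cmd=${1##*NOPASSWD:}
    cmd=${cmd# }
    case $cmd in
        ALL|*\**)  echo "wildcard-or-ALL"; return 1 ;;
        */pppd)    echo "pppd-any-arguments"; return 1 ;;
        */pppd\ *) echo "ok" ;;
        *)         echo "not-pppd"; return 1 ;;
    esac
}

GOOD_KEY='command="/usr/local/sbin/vpn-wrapper.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAplaceholder vpn@client'
WEAK_KEY='ssh-rsa AAAAplaceholder vpn@client'
GOOD_RULE='vpn ALL=(root) NOPASSWD: /usr/sbin/pppd nodetach notty noauth'
WEAK_RULE='vpn ALL=(root) NOPASSWD: /usr/sbin/pppd'

for k in "$GOOD_KEY" "$WEAK_KEY"; do audit_key_line "$k" || true; done
for r in "$GOOD_RULE" "$WEAK_RULE"; do audit_sudoers_rule "$r" || true; done
```

The option matching is by substring on the options field, so a forced command whose own text contains " ssh-" or one of the option names would need a stricter parser.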
    
    


