BASH: createsftpaccount.sh
by dervish on Mar.04, 2009, under Linux, Scripts
UNIX Administrators
by dervish on Feb.10, 2009, under Hacker
UNIX Administrators: Saving servers from nefarious end-users since 1969.
How-To: Create Encrypted Partition with Key File
by dervish on Feb.05, 2009, under Hacker
Make sure the kernel modules are present:
modprobe aes
modprobe dm-crypt
Create a 256 bit key file containing random data:
dd if=/dev/random of=/etc/key bs=1 count=256
chown root:root /etc/key
chmod 600 /etc/key
Initialize the device:
cryptsetup --verbose -c aes-cbc-essiv:sha256 luksFormat /dev/sdb1 /etc/key
answer "YES" if you would like to overwrite the data on /dev/sdb1 irrevocably
Create the device mapping in /dev/mapper:
cryptsetup --key-file /etc/key luksOpen /dev/sdb1 sftpusers
Format the partition:
mkfs.ext3 /dev/mapper/sftpusers
Add the partition to /etc/fstab:
/dev/mapper/sftpusers /sftpusers ext3 defaults 0 0
Create/update /etc/crypttab with the device info:
sftpusers /dev/sdb1 /etc/key
Reboot to verify that the volume is mounted automatically. This configuration has been tested on Red Hat Enterprise Linux 5.
Done in order to satisfy a PCI compliance issue with VMware volume files. Files should be encrypted when not in use. Of course, this only ensures that the virtual disk file is encrypted at the ESX file system level. Credit card data inside the virtual drive still needs to be encrypted so that it is not accessible when the system is live.
Note: Leave out the key file steps if you want an encrypted partition that prompts for a password at boot.
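The steps above as shell functions, added here as an example; this is not code from the original post. It checks the key file the way the post sets it up (root-owned, mode 600, non-empty), generates the /etc/crypttab and /etc/fstab lines, and appends them only once so the setup can be re-run. Two caveats a practitioner should know: dd with bs=1 count=256 writes 256 bytes (2048 bits), and LUKS treats the file contents as a passphrase from which the volume key is derived, so the file size need not match the cipher key length; and /dev/random can block for a long time on a headless server, so this example substitutes /dev/urandom, which is adequate for this purpose. Anyone who can read the key file can open the volume, which is why the permission check is worth running. Function names, argument order and the use of GNU stat(1) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the key-file,
# /etc/crypttab and /etc/fstab steps. Function names, argument order and
# the use of GNU stat(1) are assumptions of this example.

# check_keyfile <path> [owner]
# Verify a LUKS key file the way the post sets it up: regular file, owned by
# <owner> (default root), mode 0600, non-empty. Prints the first problem found
# and returns 1; returns 0 when the file is acceptable.
check_keyfile() {
    kf=$1
    want_owner=${2:-root}
    [ -f "$kf" ] || { echo "keyfile: $kf is not a regular file"; return 1; }
    owner=$(stat -c '%U' "$kf")
    mode=$(stat -c '%a' "$kf")
    size=$(stat -c '%s' "$kf")
    [ "$owner" = "$want_owner" ] || { echo "keyfile: owned by $owner, expected $want_owner"; return 1; }
    [ "$mode" = "600" ] || { echo "keyfile: mode $mode, expected 600"; return 1; }
    [ "$size" -gt 0 ] || { echo "keyfile: $kf is empty"; return 1; }
    return 0
}

# crypttab_line <name> <device> <keyfile>
# The /etc/crypttab entry that opens <device> as /dev/mapper/<name> at boot.
crypttab_line() {
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# fstab_line <name> <mountpoint>
# The /etc/fstab entry for the opened mapping (ext3, no dump, no fsck pass).
fstab_line() {
    printf '/dev/mapper/%s %s ext3 defaults 0 0\n' "$1" "$2"
}

# append_unique <line> <file>
# Append <line> to <file> only if an identical line is not already present,
# so re-running the setup does not duplicate entries.
append_unique() {
    grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# setup_encrypted_volume <name> <device> <mountpoint> <keyfile>
# The post's procedure end to end. Must run as root on the target host; it is
# deliberately not invoked by anything else in this file.
setup_encrypted_volume() {
    name=$1; dev=$2; mnt=$3; kf=$4
    modprobe aes && modprobe dm-crypt || return 1
    if [ ! -e "$kf" ]; then
        # /dev/urandom instead of the post's /dev/random: it never blocks;
        # 256 bytes of key material, as in the post
        dd if=/dev/urandom of="$kf" bs=1 count=256 2>/dev/null || return 1
        chown root:root "$kf" && chmod 600 "$kf"
    fi
    check_keyfile "$kf" || return 1
    # luksFormat still asks for the uppercase YES confirmation before wiping $dev
    cryptsetup --verbose -c aes-cbc-essiv:sha256 luksFormat "$dev" "$kf" || return 1
    cryptsetup --key-file "$kf" luksOpen "$dev" "$name" || return 1
    mkfs.ext3 "/dev/mapper/$name" || return 1
    mkdir -p "$mnt"
    append_unique "$(fstab_line "$name" "$mnt")" /etc/fstab
    append_unique "$(crypttab_line "$name" "$dev" "$kf")" /etc/crypttab
}
```

To use it as root, source the file and call setup_encrypted_volume sftpusers /dev/sdb1 /sftpusers /etc/key; check_keyfile can be run on its own afterwards (for example from a nightly audit job) to catch a key file whose ownership or mode has drifted.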
How-To: Replace SSH & Enable Chrooted SFTP
by dervish on Feb.03, 2009, under Linux
1. Download the latest OpenSSH
2. Unpack the tar file
3. cd to the openssh source directory
4. vi version.h and remove the VERSION_SSH information (if desired)
example: #define SSH_VERSION "OpenSSH"
5. run ./configure --with-tcp-wrappers
6. resolve any missing dependencies
7. login via a telnet session (so that the session survives stopping sshd in the next step)
8. disable ssh and remove the existing SSH packages
9. run "make install" from the openssh source directory
10. cp opensshd.init to /etc/init.d/sshd
11. add the following chkconfig information to the top of the /etc/init.d/sshd file:
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
12. run chkconfig --add sshd
13. create the sftponly group
groupadd sftponly
14. edit /usr/local/etc/sshd_config
update the sftp subsystem to internal-sftp
# override default of no subsystems
#Subsystem sftp /usr/local/libexec/sftp-server
Subsystem sftp internal-sftp
add this section to the bottom of the file:
Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
15. create the sftp "jail" directory
mkdir /sftpusers
chown root:root /sftpusers
chmod 755 /sftpusers
16. create the sftponly user accounts
useradd -g sftponly -d /sftpusers/user user
mkdir -p /sftpusers/user/data
chown root:root /sftpusers/user
chmod 755 /sftpusers/user
chown user:sftponly /sftpusers/user/data
chmod 700 /sftpusers/user/data
passwd user
The user will now have complete control of the data directory, read access to /sftpusers/user, and be unable to cd past the root of /sftpusers/user.
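Step 16 as a function, with a check of the layout it produces, added here as an example; it is not code from the original post and is not the createsftpaccount.sh script mentioned at the top of the page. The reason the post chowns /sftpusers and /sftpusers/user to root with mode 755 is that sshd refuses to chroot into a ChrootDirectory unless every component of the path is owned by root and not writable by group or others (the "bad ownership or modes for chroot directory" error in the auth log), so the writable data subdirectory has to sit one level below the chroot. check_sftp_home verifies that shape for one account; the expected owner is a parameter so the check can also run unprivileged in a scratch directory. Function names, argument order and the use of GNU stat(1) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: step 16 as a function, plus a
# check of the ownership and mode rules sshd enforces on a ChrootDirectory.
# Function names, argument order and GNU stat(1) are assumptions of this file.

# writable_by_group_or_other <path>: returns 0 if either write bit is set.
writable_by_group_or_other() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# check_sftp_home <home> <user> [owner]
# Verify the layout the post builds: <home> is a directory owned by <owner>
# (root by default) and not writable by group or others, which sshd requires
# of every component of a ChrootDirectory; <home>/data exists, is owned by
# <user> and is mode 700. Prints the first violation and returns 1, else 0.
check_sftp_home() {
    home=$1; user=$2; owner=${3:-root}
    [ -d "$home" ] || { echo "$home: not a directory"; return 1; }
    h_owner=$(stat -c '%U' "$home")
    [ "$h_owner" = "$owner" ] || { echo "$home: owned by $h_owner, expected $owner"; return 1; }
    if writable_by_group_or_other "$home"; then
        echo "$home: writable by group or others; sshd will refuse to chroot here"
        return 1
    fi
    [ -d "$home/data" ] || { echo "$home/data: missing"; return 1; }
    d_owner=$(stat -c '%U' "$home/data")
    d_mode=$(stat -c '%a' "$home/data")
    [ "$d_owner" = "$user" ] || { echo "$home/data: owned by $d_owner, expected $user"; return 1; }
    [ "$d_mode" = "700" ] || { echo "$home/data: mode $d_mode, expected 700"; return 1; }
    return 0
}

# create_sftp_account <user> [jail]
# Step 16 of the post: must run as root, prompts for the new password at the
# end. useradd is given -d without -m, so the home is created by hand below.
create_sftp_account() {
    user=$1; jail=${2:-/sftpusers}
    home="$jail/$user"
    useradd -g sftponly -d "$home" "$user" || return 1
    mkdir -p "$home/data" || return 1
    chown root:root "$home" && chmod 755 "$home" || return 1
    chown "$user:sftponly" "$home/data" && chmod 700 "$home/data" || return 1
    check_sftp_home "$home" "$user" root || return 1
    passwd "$user"
}
```

check_sftp_home is also useful after the fact: running it over every directory under /sftpusers will find an account whose home was later chmod'ed group-writable (a common cause of sudden "connection closed" errors for chrooted SFTP users).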
How-To: Update SAProuter SNC Certificate
by dervish on Jan.26, 2009, under Hacker
The certificate is good for 1 year.
1. switch to the same account that the SAProuter server runs as
examples: su, sudo -s, etc.
2. stop the router service
3. back up the router folder
example: cp -rp saprouter saprouter.bak
4. change to the router home directory
5. rename certreq, srcert, local.pse, and cred_v2 to file.yyyymmdd
6. generate the certificate request (a new certreq) using the following command:
sapgenpse get_pse -v -r certreq -p local.pse "CN=saprouter1, OU=0000350309, OU=SAProuter, O=SAP, C=DE"
do not enter a PIN (just press enter)
7. copy the contents of certreq to the clipboard
8. browse to http://www.service.sap.com/saprouter-sncadd
9. paste the contents of the clipboard into the form
10. step through the form to generate the new certificate information
11. copy and paste the new certificate data into a file called srcert
12. import the certificate using the following command
./sapgenpse import_own_cert -c srcert -p local.pse
do not enter a PIN (press enter)
13. set up the login using the following command
sapgenpse seclogin -p local.pse
this will create a final file called cred_v2
14. check that the certificate has been loaded correctly by using the following command:
sapgenpse get_my_name -v -n Issuer
15. start the router service
16. delete the backup router directory made in step 3 if it is no longer needed
The CN and OU information will be different and based on the configuration for your company.
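The housekeeping parts of this renewal (step 3 and step 5) are where a hurried administrator loses the old PSE, so here they are as functions, added as an example; this is not code from the original post. archive_pse_files skips files that do not exist yet (a first renewal has no old srcert) and refuses to overwrite a dated backup made earlier the same day, and backup_router_dir refuses to clobber an existing .bak directory. The two sapgenpse wrappers run the post's commands in order and are split at the manual step (pasting certreq into the SAP form), since the import must not run against last year's srcert. Function names, argument order and the assumption that sapgenpse is on PATH are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: the backup and dated-rename
# steps of the SAProuter certificate renewal as functions, plus the sapgenpse
# commands from the post in order. Function names, argument order and the
# assumption that sapgenpse is on PATH are this example's own.

# archive_pse_files <router_dir> [yyyymmdd]
# Step 5: rename certreq, srcert, local.pse and cred_v2 to name.yyyymmdd.
# A missing file is skipped; an existing backup with the same stamp is never
# overwritten, and the function stops before moving anything else.
archive_pse_files() {
    dir=$1; stamp=${2:-$(date +%Y%m%d)}
    for f in certreq srcert local.pse cred_v2; do
        [ -e "$dir/$f" ] || continue
        if [ -e "$dir/$f.$stamp" ]; then
            echo "refusing to overwrite existing backup $dir/$f.$stamp"
            return 1
        fi
        mv "$dir/$f" "$dir/$f.$stamp" || return 1
    done
    return 0
}

# backup_router_dir <router_dir>
# Step 3: copy the whole directory to <router_dir>.bak preserving ownership
# and modes; refuse to clobber an earlier backup.
backup_router_dir() {
    [ -d "$1" ] || { echo "$1: not a directory"; return 1; }
    [ ! -e "$1.bak" ] || { echo "$1.bak already exists"; return 1; }
    cp -rp "$1" "$1.bak"
}

# prepare_cert_request <router_dir> <distinguished_name>
# Steps 3, 5 and 6: back up, archive the old files, generate the new request.
# Run with the router stopped, as the router's own account. Press Enter at the
# PIN prompt, as the post says. Not invoked by anything else in this file.
prepare_cert_request() {
    backup_router_dir "$1" || return 1
    archive_pse_files "$1" || return 1
    ( cd "$1" && sapgenpse get_pse -v -r certreq -p local.pse "$2" ) || return 1
    echo "submit $1/certreq to the SAP form and save the reply as $1/srcert"
}

# finish_cert_renewal <router_dir>
# Steps 12 to 14: import the new certificate, create cred_v2, print the issuer.
# Requires the srcert saved from the SAP form; refuses to run without it.
finish_cert_renewal() {
    [ -f "$1/srcert" ] || { echo "$1/srcert missing; paste the new certificate there first"; return 1; }
    ( cd "$1" \
      && sapgenpse import_own_cert -c srcert -p local.pse \
      && sapgenpse seclogin -p local.pse \
      && sapgenpse get_my_name -v -n Issuer )
}
```

A typical run is prepare_cert_request /usr/sap/saprouter "CN=saprouter1, OU=0000350309, OU=SAProuter, O=SAP, C=DE", the manual form submission, then finish_cert_renewal /usr/sap/saprouter and a router restart; the dated backups left behind are what step 16 cleans up once the new certificate has been confirmed working.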