[ProgClub programming] Network administration notes
althalus87 at gmail.com
Thu Apr 10 10:35:44 EST 2014
You should also probably use the AllowGroups option in sshd_config:
# Only people in the admin group can SSH into this machine
On Tue, Apr 8, 2014 at 3:38 PM, John Elliot V <jj5 at progclub.org> wrote:
> I realised yesterday that our admin server (charity) was wide open for a
> When I create users on charity I disable the user password unless the
> user is an administrator so that ostensibly ordinary members can't log in
> to the admin server. Only administrators should be able to log on to the
> admin server. There are two user machines (honesty and hope) available
> for all members.
> Until yesterday charity:/home was the home directory on charity and
> exported to honesty:/home and hope:/home via NFS. So a malicious user
> could create an SSH key in their home directory via honesty or hope and
> then SSH to charity where their key would be found!
> So I've had to separate the /home directories for honesty/hope and
> charity. To do this I moved charity:/home to charity:/var/home and
> copied admin home directories into charity:/home. Admins beware: your
> home directory on charity is now different to your home directory on
> honesty and hope.
> Also, recently there was a problem with the NFS system. The problem was
> that the NFS clients (honesty and hope) were not automatically mounting
> their NFS share for the /home directories from charity.
> I wasn't able to figure out how to fix the problem in /etc/fstab so I
> did the mounting with a script in /etc/rc.local as described here:
> and here:
> John Elliot V
> ProgClub programming
> programming at progclub.org
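
The effect of the suggested AllowGroups setting on the shared /home problem quoted above, as an added example that is not part of the original thread: a shell audit that lists every account holding an authorized_keys file and whether sshd's group restriction would admit it. The group name admin comes from the comment in the reply; the accounts, file layout and simplified parsing (literal group names, global section only, homes at <base>/<user>) are assumptions.

```shell
# Groups named on global AllowGroups lines. Assumes literal group names;
# keywords are case-insensitive and parsing stops at the first Match block.
allowed_groups() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# True if user $1 is in group $2 (primary or supplementary); $3=passwd, $4=group file.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        FNR == NR { if ($1 == u) pgid = $4; next }
        $1 == g { if (pgid != "" && $3 == pgid) ok = 1
                  n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3" "$4"
}

# For every <home base $1>/<user>/.ssh/authorized_keys print "<user> allowed"
# or "<user> blocked" under sshd_config $2, passwd file $3 and group file $4.
audit_keys() {
    allow=$(allowed_groups "$2")
    for keyfile in "$1"/*/.ssh/authorized_keys; do
        [ -f "$keyfile" ] || continue
        user=${keyfile#"$1"/}; user=${user%%/*}
        verdict=allowed          # without AllowGroups a planted key is enough
        if [ -n "$allow" ]; then verdict=blocked; fi
        for g in $allow; do
            if in_group "$user" "$g" "$3" "$4"; then verdict=allowed; fi
        done
        echo "$user $verdict"
    done
}

# Constructed sample data: alice is in admin, carol has admin as primary group, bob is a member.
make_sample() {
    d=$(mktemp -d)
    for u in alice bob carol; do
        mkdir -p "$d/home/$u/.ssh" && touch "$d/home/$u/.ssh/authorized_keys"
    done
    printf 'alice:x:1000:1000:\nbob:x:1001:1001:\ncarol:x:1002:27:\n' > "$d/passwd"
    printf 'admin:x:27:alice\nalice:x:1000:\nbob:x:1001:\n' > "$d/group"
    printf 'PasswordAuthentication no\n' > "$d/sshd_before"
    printf '# admins only\nAllowGroups admin\n' > "$d/sshd_after"
    echo "$d"
}

d=$(make_sample)
echo "before:"; audit_keys "$d/home" "$d/sshd_before" "$d/passwd" "$d/group"
echo "after:";  audit_keys "$d/home" "$d/sshd_after"  "$d/passwd" "$d/group"
rm -rf "$d"
```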