≡ Menu

Linux login control

Finally, someone spends time to work with a Linux server and OS X authentication issue:

OSX has what I would call an undocumented feature of the operating system- the portable home directory. Basically, it keeps a user's home directory sync'd up between a network share and the local pc. If you are not on the network you work on the local home directory. Whenever you login on the network, the mirror agent running on the local pc synchronizes the two directories.

Full Stack: Portable Home Directory over NFS on OSX authenticated via OpenLDAP on Debian Linux

For last couple of years I’ve used my own shell script based solution to list and open ssh connections. Now I found a nice applet called SSHMenu:

The SSHMenu is a panel applet that makes all your regular SSH connections a single mouse click away. Each menu option will open an SSH session in a new terminal window. You can arrange groups of hosts with separator bars or sub-menus. You can even open all the connections on a submenu (in separate windows or tabs) with one click.

Overall I'm quite happy with SSHMenu, a must have tool for all admin, IMHO.

Features

a] SSHMenu allows you to add key so that you can run rest of the all session without a problem and password.
b] Every connection you make using using SSHMenu will use the terminal profile you've selected, to set the color scheme, terminal font and other settings.
c] You can open all connection at a time and much more...

SSH Menu ~ Save and Open SSH Connections on a single mouse click
(SSHMenu in action - click to enlarge)

Download SSHMenu

=> Visit official site here ( hat tip to carthik )

With this tip you will be able to work from home using VPN and that too from Linux / FreeBSD system for the proprietary Microsoft Point-to-Point vpn server.

Different organization uses different VPN connection options such as SSL, PPTP or IPSEC. When you need to access corporate network and its services, you need to login using VPN.

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. It works on Data link layer (#2 layer) on TCP/IP model. Personally I prefer IPSEC. PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP. Allows connection to a PPTP based Virtual Private Network (VPN) as used by employers and some cable and ADSL internet service providers.

But many originations use PPTP because it is easy to use and works with Windows, Mac OS X, Linux/*BSD and other handled devices.

Compatibility note

I’ve tested instructions and pptp on:
[a] CentOS / RHEL / Fedora Core Linux running 2.6.15+ kernel
[b] Ubuntu and Debian Linux running 2.6.15+ kernel
[c] FreeBSD etc

I've found that pptp client is 100% compatible with the following servers/products:
[a] Microsoft Windows VPN Server
[b] Linux PPTP Server
[c] Cisco PIX etc

How do I install PPTP client under Linux?

By default most distro installs PPTP client called PPTP-linux which is the client for the proprietary Microsoft Point-to-Point Tunneling. Use apt-get or yum command to install pptp client:
$ sudo apt-get install pptp-linux network-manager-pptp
Fedora Core user can install client using rpm command:
# rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc6/pptp-release-current.noarch.rpm
# yum --enablerepo=pptp-stable install pptpconfig

[a] network-manager-pptp or pptpconfig - A gui network management framework (PPTP plugin) for network-admin tool (frontend)
[b] pptp-linux - Point-to-Point Tunneling Protocol (PPTP) command line client

How do I configure client using command line (cli)?

You need to edit / create following configuration files

  • /etc/ppp/chap-secrets - Add your login name / password for authentication using CHAP. Pppd stores secrets for use in authentication in secrets files.
  • /etc/ppp/peers/myvpn-name - A dialup connection authenticated with PAP / CHAP configuration file. You need to add your dialup server name and other information in this file.

Sample configuration data

  1. PPTP server name: pptp.vpn.nixcraft.com
  2. VPN User Name : vivek
  3. VPN Password: VpnPassword
  4. Connection name: delhi-idc-01

Open /etc/ppp/chap-secrets file:
# vi /etc/ppp/chap-secrets
OR
$ sudo vi /etc/ppp/chap-secrets
Append line as follows:
vivek PPTP VpnPassword *

Save and close the file.

Create a connection file called /etc/ppp/peers/delhi-idc-01 (replace delhi-idc-01 with your connection name such as office or vpn):
# vi /etc/ppp/peers/delhi-idc-01
Append configuration data as follows:
pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd"
name vivek
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam delhi-idc-01

Close and save the file. Where,

  • pty "pptp pptp.vpn.nixcraft.com --nolaunchpppd": Specifies that the command script is to be used to communicate rather than a specific terminal device. Pppd will allocate itself a pseudo-tty master/slave pair and use the slave as its terminal device. The script will be run in a child process with the pseudo-tty master as its standard input and output. An explicit device name may not be given if this option is used. (Note: if the record option is used in conjunction with the pty option, the child process will have pipes on its standard input and output.). In this case we are using pptp client to establishes the client side of a Virtual Private Network (VPN) using the Point-to-Point Tunneling Protocol (PPTP). pptp.vpn.nixcraft.com is my host name (or IP address) for the PPTP server. --nolaunchpppd option means do not launch pppd but use stdin as the network connection. Use this flag when including pptp as a pppd connection process using the pty option.
  • name vivek: VPN username
  • remotename PPTP: Set the assumed name of the remote system for authentication purposes to name. If you don't know name ask to network administrator
  • require-mppe-128: Require the use of MPPE, with 128-bit encryption. You must encrypt traffic using encryption.
  • file /etc/ppp/options.pptp: Read and apply all pppd options from options.pptp file. Options used by PPP when a connection is made by a PPTP client.
  • ipparam delhi-idc-01 : Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts (optional).

Route traffic via ppp0

To route traffic via PPP0 interface add following route command to /etc/ppp/ip-up.d/route-traffic
# vi /etc/ppp/ip-up.d/route-traffic
Append following sample code (modify NET an IFACE as per your requirments):
#!/bin/bash
NET="10.0.0.0/8" # set me
IFACE="ppp0" # set me
#IFACE=$1
route add -net ${NET} dev ${IFACE}

Save and close the file:
# chmod +x /etc/ppp/ip-up.d/route-traffic

Task: connect to PPTP server

Now you need to dial out to your office VPN server. This is the most common use of pppd. This can be done with a command such as:
# pppd call delhi-idc-01
If everything is went correctly you should be online and ppp0 should be up. Remote server will assign IP address and other routing information. Here is the message from my /var/log/messages file:
# tail -f /var/log/messages
Output:

Jun 11 23:38:00 vivek-desktop pppd[30088]: pppd 2.4.4 started by root, uid 0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Using interface ppp0
Jun 11 23:38:00 vivek-desktop pppd[30088]: Connect: ppp0 <--> /dev/pts/4
Jun 11 23:38:03 vivek-desktop pppd[30088]: CHAP authentication succeeded
Jun 11 23:38:03 vivek-desktop kernel: [37415.524398] PPP MPPE Compression module registered
Jun 11 23:38:03 vivek-desktop pppd[30088]: MPPE 128-bit stateless compression enabled
Jun 11 23:38:05 vivek-desktop pppd[30088]: local  IP address 10.5.3.44
Jun 11 23:38:05 vivek-desktop pppd[30088]: remote IP address 10.0.5.18

Task: Disconnect PPTP server vpn connection

Simply kill pppd service, enter:
# killall pppd
OR
# kill {pppd-PID}

How do I configure PPTP client using GUI tools?

If you are using Debian / Ubuntu, just click on Network configuration Icon on taskbar > VPN Connection > Configure VPN > Add:

Click forward :
VPN PPTP Config # 1
(click to enlarge)

Select PPTP tunnel > Forward:
VPN PPTP Config # 2
(click to enlarge)
Enter Connection Name, VPN Server / Gateway hostname/IP address > Click on diffrent tabs to configure other parameters > Forward >
VPN PPTP Config # 3
(click to enlarge)

Save and close the dialog box. To connect via VPN click on Network Icon > Select VPN Connection > Connection name (Mumbai VSNL IDC) > Enter your VPN username and password and click on Ok
VPN PPTP Config # 4
If you are using Fedora core Linux, run pptpconfig as root and just follow on screen instructions:
# pptconfig &

Troubleshooting hints

If the connection fails, you might need to gather more information and try out following troubleshooting tips.

Q. I'm authenticated successfully but cannot route traffic..

A. Use route command to add route manually:
# ip route add {NETWORK} dev ppp0
# ip route add 10.0.0.0/8 dev ppp0

Or use route command:
# route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0

Q. I'm authenticated successfully, I can ping to remote gateway but cannot access host by name...

A. Setup correct DNS server names in /etc/resolv.conf file:
# cat /etc/resolv.conf
Output:
search nixcraft.com
nameserver 10.0.6.1
nameserver 10.0.6.2
nameserver 208.67.222.222

Q. How do I open my local network (laptop, desktop and other system) to talk with any computer behind VPN server via this local Linux ppp0 interface (i.e. act this computer as router)...?

A. Append following two rules in your existing iptables rules to turn on routing (adjust IP address range as per your setup):
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

Q. Point-to-Point Encryption is not working and I'm not able to connect to remote PPTP server...

A. Make sure you are using 2.6.15 or above kernel. If you are using old kernel version upgrade to latest version and compile support for ppp_mppe kernel module. If you are using latest version, load driver using modprobe:
# modprobe ppp_mppe
# pppd call myoffice

Note: You can always get more information by reading pptp diagnosis howto here.

A note to readers

As I said earlier I prefer to use open source solution such as OpenVPN or IPsec as they are more secure. The PPTP is not secure enough for some information security policies. Next time I will write about OpenVPN and IPsec.

Further readings

  • Please read pppd, pptp, iptables man pages.
  • Official pptp client home page

Recently I received an interesting question from one my regular reader:

What is the basic and important difference between password and passphrase when implementing SSH with DSA/RAS public key authentication? Which one is recommended for daily usage?

The main and basic difference is that you can use multi string phrase including spaces and tabs using a passphrase under ssh. Normal /etc/shadow password is a single string password and many application will breaks with spaces and tabs while using authentication. So your account password must be a single word/string.

For example my account password can be iF33%gNCyzDy
I could create a passphrase: Th1s 1s A t3sT and s3cur3 pa$$phra$3

The advantage is simple you can use spaces and tabs to create a more secure and hard to break authentication method. This makes dictionary based attack quite difficult.

Further readings:

Passwords vs. Pass Phrases
The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3

If anyone aware of more differences please add in comments section :)


I've already written about howto log in, on your local system, and make passwordless ssh connections using ssh-keygen command. However, you cannot just follow these instructions over and over again, as you will overwrite the previous keys.

It is also possible to upload multiple public keys to your remote server, allowing one or more users to log in without a password from different computers.

Step # 1: Generate first ssh key

Type the following command to generate your first public and private key on a local workstation. Next provide the required input or accept the defaults. Please do not change the filename and directory location.
workstation#1 $ ssh-keygen -t rsa
Finally, copy your public key to your remote server using scp
workstation#1 $ scp ~/.ssh/id_rsa.pub user@remote.server.com:.ssh/authorized_keys

Step # 2: Generate next/multiple ssh key

a) Login to 2nd workstation

b) Download original the authorized_keys file from remote server using scp:
workstation#2 $ scp user@remote.server.com:.ssh/authorized_keys ~/.ssh

c) Now create the new pub/private key:
workstation#2 $ ssh-keygen -t rsa

d) Now you have new public key. APPEND this key to the downloaded authorized_keys file using cat command:
workstation#2 $ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

e) Finally upload authorized_keys to remote server again:
workstation#2 $ scp ~/.ssh/authorized_keys user@remote.server.com:.ssh/

You can repeat step #2 for each user or workstations for remote server.

Step #3: Test your setup

Now try to login from Workstation #1, #2 and so on to remote server. You should not be asked for a password:
workstation#1 $ ssh user@remote.server.com
workstation#2 $ ssh user@remote.server.com

Updated for accuracy.

How do you prevent non-root users from login into the system? How do you assign user ftp and mail access only? How do you make or set shell to nologin to politely refuse a login?

Fear not, it is easy to deny access to login shell :D . If the file /etc/nologin exists, login will allow access only to root. Other users will be shown the contents of this file and their logins will be refused. However if you need to give ftp or mail access add user shell /sbin/nologin.

Redhat (RHEL)/Fedora core/Cent OS specific example

For example allow user tom to use ftp and mail but no shell access. Use usermod command to setup new shell:
# usermod -s /sbin/nologin tom

You can also edit the /etc/passwd file and change the shell
From
/bin/bash
To
/sbin/nologin

Following program will not affected by this shell (/sbin/nologin):

  • FTP clients
  • mail clients
  • sudo
  • many setuid programs

Please note that it prevents access to the shell and logs the attempt. All of the following programs are prevented from accessing the user account:

  • telnet/login
  • gdm/kdm/xdm (graphical login)
  • su
  • ssh/scp/sftp etc

Debian / Ubuntu Linux specific example

Use /bin/false shell under Debian / Ubuntu Linux(do nothing, unsuccessfully login). To make shell nologin under Debian / Ubuntu for tom user, use :
$ sudo usermod -s /bin/false tom
OR
# sudo usermod -s /bin/false tom

Caution: Do not set root user shell to /sbin/nologin or /bin/false.

Restrict the use of su command

su is used to become another user during a login session. Invoked without a username, su defaults to becoming the super user. The user will be prompted for a password, if appropriate. Invalid passwords will produce an error message. All attempts, both valid and invalid, are logged to detect abuses of the system.

By default almost all distro allows to use su command. However you can restrict the use of su command for security reasons.

Both UNIX and Linux have a group called wheel. If user is member of this group she can use su command. We can add user to this group.

For example add existing user rocky to wheel group
# usermod -G wheel rocky

Now open /etc/pam.d/su PAM config file:
# vi /etc/pam.d/su
Append line as follows:
auth required /lib/security/pam_wheel.so use_uid
OR
auth required pam_wheel.so use_uid

Save and close the file.

Because of above setting only members of the administrative group wheel can use the su command. However I still recommend sudo over su for better control, security and ease of use. This is also default behavior on FreeBSD.