Help with securing ssh

i followed your https://openwrt.org/docs/guide-user/security/secure.access
opkg install shadow-useradd

so what should i do now, install the other packages?
shadow-userdel, shadow-usermod

That's not actually my guide, I just made some edits there.

Anyway, in general it is recommended to use shadow utils to manage the passwd/group files.

ok, i just installed the other two shadow-userdel, shadow-usermod

is this correct?
asdffdsa6131:x:1000:1000:asdffdsa6131:/home/asdffdsa6131:/bin/ash


Yep, looks fine now.

root@OpenWrt:~# chown -R $(id -u asdffsa6131):$(id -g asdffsa6131) ~asdffsa6131
id: unknown user asdffsa6131
id: unknown user asdffsa6131
chown: unknown group
userdel asdffsa6131
userdel asdffdsa6131
sed -i -e "/^asdffsa6131/d" /etc/passwd /etc/group /etc/shadow
sed -i -e "/^asdffdsa6131/d" /etc/passwd /etc/group /etc/shadow
opkg update
opkg install shadow-useradd shadow-userdel shadow-usermod \
    shadow-groupadd shadow-groupdel shadow-groupmod sudo
groupadd -r -g 10 wheel
groupadd asdffdsa6131
useradd -m -g asdffdsa6131 -G wheel -s /bin/ash asdffdsa6131
touch /etc/environment
cat << EOF > /etc/sudoers.d/00-custom
%wheel ALL=(ALL) ALL
EOF

is this the correct output for that tee

root@OpenWrt:~# tee /etc/sudoers.d/00-custom << EOF
> %wheel ALL=(ALL) ALL
> EOF
%wheel ALL=(ALL) ALL
root@OpenWrt:~# cat /etc/sudoers.d/00-custom
%wheel ALL=(ALL) ALL

now this works without error
chown -R $(id -u asdffdsa6131):$(id -g asdffdsa6131) ~asdffdsa6131


It appears there was a letter missing in the user name.
I've updated the code, so you can copy-paste it again.

yeah, i noticed that, oh boy...

so i can just paste that entire text into the ssh command prompt?
no need to copy and paste each line, one at a time?


I'm not sure about Windows terminal emulators, but pasting blocks of code like the one above typically works on Linux.

in the meantime, i manually edited /etc/password and corrected the typo, perhaps that is the reason for the error with userdel

is this correct, do you need to verify any files or settings?

root@OpenWrt:~# userdel asdffsa6131
userdel: user 'asdffsa6131' does not exist
root@OpenWrt:~# userdel asdffdsa6131
root@OpenWrt:~# sed -i -e "/^asdffsa6131/d" /etc/passwd /etc/group /etc/shadow
root@OpenWrt:~# sed -i -e "/^asdffdsa6131/d" /etc/passwd /etc/group /etc/shadow
root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_kmods
Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.sig
Signature check passed.
root@OpenWrt:~# opkg install shadow-useradd shadow-userdel shadow-usermod \
>     shadow-groupadd shadow-groupdel shadow-groupmod sudo
Package shadow-useradd (4.8.1-1) installed in root is up to date.
Package shadow-userdel (4.8.1-1) installed in root is up to date.
Package shadow-usermod (4.8.1-1) installed in root is up to date.
Package shadow-groupadd (4.8.1-1) installed in root is up to date.
Package shadow-groupdel (4.8.1-1) installed in root is up to date.
Package shadow-groupmod (4.8.1-1) installed in root is up to date.
Package sudo (1.8.28p1-1) installed in root is up to date.
root@OpenWrt:~# groupadd -r -g 10 wheel
groupadd: group 'wheel' already exists
root@OpenWrt:~# groupadd asdffdsa6131
root@OpenWrt:~# useradd -m -g asdffdsa6131 -G wheel -s /bin/ash asdffdsa6131
useradd: warning: the home directory /home/asdffdsa6131 already exists.
useradd: Not copying any file from skel directory into it.
root@OpenWrt:~# touch /etc/environment
root@OpenWrt:~# cat << EOF > /etc/sudoers.d/00-custom
> %wheel ALL=(ALL) ALL
> EOFuserdel asdffsa6131
> userdel asdffdsa6131
> sed -i -e "/^asdffsa6131/d" /etc/passwd /etc/group /etc/shadow
> sed -i -e "/^asdffdsa6131/d" /etc/passwd /etc/group /etc/shadow
> opkg update
> opkg install shadow-useradd shadow-userdel shadow-usermod \
>     shadow-groupadd shadow-groupdel shadow-groupmod sudo
> groupadd -r -g 10 wheel
> groupadd asdffdsa6131
> useradd -m -g asdffdsa6131 -G wheel -s /bin/ash asdffdsa6131
> touch /etc/environment
> cat << EOF > /etc/sudoers.d/00-custom
> %wheel ALL=(ALL) ALL
> EOF
root@OpenWrt:~#

that is what i did, what is wrong with the output i posted?
does this look ok?

root@OpenWrt:~# grep -e asdffdsa6131 /etc/passwd
asdffdsa6131:x:1000:1000::/home/asdffdsa6131:/bin/ash
root@OpenWrt:~# chown -R $(id -u asdffdsa6131):$(id -g asdffdsa6131) ~asdffdsa6131
root@OpenWrt:~# chmod -R go= ~asdffdsa6131

No errors reported, that's good.

it works!
i can ssh in as asdffdsa6131

how can i verify that asdffdsa6131, what command can i run to test, not a root level user?

i would have thought that this command would error out

root@OpenWrt:/home/asdffdsa6131/.ssh# mkdir /root/test
root@OpenWrt:/home/asdffdsa6131/.ssh# ls /root/test
# Check current user
id

# Check specific user
id asdffdsa6131

The root UID/GID should be 0.

asdffdsa6131@OpenWrt:~$ id
uid=1000(asdffdsa6131) gid=1000(asdffdsa6131) groups=10(wheel),1000(asdffdsa6131)
asdffdsa6131@OpenWrt:~$ id asdffdsa6131
uid=1000(asdffdsa6131) gid=1000(asdffdsa6131) groups=1000(asdffdsa6131),10(wheel)

id is not what i am looking for as proof.

what command can i run to prove asdffdsa6131 does not have sudo privileges?

cat /etc/shadow
touch /test

thanks for the help. done for today.
tomorrow i will try Allow temporary privileged access using sudo


This should already be configured using the wheel group.
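The questions in this thread about how to confirm that asdffdsa6131 is not a root-level account and that the wheel/sudo setup is what was intended can be answered with a few checks that read /etc/passwd, /etc/group and the sudoers fragment. The script below is an added example, not from the wiki guide or any poster here; it runs offline against constructed copies of those files using the thread's user name (replace the samples with `cat /etc/passwd`, `cat /etc/group` and `cat /etc/sudoers.d/00-custom` on the router). The sudoers check also flags the fused `EOFuserdel ...` line that a double paste into the heredoc left behind in the session above, which a plain `cat` of the file would otherwise look normal enough to miss.

```shell
#!/bin/sh
# Added example: offline verification of a non-root sudo user on OpenWrt.
# The file contents below are CONSTRUCTED samples, not the thread's real files.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/ash
asdffdsa6131:x:1000:1000::/home/asdffdsa6131:/bin/ash'

GROUP_SAMPLE='root:x:0:
wheel:x:10:asdffdsa6131
asdffdsa6131:x:1000:'

SUDOERS_GOOD='%wheel ALL=(ALL) ALL'

# What a broken heredoc paste leaves in /etc/sudoers.d/00-custom: the EOF
# terminator fused with the next pasted command, so the heredoc kept reading.
SUDOERS_BAD='%wheel ALL=(ALL) ALL
EOFuserdel asdffsa6131
userdel asdffdsa6131'

# user_uid NAME PASSWD_TEXT
# Prints the numeric UID of NAME from passwd-format text; exit 1 if absent.
user_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# is_unprivileged NAME PASSWD_TEXT
# Succeeds only when NAME exists and its UID is not 0 (i.e. not root).
is_unprivileged() {
    uid=$(user_uid "$1" "$2") || return 1
    [ "$uid" -ne 0 ]
}

# in_group NAME GROUPNAME GROUP_TEXT
# Succeeds when NAME is listed as a supplementary member of GROUPNAME.
in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# sudoers_fragment_ok TEXT
# Succeeds when every non-blank, non-comment line is exactly the %wheel rule
# the guide writes; any stray line (e.g. "EOFuserdel ...") fails the check.
sudoers_fragment_ok() {
    printf '%s\n' "$1" | awk '
        /^%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL$/ { next }
        /^#/ || /^$/ { next }
        { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report on the constructed samples.
if is_unprivileged asdffdsa6131 "$PASSWD_SAMPLE"; then
    echo "asdffdsa6131: non-root uid $(user_uid asdffdsa6131 "$PASSWD_SAMPLE")"
fi
in_group asdffdsa6131 wheel "$GROUP_SAMPLE" && echo "asdffdsa6131: member of wheel"
sudoers_fragment_ok "$SUDOERS_GOOD" && echo "good fragment: only the %wheel rule"
sudoers_fragment_ok "$SUDOERS_BAD"  || echo "bad fragment: stray lines present"
```

On the device itself, `visudo -c` (shipped with the sudo package) is the authoritative syntax check for the fragment, and `sudo -l` run as asdffdsa6131 lists exactly what that account may run; the script above only shows how to reason about the three files without depending on those tools.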