Overview
Managing SSH access to your Linux servers, routers, switches and other endpoint devices is paramount to maintaining security.
This article describes how a security administrator can manage employees’ SSH access to Linux endpoint devices: each employee logs in as a non-privileged system user, escalates privileges only when permitted, and is limited in the commands they can execute.
We describe below three scenarios in which a DevOps engineer, ‘Alex’, accesses a remote server ‘web.noc.com’.
Scenario 1:-
How does user ‘Alex’ (DevOps Engineer) access the remote production server ‘web.noc.com’ as the non-privileged user ‘Developer’?
Step 1. Login to Ezeelogin webgui and create non-privileged user (SubSSH user) named ‘Developer’.
Step 2. Map the SubSSH user to the corresponding server groups. This maps all users in the user group ‘Devops Engineers’ to the SubSSH user ‘Developer’ on all remote servers in the server group ‘Production Servers’.
Alternatively, follow Step 3 to map individual users to the SubSSH user ‘Developer’.
Step 3. Create the user ‘Alex’ on the gateway server ‘gw.noc.com’ via the Ezeelogin webgui and map it to the SubSSH user ‘Developer’.
Step 4: SSH into the gateway server ‘gw.noc.com’ as the user ‘Alex’, select the remote production server ‘web.noc.com’ and press the ‘tab’ key to view the server details. You can see that you are logged into the remote server as the non-privileged user (SubSSH) ‘Developer’ instead of ‘root’.
Scenario 2:-
How can the user ‘Alex’ log in as the non-privileged user ‘Developer’, then escalate privileges and execute commands as the ‘root’ user on the server ‘web.noc.com’?
A non-privileged user such as ‘Alex’ can obtain root privileges for a limited period if the security administrator grants permission. Here are the steps to configure the user ‘Alex’ to escalate privileges and execute commands as the ‘root’ user on the production server ‘web.noc.com’ through the Ezeelogin gateway.
Step 1: Follow the steps in the above scenario so that the user ‘Alex’ (DevOps Engineer) accesses the remote production server ‘web.noc.com’ as the non-privileged user ‘Developer’.
Step 2: Grant the user ‘Alex’ the privilege to view the server password.
Step 2.1: Log in to the Ezeelogin administrator gui.
Step 2.2: Go to Access control >> User-action >> select the user ‘alex’ >> enable ‘view server Details’ and ‘view server password’ >> Save.
Step 3: Log in to the remote server ‘web.noc.com’ from the Ezeelogin gateway server ‘gw.noc.com’.
Step 4: Run the command ‘ezinfo’ or press the ‘Tab’ key to view the server details.
Step 5: Now Alex can use the root password to escalate privileges to the root user.
Here’s how the user ‘Alex’ (DevOps Engineer), initially logged in as the non-privileged user ‘Developer’, escalates privileges to execute commands as the ‘root’ user on the server ‘web.noc.com’.
Scenario 3:-
How can user Alex’s SSH access be restricted to a specific directory (/home/Developer/debug/downloads/), limited to the essential development commands (tcpdump, apt), and kept running as the non-privileged user ‘Developer’?
Step 1: Create a user ‘Developer’ and set its path to a specific directory. In this example the path is set to /home/Developer/debug/downloads/ by following Steps 1-2 in the above scenario.
Step 2: Execute the following command on the remote server ‘web.noc.com’ to modify the user ‘Developer’ and set the directory path.
# usermod -d /home/Developer/debug/downloads/ Developer; chmod 777 /home/Developer/debug/downloads
Step 3: Limit the commands using the sudoers file on the remote server ‘web.noc.com’. [Refer to the Note below to apply it on multiple servers]
echo "Developer ALL=(ALL) NOPASSWD: /usr/bin/tcpdump, /usr/bin/apt" >> /etc/sudoers
Note – Use the parallel shell feature to edit the sudoers file on multiple servers.
Step 4: Check the syntax of the sudoers file on the remote server ‘web.noc.com’.
visudo -c
Step 5: Log in to the gateway server ‘gw.noc.com’ as the user ‘Alex’, log in to the remote production server ‘web.noc.com’ and run the commands.
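As an added example (not part of the Ezeelogin article), the sudoers rule from Step 3 built and checked by a small POSIX sh helper: it refuses relative command names (sudoers matches commands by fully qualified path), writes the rule as a mode 0440 drop-in file rather than appending to /etc/sudoers, and validates the file with visudo -c -f as in Step 4. The function names and the drop-in path /etc/sudoers.d/developer are assumptions.

```shell
#!/bin/sh
# Added example: generate and validate a sudoers rule like the one in Step 3.
# Function names and the drop-in path are assumptions, not Ezeelogin features.

# Print one rule: "<user> ALL=(ALL) NOPASSWD: /abs/cmd1, /abs/cmd2".
# sudoers matches commands by fully qualified path, so relative names are refused.
build_sudoers_rule() {
    user="$1"; shift
    [ $# -gt 0 ] || { echo "no commands given for $user" >&2; return 1; }
    rule="$user ALL=(ALL) NOPASSWD:"
    sep=" "
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *) echo "refusing relative command path: $cmd" >&2; return 1 ;;
        esac
        rule="$rule$sep$cmd"
        sep=", "
    done
    printf '%s\n' "$rule"
}

# Write the rule to its own file (e.g. /etc/sudoers.d/developer) with mode 0440.
# A drop-in keeps /etc/sudoers itself untouched, unlike "echo ... >> /etc/sudoers".
write_sudoers_dropin() {
    file="$1"; user="$2"; shift 2
    build_sudoers_rule "$user" "$@" > "$file" || { rm -f "$file"; return 1; }
    chmod 0440 "$file"
}

# Syntax-check a sudoers fragment with visudo -c -f (Step 4). visudo also
# verifies owner and mode, so run this as root on the target server.
check_sudoers_file() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -f "$1"
}

# Usage on web.noc.com (as root):
#   write_sudoers_dropin /etc/sudoers.d/developer Developer /usr/bin/tcpdump /usr/bin/apt \
#     && check_sudoers_file /etc/sudoers.d/developer
```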
Conclusion :-
In conclusion, securing SSH access for employees on Linux servers is crucial for maintaining robust system security. By following the outlined procedures, such as creating non-privileged users and enforcing command restrictions, organizations can significantly reduce the risk of unauthorized access and potential system breaches.
Using Ezeelogin SSH jump server software, administrators can streamline user management and privileged access management, enhancing operational efficiency without compromising security.
Refer to the video for more information.