
SSH Access Management


Overview

Managing SSH access to your Linux servers, routers, switches and other endpoint devices is paramount to maintaining security.

This article describes how a security administrator can manage employees' SSH access to Linux endpoint devices: log them in as a non-privileged system user, allow them to escalate privileges when needed, and limit the commands they can execute.

The three scenarios below show how a DevOps engineer, 'Alex', accesses the remote server 'web.noc.com' through the Ezeelogin gateway.

Scenario 1:-

How does the user 'Alex' (DevOps Engineer) access the remote production server 'web.noc.com' as the non-privileged user 'Developer'?

Step 1. Log in to the Ezeelogin web GUI and create a non-privileged user (SubSSH user) named 'Developer'.

Step 2. Map the SubSSH user to the corresponding user group and server group. In this example, every user in the user group 'Devops Engineers' will log in as the SubSSH user 'Developer' on every remote server in the server group 'Production Servers'.

Or follow Step 3 to map an individual user to the SubSSH user 'Developer' instead.

Step 3. Create the user 'Alex' on the gateway server 'gw.noc.com' via the Ezeelogin web GUI and map the user to the SubSSH user 'Developer'.

Step 4. SSH into the gateway server 'gw.noc.com' as the user 'Alex', select the remote production server 'web.noc.com' and press the 'Tab' key to view the server details. The details show that the login to the remote server is made as the non-privileged SubSSH user 'Developer' rather than as 'root'.

Scenario 2:-

How can the user 'Alex' log in as the non-privileged user 'Developer', then escalate privileges and execute commands as the 'root' user on the server 'web.noc.com'?

The non-privileged user 'Alex' can obtain root privileges for a limited period if the security administrator grants permission. Here are the steps to configure the user 'Alex' to escalate privileges and execute commands as the 'root' user on the production server 'web.noc.com' through the Ezeelogin gateway.

Step 1: Follow the steps mentioned in the above scenario for the user ‘Alex’ (DevOps Engineer) to access the remote production server ‘web.noc.com’ as the non-privileged user ‘Developer’.

Step 2: Grant the user 'Alex' permission to view the server password.

               Step 2.1: Log in to the Ezeelogin administrator GUI.

               Step 2.2: Go to Access control >> User-action >> select the user 'Alex' >> enable 'View server details' and 'View server password' >> Save.

Step 3: Log in to the remote server 'web.noc.com' from the Ezeelogin gateway server 'gw.noc.com'.

Step 4: Run the command 'ezinfo' or press the 'Tab' key to view the server details, which now include the server password.

Step 5: Alex can now use the root password to switch to the root user (for example with su). Keep in mind that once the root password is known, the SubSSH account no longer limits what Alex can do on the server; where only a few commands need root, the sudo-based restriction described in Scenario 3 is the tighter choice.

This is how the user 'Alex' (DevOps Engineer), initially logged in as the non-privileged user 'Developer', escalates privileges and executes commands as the 'root' user on the server 'web.noc.com'.

Scenario 3:-

How to start user Alex's SSH sessions in a specific directory (/home/Developer/debug/downloads/), allow only the essential development commands (tcpdump, apt) to be run with sudo, and otherwise keep Alex working as the non-privileged user 'Developer'?

Step 1: Create the SubSSH user 'Developer' and map it to the user 'Alex' by following Steps 1-3 of Scenario 1. In this example the user's home directory will be set to /home/Developer/debug/downloads/.

Step 2: Execute the following commands as root on the remote server 'web.noc.com' to create the directory, give it to the user 'Developer' and set it as that user's home directory. Do not make the directory world-writable (mode 777): any local user could then plant files in the developer's working directory. Note that changing the home directory only sets where the user lands after login; it does not confine the user to that directory.

					mkdir -p /home/Developer/debug/downloads && chown Developer: /home/Developer/debug/downloads && chmod 750 /home/Developer/debug/downloads
					usermod -d /home/Developer/debug/downloads Developer

Step 3: Limit the commands using the sudoers configuration on the remote server 'web.noc.com' (see the Note below to apply the same change on multiple servers). The rule below lets 'Developer' run only /usr/bin/tcpdump and /usr/bin/apt as root, without a password. Put it in a drop-in file under /etc/sudoers.d (included by default on Debian, Ubuntu and RHEL derivatives) rather than appending to /etc/sudoers with a shell redirect, so that the main file stays under visudo's control and package upgrades do not overwrite the rule. Be aware that both tcpdump (its -z post-rotate command) and apt (its Pre-Invoke/Post-Invoke hooks) can start arbitrary commands, so a NOPASSWD root grant on them is close to unrestricted root; choose the permitted commands, and any argument restrictions, with that in mind.

					echo "Developer ALL=(root) NOPASSWD: /usr/bin/tcpdump, /usr/bin/apt" > /etc/sudoers.d/developer && chmod 0440 /etc/sudoers.d/developer

Note – Use the parallel shell feature to apply the same sudoers change on multiple servers at once.

Step 4: Check the syntax of the sudoers file and its drop-ins on the remote server 'web.noc.com'. Fix any reported parse error before logging out, because sudo refuses to run at all while a parse error exists.

					visudo -c

Step 5: Log in to the gateway server 'gw.noc.com' as the user 'Alex', log in to the remote production server 'web.noc.com' and run the permitted commands through sudo (for example 'sudo /usr/bin/tcpdump ...'). Any other command run through sudo is refused; 'sudo -l' lists exactly what the account may run.
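The server-side part of Steps 3-4 can be scripted so that the rule is written in a consistent, validated form on every server. The following is an added example written for this article, not code from Ezeelogin or from the original page; the function name, the 'Developer' account and the scratch-directory dry run are this example's own assumptions. It writes a sudoers drop-in that pins the run-as user to root, refuses command entries that are not clean absolute paths (which keeps stray commas or spaces from turning into extra sudoers grants), sets the 0440 mode sudo expects, and syntax-checks the result with visudo when run as root.

```shell
#!/bin/sh
# Added example (not part of the Ezeelogin article): write a sudoers drop-in
# that lets one non-privileged user run a fixed list of commands as root,
# then syntax-check it. The function name, the "Developer" account and the
# scratch-directory dry run are this example's own assumptions.
set -eu

# write_sudoers_dropin DIR USER CMD...
# Writes DIR/USER containing one sudoers rule for USER, mode 0440, and prints
# the path of the file it wrote. Every CMD must be an absolute path with no
# sudoers metacharacters; otherwise the function refuses and writes nothing.
write_sudoers_dropin() {
    dir="$1"; user="$2"; shift 2
    [ "$#" -gt 0 ] || { echo "no commands given" >&2; return 1; }
    cmds=""
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *) echo "refusing non-absolute command: $cmd" >&2; return 1 ;;
        esac
        case "$cmd" in
            *[!A-Za-z0-9_./-]*) echo "refusing command with unsafe characters: $cmd" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$cmd"
    done
    file="$dir/$user"
    # Run-as is pinned to root rather than (ALL); the file is created under a
    # restrictive umask and then given the mode sudo expects for drop-ins.
    ( umask 077; printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds" > "$file" )
    chmod 0440 "$file"
    # visudo validates the syntax; it is run only as root here because it also
    # checks ownership and would reject a file written by an ordinary user.
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null
    fi
    printf '%s\n' "$file"
}

# Dry run into a scratch directory so the example runs without root. On the
# real server the first argument would be /etc/sudoers.d, followed by
# "visudo -c" and "sudo -l -U Developer" to confirm what sudo will allow.
scratch=$(mktemp -d)
dropin=$(write_sudoers_dropin "$scratch" Developer /usr/bin/tcpdump /usr/bin/apt)
cat "$dropin"
rm -rf "$scratch"
```

On a real host, run it as root with /etc/sudoers.d as the directory, then confirm the grant with 'sudo -l -U Developer'; the same script can be pushed to every server in the group through the parallel shell mentioned in the Note above.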

Conclusion :-

Securing SSH access for employees on Linux servers is crucial for maintaining robust system security. By following the outlined procedures, such as creating non-privileged users and enforcing command restrictions, organizations can significantly reduce the risk of unauthorized access and potential system breaches.

Using Ezeelogin SSH jump server software, administrators can streamline user management and privileged access management, improving operational efficiency without compromising security.

Refer to the video for more information.
