
dealing with root user



For security reasons, Telnet should be disabled by default and OpenSSH installed.

 

It has been requested several times. It would be nice if the package already came with unRaid, for the greater good.

 

Here's the issue with this.  If you are worried about telnet then you are worried about a 'man in the middle' attack, i.e., a packet sniffer somewhere on your network (teenage son's PC?), waiting to steal your password.  OK, but in this scenario your browser is also using 'Basic' authentication, which transmits your password in the header of every HTTP request, granted as base64, but anyone setting up a sniffer is also going to be able to easily convert base64 to plain text.  So to add proper security, in addition to ssh for console access, we'll need to implement, I guess, 'Digest' authentication for webGui access - but I'm not sure about the browser support for this, and besides, I think there are still issues in trying to "log out"; maybe we have to go to full https, but damn, that seems like overkill - any other options?

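To make the trade-off in the post above concrete, here is an added example (not code from the post, the forum, or unRAID) that replays what a passive sniffer on the LAN gets from a captured Basic request versus a captured Digest request. The two HTTP captures, the host name 'tower', the realm 'unRAID', the nonce and the password 'hunter2' are all constructed for illustration. Basic hands over the password after one base64 decode; Digest (RFC 2617, MD5) keeps the password off the wire, but every other input to the response hash is in the header, so the sniffer can still guess passwords offline against it. Only transport encryption (HTTPS) takes the capture away from the attacker entirely.

```python
"""What a passive sniffer on the LAN learns from HTTP Basic versus Digest auth.

Added example; the request captures, hostname 'tower', realm 'unRAID' and the
password 'hunter2' are all constructed for illustration, not real traffic.
"""
import base64
import hashlib
import re


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def extract_auth_header(raw_request):
    """Return the Authorization header value from a captured HTTP request."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return None


def parse_auth_header(value):
    """Decode Basic credentials, or split Digest parameters into a dict."""
    scheme, _, rest = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64(user ":" password): encoding, not encryption.
        user, _, password = base64.b64decode(rest).decode("utf-8", "replace").partition(":")
        return {"scheme": scheme, "username": user, "password": password}
    if scheme == "digest":
        params = {"scheme": scheme}
        # key="quoted value" or key=bareword, comma separated
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', rest):
            params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        return params
    return {"scheme": scheme}


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest 'response' value (MD5, with or without qop=auth)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def crack_digest(params, method, candidates):
    """Offline guessing: every input except the password is in the capture."""
    for password in candidates:
        guess = digest_response(params["username"], params["realm"], password,
                                method, params["uri"], params["nonce"],
                                params.get("qop"), params.get("nc"), params.get("cnonce"))
        if guess == params["response"]:
            return password
    return None


# --- constructed captures (not real traffic) ---
BASIC_REQUEST = ("GET /main.htm HTTP/1.1\r\nHost: tower\r\n"
                 "Authorization: Basic " + base64.b64encode(b"root:hunter2").decode()
                 + "\r\n\r\n")

_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
_RESPONSE = digest_response("root", "unRAID", "hunter2", "GET", "/main.htm", _NONCE,
                            qop="auth", nc="00000001", cnonce="0a4f113b")
DIGEST_REQUEST = ("GET /main.htm HTTP/1.1\r\nHost: tower\r\n"
                  'Authorization: Digest username="root", realm="unRAID", '
                  f'nonce="{_NONCE}", uri="/main.htm", qop=auth, nc=00000001, '
                  f'cnonce="0a4f113b", response="{_RESPONSE}"\r\n\r\n')

WORDLIST = ["password", "letmein", "hunter2"]  # constructed guess list


def what_the_sniffer_gets():
    """Basic yields the password directly; Digest yields a hash to guess against."""
    basic = parse_auth_header(extract_auth_header(BASIC_REQUEST))
    digest = parse_auth_header(extract_auth_header(DIGEST_REQUEST))
    return basic["password"], crack_digest(digest, "GET", WORDLIST)


if __name__ == "__main__":
    print(what_the_sniffer_gets())  # ('hunter2', 'hunter2')
```

The point of the Digest half is the caveat: the server's nonce stops replay of a captured response, but it does nothing against a dictionary attack on the hash, and MD5 makes that attack fast. Switching the webGui from Basic to Digest only helps against a sniffer when the password is strong; HTTPS helps regardless of the password.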

Except that would break a TON of forum posts with help and documentation that refer to telnet.  Joe user doesn't have a robust client like PuTTY or know how to change port numbers.

I can understand the docs would be a pain, but that should not be the driver for not making such a change. Telnet could still be enabled if one wishes to. Joe user doesn't know what telnet is either :)

Anyone playing with an OS for the first time is lost... I am no Linux/Unix guru, but correct me if I am wrong, ssh is what I use to connect to any of them; the same goes for switches, routers, etc. Microsoft has telnet available, but I don't know anyone using it due to security. Like I mentioned, it would be for the greater good. PuTTY / WinSCP are easily acquired. As an example, I used WinSCP to get a better handle on and understanding of what was created with unRAID, versus learning how to move around in a shell and try to open files, etc.

 

Glad Tom brought up the browser, I was curious about that. The reason is, while we have the option to keep everything wide open, one can choose to only allow reading of said media files but not modifications. I personally also store backups, etc. under what I believe to be private shares. And by having basic auth, this kills everything else that's done to keep such data private, as you can just go after the unRAID server(s).

 

I completely understand this cannot be changed overnight. Thinking it through a bit more, ssh by default and secure web access additions should be the right direction. Keeping the option for telnet and basic auth via http for those who wish is not a problem. Let's keep in mind how many companies get bashed for having such practices. This would be a sign/direction of a good maturing product.

 

How does the AD model work? Same basic auth via the browser? I started with unRAID as just media storage but see more usage for it. I was actually talking about it with one client and it sparked their interest in a lower cost disk-to-disk backup storage. So I will be looking into testing the AD model in unRAID in the near future for possible corporate usage as well.

 

 

 


Good news and bad news... the 'nobody' user's shell is now set to '/bin/bash', but for some reason, the file '/etc/nologin' is not in the -rc4 release, so I will have to produce a -rc5.  So right now you can log in as user 'nobody' and no password is required - this is probably a slight security vulnerability :o

 

Tom, should we wait to upgrade till rc5 comes out?

Also, I have this in my go file already:

 

usermod -s /bin/bash nobody

 

Guess I can delete that after running rc5?

 

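The exposure Tom describes (an account with a real login shell and no password) is easy to check for. Below is an added example, not unRAID's own code or anything from the posts above: it reads passwd and shadow style text, treats an empty shell field as /bin/sh the way login(1) does, skips accounts whose shell refuses logins, and reports every remaining account whose password field is empty (as opposed to locked with '*' or '!', or holding a hash). The sample passwd and shadow contents are constructed; to audit a real box, feed it the contents of /etc/passwd and /etc/shadow as root.

```python
"""Find accounts that can log in with no password at all.

Added example (not unRAID's own code): the passwd/shadow contents below are
constructed; run it against real /etc/passwd and /etc/shadow as root.
"""

# Shells that refuse an interactive session; anything else counts as a login shell.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}


def parse_colon_file(text):
    """Map username -> list of fields for passwd/shadow style files."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def effective_password_field(user, passwd_fields, shadow):
    """'x' in passwd means the real password field lives in shadow."""
    field = passwd_fields[1] if len(passwd_fields) > 1 else ""
    if field == "x":
        entry = shadow.get(user)
        if entry is None or len(entry) < 2:
            return None  # no shadow entry: the literal 'x' never matches, skip
        field = entry[1]
    return field


def passwordless_logins(passwd_text, shadow_text):
    """Return (user, shell) for every account with a login shell and an empty password."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        shell = fields[6] if len(fields) > 6 else ""
        if shell == "":
            shell = "/bin/sh"  # login(1) falls back to /bin/sh when the field is empty
        if shell in NOLOGIN_SHELLS:
            continue
        pw = effective_password_field(user, fields, shadow)
        # "" = no password asked; "*" or "!..." = locked; anything else = a hash
        if pw == "":
            findings.append((user, shell))
    return findings


# --- constructed sample files (not from a real system) ---
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/bash
ftp:x:14:50::/home/ftp:/bin/false
guest:x:1001:100::/home/guest:
backup:x:1002:100::/var/backup:
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:15000:0:99999:7:::
nobody::15000:0:99999:7:::
ftp:*:15000:0:99999:7:::
guest:!:15000:0:99999:7:::
backup::15000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, shell in passwordless_logins(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: login shell {shell}, no password set")
```

On the sample data it flags 'nobody' (bash shell, empty shadow field) and 'backup' (empty shell field, so /bin/sh, empty shadow field), while 'guest' is not reported because its shadow entry is locked with '!'. The `usermod -s /bin/bash nobody` line in the go file above gives that account a login shell; whether that is safe depends on the same account also being locked (`passwd -l nobody`) or carrying a real password, which is exactly what this check reports.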

I can understand the docs would be a pain, but that should not be the driver for not making such a change. Telnet could still be enabled if one wishes to. Joe user doesn't know what telnet is either :)

 

Agreed wholeheartedly. Not implementing ssh as default and sticking with telnet simply because Windows doesn't ship with an ssh client is tailoring security for just one OS, seems short sighted.

 

Frankly, any user that can build an unRAID setup and realizes they need console access is probably skilled enough to download and configure an ssh client (or uses an OS that actually includes it by default).


Agreed wholeheartedly. Not implementing ssh as default and sticking with telnet simply because Windows doesn't ship with an ssh client is tailoring security for just one OS, seems short sighted.

 

Frankly, any user that can build an unRAID setup and realizes they need console access is probably skilled enough to download and configure an ssh client (or uses an OS that actually includes it by default).

You are over-estimating the general user's competence and their knowledge.  I know a lot of people I have built servers for that would not know the first thing about getting ssh up and running.


You are over-estimating the general user's competence and their knowledge.  I know a lot of people I have built servers for that would not know the first thing about getting ssh up and running.

So installing and configuring putty is outside of their ability, but using console commands is?


You are over-estimating the general user's competence and their knowledge.  I know a lot of people I have built servers for that would not know the first thing about getting ssh up and running.

So installing and configuring putty is outside of their ability, but using console commands is?

True... even the console commands are difficult for some, as they confuse "1" with "l", etc...

Making ssh default (but having telnet be an option to enable from within the GUI) would also prevent the casual user from accidentally easily logging in via telnet and causing havoc, but if support assistance is needed, the user could enable telnet from the GUI, then log in without having to install extra software (and then disable telnet when done).


Making ssh default (but having telnet be an option to enable from within the GUI) would also prevent the casual user from accidentally easily logging in via telnet and causing havoc, but if support assistance is needed, the user could enable telnet from the GUI, then log in without having to install extra software (and then disable telnet when done).

Unfortunately, many, many issues are ones where the GUI interface is not available.

 

 


Agreed wholeheartedly. Not implementing ssh as default and sticking with telnet simply because Windows doesn't ship with an ssh client is tailoring security for just one OS, seems short sighted.

 

Frankly, any user that can build an unRAID setup and realizes they need console access is probably skilled enough to download and configure an ssh client (or uses an OS that actually includes it by default).

You are over-estimating the general user's competence and their knowledge.  I know a lot of people I have built servers for that would not know the first thing about getting ssh up and running.

 

The key part of what you said here is " ... people [YOU] have built servers for ..."  ClunkClunk's point was that anyone " ... who can build an unRAID setup ..."

 

So when you build a setup you can install / enable telnet on unRAID or provide them a CD with a PC/Mac SSH installer and instructions.  As a VAR that is what you do.  That doesn't mean the DIY community shouldn't get SSH in unRAID.


So when you build a setup you can install / enable telnet on unRAID or provide them a CD with a PC/Mac SSH installer and instructions.  As a VAR that is what you do.  That doesn't mean the DIY community shouldn't get SSH in unRAID.

 

Thanks for restating that. I think it was missed.

 

Also Mac users won't have to be provided with an ssh client, as it's already included (Windows is the exception).


The key part of what you said here is " ... people [YOU] have built servers for ..."  ClunkClunk's point was that anyone " ... who can build an unRAID setup ..."

 

So when you build a setup you can install / enable telnet on unRAID or provide them a CD with a PC/Mac SSH installer and instructions.  As a VAR that is what you do.  That doesn't mean the DIY community shouldn't get SSH in unRAID.

What I said also applies to most of my friends and family that have built servers for themselves.

 

Adding SSH is fine, but disabling telnet by default is not a good thing to do in my opinion.


[shrug] I guess I don't see the problem with disabling telnet by default if the user can re-enable it via the GUI.  I'm all for options, and that means including both SSH and telnet.  But I'm also for security by default, and that means BOTH are off by default.  Same with FTP, SFTP, http server, etc.

 

But this starts to get into the larger discussion of unRAID not being designed to be secure.  I don't expect NSA-level hardening and code auditing, but it would be nice if all services not related to the array and array management were off by default.


 

Also Mac users won't have to be provided with an ssh client, as it's already included (Windows is the exception).

 

blah blah blah ... Macs are soooo cool ... blah blah blah  ;D

Attacks on an OS are not warranted.  (please control yourself)

 

Windows is not an exception.  It is just a BSOD waiting to happen.  ;)  Telnet is not visible to most users unless they enable it.

 

Joe L.


As a typical luser who does not know much about Linux and does not have any desire to learn, all of these user privilege issues really turn me off and were extremely frustrating when I upgraded from 4.7...  The main issue there was the privilege script said something like "this could take a while"...  That was the understatement of the year; it should have said "do this right before you go to bed because it might not be finished until tomorrow!"

 

The only reason I would want to telnet to the server is to log in, type "mc" and move some files around instead of waiting for Windoze Exploder to copy stuff down and back up....  It sounds like I will break things if I try to do that in 5.0...

 

What the average user needs is a native Windoze file manager GUI that sends telnet commands behind the scenes to do high performance file management operations on the server.


As a typical luser who does not know much about Linux and does not have any desire to learn, all of these user privilege issues really turn me off and were extremely frustrating when I upgraded from 4.7...  The main issue there was the privilege script said something like "this could take a while"...  That was the understatement of the year; it should have said "do this right before you go to bed because it might not be finished until tomorrow!"

 

The only reason I would want to telnet to the server is to log in, type "mc" and move some files around instead of waiting for Windoze Exploder to copy stuff down and back up....  It sounds like I will break things if I try to do that in 5.0...

 

What the average user needs is a native Windoze file manager GUI that sends telnet commands behind the scenes to do high performance file management operations on the server.

 

You bring up extremely valid points, thank you for your feedback!


It would not matter to me which is enabled and disabled by default, as long as ssh was already included in unRaid. Security-wise, telnet would be the one disabled, but it is not an issue if it was the one enabled by default.

 

Correct me if I am wrong: when the GUI crashes, ssh would be just as much available as telnet, no?

 

As for anyone that does not wish to know anything about Linux, etc., then Tom would be required to build a total upgrade script that does all the work (verify drives, etc.) and shows the progress of the upgrade. Would that be worthwhile? I don't believe so. There are system builders here that could help assist 4.7 owners to 5.0 once it's final.

 

You had to read enough to know what needed to be updated and select the new permission button, so you learned something, like it or not :)

 


The only reason I would want to telnet to the server is to log in, type "mc" and move some files around instead of waiting for Windoze Exploder to copy stuff down and back up....  It sounds like I will break things if I try to do that in 5.0...

 

What the average user needs is a native Windoze file manager GUI that sends telnet commands behind the scenes to do high performance file management operations on the server.

 

Some Linux based NAS systems use a browser-based utility to do exactly that. You can move things around on the server without having to copy to/from your machine, and since it's browser based, it's OS agnostic and permissions can be maintained behind the scenes. I'd love to see unRAID with an equivalent (maybe a plugin?).


This topic is now archived and is closed to further replies.