Friday, July 23, 2010

sshdo, an alternative to sudo

With sudo, you can execute any command (or a configured set of commands) as the root user, optionally after entering your password. That poses some risk if someone learns your password (e.g. through keylogging or eavesdropping).
Instead, you could replace sudo with something that logs in locally through another mechanism, such as SSH. SSH agent forwarding carries your identity along, so you never have to type a password. When you log in to the machine over SSH, the -A or -a option then decides whether agent forwarding (and thus root access from that session) is enabled or disabled.
It's not very fine-grained though, and it won't ask for a password each time you 'sshdo', but you could probably set that up with PAM (multi-factor). I'll look into that later.
Anyway, for root: /root/.ssh/authorized_keys should contain the allowed key. You'll want root access only locally and only via passwordless (key-based) authentication. For that, add to /etc/sshd_config (if 'localhost' resolves to ::1 on your system, use 'Match Address 127.0.0.1,::1' or connect to 127.0.0.1 explicitly):

PermitRootLogin no
Match Address 127.0.0.1
        PermitRootLogin without-password

In your normal user's home directory, you can add an easy-to-use alias similar to sudo to ~/.bashrc or ~/.bash_profile (the working directory is passed in double quotes so that paths containing spaces work):

alias sshdo='ssh -q -t root@localhost -- "cd \"$PWD\" &&" sudo'

Test it and then disable sudo.
Hopefully this gives some good ideas.
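As an added example (not the post's own alias), here is sshdo written as a shell function instead of an alias. ssh joins its command words with spaces and the remote shell re-parses them, so an alias breaks on paths or arguments containing spaces or quotes; the function below single-quotes the working directory and every argument before handing them to ssh. It keeps the post's cd-then-sudo structure and assumes the same setup: root's authorized_keys holds your key and sshd permits root only from 127.0.0.1 with key authentication. The remote_command and shquote helper names are my own.

```shell
#!/bin/sh
# Added example (not the post's alias): sshdo as a shell function that quotes the
# working directory and every argument for the remote shell, so paths and
# arguments containing spaces or quotes survive the trip through ssh.
# Assumes the post's setup: root's authorized_keys holds your key and sshd only
# permits root from 127.0.0.1 with key authentication.

# shquote WORD: wrap WORD in single quotes, escaping embedded single quotes,
# so the remote shell treats it as exactly one argument
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_command DIR CMD [ARGS...]: build the command line the remote root
# shell will run: cd into DIR, then run CMD via sudo as in the post's alias
remote_command() {
    dir=$1
    shift
    cmd="cd $(shquote "$dir") && sudo"
    for arg in "$@"; do
        cmd="$cmd $(shquote "$arg")"
    done
    printf '%s\n' "$cmd"
}

# sshdo CMD [ARGS...]: run CMD as root in the current directory over the
# loopback SSH path; -q quiets warnings, -t allocates a terminal, and
# -- stops ssh from treating a command starting with "-" as its own option
sshdo() {
    ssh -q -t root@localhost -- "$(remote_command "$PWD" "$@")"
}

# Stand-alone demonstration: show what the remote shell would receive
remote_command "/home/me/my dir" ls -l "it's a file"
```

Source the file from ~/.bashrc (or paste the functions there) and use it as "sshdo ls -l"; the demonstration line at the bottom only prints the command string and does not contact sshd.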

Tuesday, July 20, 2010

Static ARP script for OSX

For security reasons, you may wish to set a static ARP entry for your gateway, so that forged ARP replies can't overwrite it. This script automates that step. Note that it doesn't protect against DHCP or MAC spoofing, however.
The script runs whenever a network connection is made or broken, using launchd's ability to watch a path for changes; here the watched path is resolv.conf.
The script determines the default gateway's IP address, keeps polling the ARP table until the corresponding MAC address appears, and then sets the static ARP entry. Note that it trusts whatever MAC the ARP table holds at that moment, so it only helps if the cache is still correct when it runs.
Two files are needed: a launchd configuration file (plist) and a shell script. Make the script executable with chmod +x, copy both files into place, and adjust the filenames and paths (including the script path inside the plist) to match your system. You need to restart to make the configuration active.

The contents of /Users/darkfader/static-arp.sh:

#!/bin/bash
# If resolv.conf was deleted, create an empty one so launchd's WatchPaths can watch it again
touch /var/run/resolv.conf
while true; do
        # Gateway address of the first "default" route
        IP=$(netstat -rn | grep -m 1 '^default' | tr -s ' ' | cut -d' ' -f 2)
        if [ "$IP" == "" ]; then
                exit 0
        fi
        # Match the gateway exactly in the ARP table ("? (IP) at MAC on en0 ...");
        # an unanchored grep for 10.0.0.1 would also match 10.0.0.10
        MAC=$(arp -an | grep -F -m 1 "($IP) " | tr -s ' ' | cut -d' ' -f 4)
        if [ "$MAC" == "" ] || [ "$MAC" == "(incomplete)" ]; then
                # Not resolved yet; retry until the entry appears
                sleep 1
                continue
        fi
        arp -S "$IP" "$MAC"
        exit 0
done
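As an added example (not the post's script), the lookup the script performs is written below as shell functions that read command output from stdin, so it can be exercised offline against constructed samples of "netstat -rn" and "arp -an" output. It goes a little beyond the script in two ways a practitioner would want: it matches the gateway IP exactly (the sample deliberately lists 192.168.1.10 before 192.168.1.1, the case where a substring match picks the wrong entry), and it adds check_gateway, which compares the gateway's current MAC against a pinned value and reports a mismatch, the detection side of the same idea. All function names and the sample output are my own.

```shell
#!/bin/sh
# Added example: the gateway/MAC lookup from the static-arp script as testable
# functions, plus a pinned-MAC comparison. Sample command output is constructed.

# Constructed sample of `netstat -rn` (macOS layout, trimmed)
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           23        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.1.1/32     link#4             UCS             1        0     en0'

# Constructed sample of `arp -an`; 192.168.1.10 is listed before 192.168.1.1
# on purpose, which is exactly the case where a substring grep for
# "192.168.1.1" picks the wrong entry
SAMPLE_ARP='? (192.168.1.10) at 0:1a:2b:3c:4d:6f on en0 ifscope [ethernet]
? (192.168.1.1) at 0:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
? (192.168.1.12) at (incomplete) on en0 ifscope [ethernet]'

# default_gateway: read `netstat -rn` output on stdin, print the gateway of the
# first "default" route (nothing if there is none)
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# arp_mac IP: read `arp -an` output on stdin, print the MAC for exactly that IP;
# prints nothing for an absent or "(incomplete)" entry
arp_mac() {
    awk -v ip="($1)" '$2 == ip && $4 != "(incomplete)" { print $4; exit }'
}

# normalize_mac MAC: lower-case and zero-pad each octet, because macOS prints
# "0:1a:..." while a pinned value is usually written "00:1a:..."
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = tolower($i)
            if (length(o) == 1) o = "0" o
            sep = (i > 1) ? ":" : ""
            out = out sep o
        }
        print out
    }'
}

# check_gateway PINNED_MAC ROUTES_TEXT ARP_TEXT
#   returns 0 if the gateway's current MAC equals the pinned one,
#           1 if it differs (worth investigating),
#           2 if the gateway or its MAC cannot be determined yet
check_gateway() {
    pinned=$(normalize_mac "$1")
    gw=$(printf '%s\n' "$2" | default_gateway)
    [ -n "$gw" ] || return 2
    mac=$(printf '%s\n' "$3" | arp_mac "$gw")
    [ -n "$mac" ] || return 2
    [ "$(normalize_mac "$mac")" = "$pinned" ]
}

# Stand-alone demonstration on the constructed samples; to run it live, pass
# "$(netstat -rn)" and "$(arp -an)" instead of the samples
if check_gateway 00:1A:2B:3C:4D:5E "$SAMPLE_ROUTES" "$SAMPLE_ARP"; then
    echo "gateway MAC matches pinned value"
else
    echo "gateway MAC check failed (status $?)"
fi
```

Pin the MAC you verified out of band (printed on the router, or read from its own management interface) and run check_gateway from a periodic launchd job; a status of 1 after the static entry was set means the table no longer says what you pinned and deserves a look.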

The contents of /Library/LaunchDaemons/net.darkfader.static-arp.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>net.darkfader.static-arp</string>
        <key>ProgramArguments</key>
        <array>
                <string>/Users/darkfader/static-arp.sh</string>
        </array>
        <key>QueueDirectories</key>
        <array/>
        <key>WatchPaths</key>
        <array>
                <string>/var/run/resolv.conf</string>
        </array>
</dict>
</plist>