Jul 30
Is it possible to audit Unix/Linux server root access per task and on temporary basis?
Yes.
Years ago I wrote a ’sudo’ equivalent in W32, but with a big twist. It was called “RunAuth”. It used the API “run as” mechanisms. It gave admin access based on an OTP (http://en.wikipedia.org/wiki/One_time_password). The OTP was NOT automatic. The person had to call the helpdesk to get a code. It was based on a shared secret and MD5. Secondly, the code provided defined the exact process that could be executed by the RunAuth client.
Use Case:
A field sales person wants to install a new HP printer. The user does NOT have local admin. How do you install a printer driver without shipping the computer to IT?
Solution:
Start RunAuth, choose "install printer driver", and a challenge code is presented. The user reads the code to the IT person over the phone. IT provides a response code that immediately executes the install-printer wizard as admin. The actual MD5 signature of the DLL or EXE is also validated before running, to ensure no trojan or backdoor is introduced. Upon completion of the task, the machine logs out the user or requires a reboot.
Point:
The same can be accomplished in Linux.
Think of sudo with one-time-password access. Why is this important? Because it means admins don't have sole control over root access. It requires "dual" access: someone else, who is not an admin, has to consent to the changes or the stated objective in order to provide the admin with a one-time sudo password. So if automated provisioning cannot handle a task, or an emergency occurs, there is still a regimented procedure for performing ad hoc tasks, but with change control enforced at the OS.
I'd like to hear opinions.
H
Tagged with: challenge-reponse • md5 • otp • runas • sudo • unix
Feb 15
The problem is how to securely lock down your firewalls for very privileged services like SSH or an intranet server.
Is adding port knocking together with OTP a good, solid solution for perimeter defense? I'm going to play with this. The idea:
- Port knock sequence numbers are based on a secret key and a cipher, which produce a sequence of 16-bit port numbers, e.g. "7111 31189 40922".
- That is the UDP knock: 7111, 31189, and 40922.
- These numbers change approx. every 1-2 minutes, based on the secret key, the cipher, and a date/time seed.
- The payload of each packet is a sequence number + 2-digit OTP number,
e.g. packet 1: "1|3dz", packet 2: "2|js9", packet 3: "3|34m".
- There is a REQUEST packet that goes to another port based on the cipher, e.g. 5433 (changes daily?).
The request packet carries the next sequence number and asks for the port to open (22, ssh, in this example). It is ENCRYPTED and also includes the client's IP address, like so: "4|22|67.100.40.23" => encrypted as "f321a0a5eb48f2ef2f89f52124bcc11a".
- The entire sequence is bracketed by a START port number and an END port number that change every day, each with a simple string as payload, e.g. START port: 8765, END port: 64100. So the entire OTP + port knock sequence from my OTP+port knock client is:
- UDP: 8765 => "START_PK_SEQ"
- UDP: 7111 => "1|3dz"
- UDP: 31189 => "2|js9"
- UDP: 40922 => "3|34m"
- UDP: 5433 => "f321a0a5eb48f2ef2f89f52124bcc11a"
- UDP: 64100 => "END_PK_SEQ"
Port 22 is now open on the host firewall for the requesting IP, based on successfully decrypting packet #5.
- In theory this would be resistant against man-in-the-middle and replay attacks.
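An added example (not code from the original post) of the server-side checks this scheme needs: time-slotted knock ports and OTP payloads derived from a shared secret, a REQUEST packet bound to the requesting IP, and a replay cache. It assumes HMAC-SHA256 as the "secret key and cipher", a 90-second rotation slot, and an HMAC tag on the request in place of encryption; the secret and IPs are constructed sample values.

```python
import hmac, hashlib

SLOT_SECONDS = 90          # assumption: post says ports rotate "approx. every 1-2 minutes"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def slot_of(ts):
    return int(ts // SLOT_SECONDS)

def prf(secret, label, slot_no):
    # HMAC-SHA256 stands in for the post's unspecified "secret key and cipher"
    return hmac.new(secret, f"{label}|{slot_no}".encode(), hashlib.sha256).digest()

def knock_sequence(secret, slot_no, count=3):
    # Returns [(udp_port, payload)], e.g. (7111, "1|3dz"): a 16-bit port from the
    # PRF output, payload = sequence number + 3-char OTP (as in the post's example)
    seq = []
    for i in range(1, count + 1):
        d = prf(secret, f"knock{i}", slot_no)
        port = 1024 + int.from_bytes(d[:2], "big") % (65535 - 1024)
        otp = "".join(ALPHABET[b % len(ALPHABET)] for b in d[2:5])
        seq.append((port, f"{i}|{otp}"))
    return seq

def request_tag(secret, slot_no, seq_no, service_port, client_ip):
    # The REQUEST packet "4|22|<ip>": an HMAC tag instead of encryption (assumption),
    # which still binds the requested port to the requesting IP and the time slot
    msg = f"{seq_no}|{service_port}|{client_ip}"
    return hmac.new(secret, f"{msg}|{slot_no}".encode(), hashlib.sha256).hexdigest()

class KnockVerifier:
    """Server side: validates knocks + request, remembers accepted tags to stop replay."""
    def __init__(self, secret):
        self.secret, self.used = secret, set()

    def verify(self, src_ip, knocks, request, now):
        # knocks: [(port, payload)] as observed; request: (seq_no, service_port, tag)
        for s in (slot_of(now), slot_of(now) - 1):   # tolerate one slot of clock skew
            exp = knock_sequence(self.secret, s)
            got = "\n".join(f"{p}:{d}" for p, d in knocks)
            want = "\n".join(f"{p}:{d}" for p, d in exp)
            if not hmac.compare_digest(got, want):
                continue
            n, svc, tag = request
            if n != len(exp) + 1:          # request must carry the next sequence number
                return None
            want_tag = request_tag(self.secret, s, n, svc, src_ip)  # bound to observed source IP
            if not hmac.compare_digest(tag, want_tag) or (s, tag) in self.used:
                return None                # wrong IP, stale slot, or a replayed request
            self.used.add((s, tag))
            return (src_ip, svc)           # firewall would now open svc for src_ip only
        return None
```

A captured sequence replayed from another address fails because the tag is recomputed over the source IP the server actually observed, and replaying it from the same address fails on the cache.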
Tagged with: otp • port knocking • Security