2

I run a small server running Ubuntu Server 14.04 and have just noticed that the .ssh folder in the user's home directory is accessible via SMB and NFS.

The SMB and NFS are both secured, however I feel this is a weak spot in the server security as I have restricted access to SSH via key auth only.

What does everyone do to ensure the .ssh folder cannot be reached except via SSH?

I have been looking around and cannot find a generally accepted method. I have looked into restricting and excluding access to certain folders within NFS and SMB shares but this feels more like a workaround than a specific solution to me.

Craig Lowe
  • What is your perceived danger? Users with SSH access changing their keys etc., or users without SSH access giving themselves SSH access? Or something else? – fukawi2 Jul 03 '15 at 01:16

2 Answers

1

Modifying Samba and/or NFS is not the proper solution here.

Instead, further restrict SSH access in /etc/ssh/sshd_config to those users who should have access by using AllowGroups/AllowUsers. You may also be interested in using Match blocks, depending on your situation.

84104
0

You will want to configure veto files in the settings.

https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#VETOFILES

On top of that you should make sure that the settings for these directories are 600 or lower, so no other users can execute. But if it's only the one user that is accessing their own home directory, the risk should be minimal. It would be ill-advised to share the entire /home/ over SMB for everyone to access.

chrisw9808
  • Thank you. What would you suggest for NFS shares though? I know the risk is minimal; it just made me curious, as the key auth is to drastically reduce the effectiveness of brute force attacks, whereas SMB could be brute forced. – Craig Lowe Jun 25 '15 at 14:58
  • 700 or 600 permissions should allow only the user who owns the directory to access it, and the nfs user on the server will not be able to export it. You could also symlink the directory you do want to export to a new directory then export that, but it would all depend on your setup. – chrisw9808 Jun 25 '15 at 15:11
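As an added example (not code from either answer), a POSIX shell audit that checks the two controls the answers recommend: the .ssh directory at 0700 with 0600 files, and an uncommented AllowUsers/AllowGroups line in sshd_config. The fixture paths, the key text and the sshusers group name are constructed for the demo.

```shell
#!/bin/sh
# Audit helpers for the .ssh exposure discussed in this thread (constructed
# example, not code from the answers). Assumes POSIX find(1) and grep(1);
# exact-mode -perm tests and "!" negation are POSIX.

# ssh_dir_ok DIR: succeeds only if DIR is mode 0700 and every regular file in
# it (private keys, authorized_keys, config) is mode 0600, as recommended above.
ssh_dir_ok() {
  [ -d "$1" ] || return 1
  # -prune stops descent; -perm 700 is an exact match, so any group/other bit fails
  [ -n "$(find "$1" -prune -perm 700 -print)" ] || return 1
  # any regular file that is not exactly 0600 is a finding
  [ -z "$(find "$1" -type f ! -perm 600 -print)" ]
}

# sshd_restricts_users FILE: succeeds if the sshd_config carries an
# uncommented AllowUsers or AllowGroups directive (the first answer's advice).
sshd_restricts_users() {
  grep -Eq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]]' "$1"
}

# make_fixture good|bad: builds a constructed home directory under a temp dir
# and prints its path, so the checks run without touching real accounts.
make_fixture() {
  home=$(mktemp -d)
  mkdir "$home/.ssh"
  printf 'ssh-ed25519 CONSTRUCTED-KEY-MATERIAL user@example\n' \
    > "$home/.ssh/authorized_keys"
  printf 'PasswordAuthentication no\n' > "$home/sshd_config"
  if [ "$1" = good ]; then
    chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys"
    printf 'AllowGroups sshusers\n' >> "$home/sshd_config"
  else
    # world-readable: what an unrestricted SMB/NFS export of /home exposes
    chmod 755 "$home/.ssh" && chmod 644 "$home/.ssh/authorized_keys"
    printf '# AllowGroups sshusers\n' >> "$home/sshd_config"
  fi
  printf '%s\n' "$home"
}

# audit_home HOME: prints one line per check; returns 0 only if both pass.
audit_home() {
  rc=0
  if ssh_dir_ok "$1/.ssh"; then echo "OK   $1/.ssh permissions"
  else echo "FAIL $1/.ssh is reachable by other users"; rc=1; fi
  if sshd_restricts_users "$1/sshd_config"; then echo "OK   AllowUsers/AllowGroups set"
  else echo "FAIL sshd_config has no AllowUsers/AllowGroups"; rc=1; fi
  return $rc
}
```

Run `audit_home /home/someuser` against a real account only after adapting the sshd_config path, since the fixture keeps a copy next to .ssh purely for the demo.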