Bob Killick wrote:
Hello:
I am trying to load NAV 3.1.1 onto a basic CentOS4.4 installation.
My problem is likely embarrassingly simple and concerns a point near the start of the "InstallingOnRHEL4" document for NAV3.1.1.
.. at the section.
##
## Make a local user
##
useradd -c "John Doe" nn
passwd nn
.. I create a simple user called "NAVNIA" as well as an appropriate password.
Soon thereafter you are asked to reboot and log in as the new user.
.. Logged in as NAVNIA, that user has no root privilege or access to root level commands that now have to be executed to complete the install. While I know it is best practice not to run as root, I just don't get what I need to do to have the new user (NAVNIA) complete the install. It doesn't seem right to simply su root every time you need that privilege.
As I said, a very basic question I'm sure, but my MS-Windows admin experience is simply no help here and my access to Linux help is simply zero. I am quite interested in getting NAV up and running as a means of show-casing the OpenSource possibilities as well as hoping to see a viable alternative to our Peregrine PND NMS. Our network has about 1600 devices and NAV looks very inviting!
Any insight would be appreciated.
Hi Bob.
Welcome to the world of NAV.
The reason I wrote the document InstallingOnRHEL4 is that I know that there are people that want to use programs like NAV but still do not have the knowledge to find out how to get it running on a Linux machine. Don't worry, that knowledge will be there soon, it is much easier than the Linux hackers want you to believe :-)
But I obviously failed in this part of the documentation. Yes, you are right. Best practice, also on Linux, is to not run as root before you really need to.
But installation of NAV requires root _all the time_.
So why then the local user? Answer: we have sshd running.
Your local user(s) are accounts that are not default accounts, like root is. Since I did not do any setup for the built-in firewall, that means this ssh server is open for everyone to try to log in to. And since all Linux machines have root, that is the account they will try the most to guess the password on. You should see the ssh logs from the machines I have ssh open to the world :-)
As you can see right below the local users creation I added, among others, a line in the config for sshd that says "AllowUsers nn". This "AllowUsers" line means that only the specified accounts are allowed to log in through sshd. You may see that I have a "PermitRootLogin no" line there also, but that only "kicks in" when you don't have an "AllowUsers" line. Then all other accounts than root are allowed to log in, also other default accounts.
So this is how I work when installing NAV. I make the local user. After reboot I log in to the server with the program putty[1] from my Windows workstation (so I can sit in my office instead of in the server-room, have a much bigger window than the console screen, and can copy and paste from the installation manual) as the local user and then use the command:
[user@nav ~]$ su -
Password:
[root@nav ~]#
and then I continue with the installation manual.
I hope this answers your question of why you have to su root all the time.
I will in the next version of the InstallingOnRHEL4 configure the firewall, specifying which IP addresses will be allowed to ssh to the machine, but that is still no reason to not have a local user, and to not add these lines to the sshd configuration. Security in depth is always the best.
Best regards,
- Roger
PS Do you use the new version of InstallingOnRHEL4 with edits by Morten Brekkevold for the 3.1 version?
[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
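
An added example, not part of the original message or of the NAV documentation: a small shell check that reads an sshd_config and reports whether a given account passes the two directives discussed above, AllowUsers and PermitRootLogin. The function name, the sample configs and the simplifications (no Match blocks, no "!" negated patterns, the @host part of an entry ignored, only "PermitRootLogin no" treated as blocking) are assumptions made for this example.

```sh
#!/bin/sh
# Added example: evaluates only AllowUsers and PermitRootLogin.
# Simplifications (assumptions): no Match blocks, no "!" negated patterns,
# the @host part of user@host entries is ignored.

# can_ssh_login USER CONFIG_FILE -> exit status 0 if USER passes both directives
can_ssh_login() (
    user=$1; conf=$2
    set -f   # keep * and ? in AllowUsers patterns from expanding to filenames
    # sshd keywords are case-insensitive; for PermitRootLogin the first value wins.
    prl=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$conf")
    # AllowUsers may appear on several lines; collect every pattern.
    allow=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$conf")

    # "PermitRootLogin no" denies root whether or not AllowUsers is present.
    if [ "$user" = root ] && [ "$prl" = no ]; then exit 1; fi
    # Without any AllowUsers line, every remaining account may attempt a login.
    [ -z "$allow" ] && exit 0
    for pat in $allow; do
        case $user in ${pat%%@*}) exit 0 ;; esac
    done
    exit 1
)

# Constructed sample configs (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'PermitRootLogin no\nAllowUsers nn\n' > "$demo_dir/both"
printf 'PermitRootLogin no\n'                > "$demo_dir/rootonly"
printf '# AllowUsers nn\n'                   > "$demo_dir/neither"

# "bin" stands in for any other default account present on the system.
for conf in both rootonly neither; do
    for u in nn root bin; do
        if can_ssh_login "$u" "$demo_dir/$conf"; then r=allowed; else r=denied; fi
        printf '%-9s %-5s %s\n' "$conf" "$u" "$r"
    done
done
```

Run it against a copy of /etc/ssh/sshd_config to confirm that only the intended local account passes before exposing sshd to the network.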