"J. Bakshi" 04-12-2012 05:52 AM

How to restrict normal ssh user to become root ?
 
Hello list,

How can I prevent general ssh users from having su or sudo power?
Just in case they know the root password by any chance....
On the remote box, remote root login is disabled and one can only
log in as a normal user and then needs to do su to get root access. Only a few
users know the root password. How can I prevent the other logins from using su / sudo
even if they know the root password by any means?

Thanks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120412112204.0f54a876@shiva.selfip.org

Brian 04-12-2012 09:06 AM

On Thu 12 Apr 2012 at 11:22:04 +0530, J. Bakshi wrote:

> How can I prevent general ssh users from having su or sudo power?
> Just in case they know the root password by any chance....
> On the remote box, remote root login is disabled and one can only
> log in as a normal user and then needs to do su to get root access. Only a few
> users know the root password. How can I prevent the other logins from using su / sudo
> even if they know the root password by any means?

You are attempting to solve a social problem using technical means. This
will fail. If you do not trust the users who have the root password they
should not be in possession of it.


--
Archive: http://lists.debian.org/20120412090642.GQ16316@desktop

Andrei POPESCU 04-12-2012 10:51 AM

On Thu, 12 Apr 12, 11:22:04, J. Bakshi wrote:
> Hello list,
>
> How can I prevent general ssh users from having su or sudo power?
> Just in case they know the root password by any chance....
> On the remote box, remote root login is disabled and one can only
> log in as a normal user and then needs to do su to get root access. Only a few
> users know the root password. How can I prevent the other logins from using su / sudo
> even if they know the root password by any means?

Disable the root password completely and use only 'sudo'.

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

Armin Haas 04-12-2012 12:38 PM

For su, maybe using pam_wheel.so in /etc/pam.d/su is what you are
looking for.

sudo has its own conf file(s) (/etc/sudoers and all files in
/etc/sudoers.d/) in addition to /etc/pam.d/sudo

Consider the possibility that the users you don't trust and who know the
root password already installed a backdoor on your box.

Cheers

Armin

"J. Bakshi" 04-13-2012 05:15 AM

On Thu, 12 Apr 2012 14:38:30 +0200
Armin Haas <armin@awawa.de> wrote:

> For su, maybe using pam_wheel.so in /etc/pam.d/su is what you are
> looking for.
>
> sudo has its own conf file(s) (/etc/sudoers and all files in
> /etc/sudoers.d/) in addition to /etc/pam.d/sudo
>
> Consider the possibility that the users you don't trust and who know the
> root password already installed a backdoor on your box.
>
> Cheers
>
> Armin

Many, many thanks. Based on your clue I got this link

http://mindref.blogspot.in/2010/04/protect-su-with-pamwheel.html

This is exactly what I have long been looking for.

Once again, thanks


--
Archive: http://lists.debian.org/20120413104518.542da64a@shiva.selfip.org

Brian 04-13-2012 11:18 AM

On Fri 13 Apr 2012 at 10:45:18 +0530, J. Bakshi wrote:

> Many, many thanks. Based on your clue I got this link
>
> http://mindref.blogspot.in/2010/04/protect-su-with-pamwheel.html
>
> This is exactly what I have long been looking for.

Your users A and B are given the root password. Users X and Y are not,
so they can only acquire it through A or B. If A is slack in looking
after the root password there is no reason to believe she would be any
more careful in guarding the password for her own account. X can now
add himself to the wheel group.

Y is actually well ahead of you. She knew about pam_wheel and has set
it up to su without a password. She has also devised a way of hiding
what she has done from you.


--
Archive: http://lists.debian.org/20120413111856.GQ16316@desktop
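
An added example, not part of any post in this thread: a read-only check of the two things raised above, namely whether the su PAM file has an active pam_wheel.so line (and whether it carries the trust option, which lets group members su without a password) and who is currently in the group. The function name, user names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of how su is gated by pam_wheel.
# audit_su_wheel PAM_FILE GROUP_FILE -> prints findings; returns 0 only when
# su is limited to a group and no active pam_wheel.so line uses trust or deny.
audit_su_wheel() {
    pam_file=$1; group_file=$2; rc=0
    # Active (uncommented) auth lines that load pam_wheel.so
    active=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$pam_file" || :)
    if [ -z "$active" ]; then
        echo "OPEN: no active pam_wheel.so line; the root password alone allows su"
        return 1
    fi
    while IFS= read -r line; do
        # Collapse tabs/spaces so options can be matched as whole words
        norm=$(printf '%s' "$line" | tr -s '[:space:]' ' ')
        # group=NAME selects the group; without it pam_wheel checks "wheel"
        grp=$(printf '%s\n' "$norm" | sed -n 's/.* group=\([^ ]*\).*/\1/p')
        [ -n "$grp" ] || grp=wheel
        case " $norm " in
            *" trust "*) echo "TRUST: members of '$grp' can su without a password"; rc=1 ;;
            *" deny "*)  echo "DENY: members of '$grp' are refused su"; rc=1 ;;
            *)           echo "RESTRICTED: su limited to members of '$grp'" ;;
        esac
        # Field 4 of the group file holds the supplementary members
        members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$group_file")
        echo "MEMBERS($grp): ${members:-<none>}"
    done <<EOF
$active
EOF
    return $rc
}

# Constructed sample files (not from a real host): userx has been added to
# wheel, and the second su file carries a "trust" option.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# auth required pam_wheel.so' \
        'auth required pam_wheel.so group=wheel' > "$d/su.restricted"
    printf '%s\n' 'auth sufficient pam_wheel.so trust' > "$d/su.trust"
    printf '%s\n' 'root:x:0:' 'wheel:x:999:usera,userb,userx' > "$d/group"
    audit_su_wheel "$d/su.restricted" "$d/group" || :
    audit_su_wheel "$d/su.trust" "$d/group" || :
    rm -rf "$d"
}
demo
```

On a Debian host the call would be `audit_su_wheel /etc/pam.d/su /etc/group`. Users whose primary group is the checked group do not appear in the member field of /etc/group, so compare against /etc/passwd as well.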

