How to restrict normal ssh user to become root ?

04-12-2012, 05:52 AM
"J. Bakshi"

Hello list,

How can I prevent general ssh users from having su or sudo power?
Just they know the root password by any chance....
On the remote box, remote root login is disabled and one can only
log in as a normal user and then needs to do su to get root access. Only a few
users know the root password. How can I prevent the other logins from using su / sudo
even if they know the root password by any means?

Thanks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120412112204.0f54a876@shiva.selfip.org
 
04-12-2012, 09:06 AM
Brian

On Thu 12 Apr 2012 at 11:22:04 +0530, J. Bakshi wrote:

> How can I prevent general ssh users from having su or sudo power?
> Just they know the root password by any chance....
> On the remote box, remote root login is disabled and one can only
> log in as a normal user and then needs to do su to get root access. Only a few
> users know the root password. How can I prevent the other logins from using su / sudo
> even if they know the root password by any means?

You are attempting to solve a social problem using technical means. This
will fail. If you do not trust the users who have the root password they
should not be in possession of it.


--
Archive: http://lists.debian.org/20120412090642.GQ16316@desktop
 
04-12-2012, 10:51 AM
Andrei POPESCU

On Thu, 12 Apr 12, 11:22:04, J. Bakshi wrote:
> Hello list,
>
> How can I prevent general ssh users from having su or sudo power?
> Just they know the root password by any chance....
> On the remote box, remote root login is disabled and one can only
> log in as a normal user and then needs to do su to get root access. Only a few
> users know the root password. How can I prevent the other logins from using su / sudo
> even if they know the root password by any means?

Disable the root password completely and use only 'sudo'.

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
04-12-2012, 12:38 PM
Armin Haas

For su, maybe using pam_wheel.so in /etc/pam.d/su is what you are
looking for.

sudo has its own conf file(s) (/etc/sudoers and all files in
/etc/sudoers.d/) in addition to /etc/pam.d/sudo

Consider the possibility that the users you don't trust and who know the
root password already installed a backdoor on your box.

Cheers

Armin
 
04-13-2012, 05:15 AM
"J. Bakshi"

On Thu, 12 Apr 2012 14:38:30 +0200
Armin Haas <armin@awawa.de> wrote:

> For su, maybe using pam_wheel.so in /etc/pam.d/su is what you are
> looking for.
>
> sudo has its own conf file(s) (/etc/sudoers and all files in
> /etc/sudoers.d/) in addition to /etc/pam.d/sudo
>
> Consider the possibility that the users you don't trust and who know the
> root password already installed a backdoor on your box.
>
> Cheers
>
> Armin

Many many thanks. Based on your clue I got this link

http://mindref.blogspot.in/2010/04/protect-su-with-pamwheel.html

This is exactly what I have been looking for for a long time.

Once again Thanks


--
Archive: http://lists.debian.org/20120413104518.542da64a@shiva.selfip.org
 
04-13-2012, 11:18 AM
Brian

On Fri 13 Apr 2012 at 10:45:18 +0530, J. Bakshi wrote:

> Many many thanks. Based on your clue I got this link
>
> http://mindref.blogspot.in/2010/04/protect-su-with-pamwheel.html
>
> This is exactly what I have been looking for for a long time.

Your users A and B are given the root password. Users X and Y are not
so they can only acquire it through A or B. If A is slack in looking
after the root password there is no reason to believe she would be any
more careful in guarding the password for her own account. X can now
add himself to the wheel group,

Y is actually well ahead of you. She knew about pam_wheel and has set
it up to su without a password. She has also devised a way of hiding
what she has done from you.


--
Archive: http://lists.debian.org/20120413111856.GU16316@desktop
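
An added example, not part of any post in this thread: a small audit of the pam_wheel setup Armin suggests for /etc/pam.d/su, covering the two failure cases Brian describes (an unexpected account in the wheel group, and a pam_wheel "trust" rule that lets members su without a password). The file contents and the user names alice, bob and xavier are constructed samples; it reads only simple PAM control values and supplementary group membership.

```python
# Constructed sample of /etc/pam.d/su (not from a real host).
SAMPLE_PAM_SU = """\
auth       sufficient pam_rootok.so
# auth     required   pam_wheel.so
auth       sufficient pam_wheel.so trust group=wheel
@include common-auth
"""
# Constructed sample of /etc/group.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:1001:alice,bob,xavier
"""

def wheel_rules(pam_text):
    """Active pam_wheel auth rules as (control, options); simple controls only."""
    rules = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith("pam_wheel.so"):
            rules.append((fields[1], fields[3:]))
    return rules

def group_members(group_text, name):
    """Supplementary members of a group from /etc/group-style text."""
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] == name:
            return {m for m in parts[3].split(",") if m}
    return set()

def audit(pam_text, group_text, expected_admins):
    """Return findings for the su restriction described in the thread."""
    findings, group = [], "wheel"
    rules = wheel_rules(pam_text)
    if not any(ctl in ("required", "requisite") and "deny" not in opts
               for ctl, opts in rules):
        findings.append("su is open to all users: no required pam_wheel rule")
    for ctl, opts in rules:
        if "trust" in opts:
            findings.append("pam_wheel trust is active: members su without a password")
        for opt in opts:
            if opt.startswith("group="):
                group = opt.split("=", 1)[1]
    for user in sorted(group_members(group_text, group) - set(expected_admins)):
        findings.append(f"unexpected member of {group}: {user}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM_SU, SAMPLE_GROUP, {"alice", "bob"}):
        print(finding)
```

Running it from a scheduled job against the real files, with the expected administrators kept somewhere the wheel members cannot edit, turns a silent change into a reported one.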
 

All times are GMT.