Old 08-18-2008, 09:09 PM
Knapp
 
Default ssh and tty and sudoers file.

From the sudoers man file:

"
requiretty

If set, sudo will only run when the user is logged in to a real tty. This will disallow things like "rsh somehost sudo ls" since rsh(1) does not allocate a tty. Because it is not possible to turn off echo when there is no tty present, some sites may wish to set this flag to prevent a user from entering a visible password. This flag is off by default.
"

Does ssh log into a real tty?
If not, then all we have to do to limit sudo use to the local keyboarder is set this, right?

--
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page



--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 08-18-2008, 11:28 PM
"Brian McKee"
 
Default ssh and tty and sudoers file.

On Mon, Aug 18, 2008 at 5:09 PM, Knapp <magick.crow@gmail.com> wrote:
> From sudoers man file.
>
> "
>
> requiretty
>
> If set, sudo will only run when the user is logged in to a real tty.
{snip}
> Does ssh log into a real tty??
> If not then all we have to do to limit sudo use to the local keyboarder is
> set this, right?

ssh normally logs into a pty - see?

> 29076 ? S 0:00 sshd: brian@pts/0
> 29078 pts/0 Rs 0:00 \_ -bash
> 29101 pts/0 R+ 0:00 \_ ps xfw
> 29102 pts/0 S+ 0:00 \_ less

But, it can be overridden - see man ssh
> -t  Force pseudo-tty allocation. This can be used to execute arbitrary
>     screen-based programs on a remote machine, which can be very useful,
>     e.g. when implementing menu services. Multiple -t options force tty
>     allocation, even if ssh has no local tty.

sshd (note the d) has a no-pty option, but I don't know how that works.

I'm not a sudo expert, but it would seem more natural to me to
restrict sudo by group membership rather than physical location.
After all, if you trust them with access to sudo then you should trust
them not to lose their ssh key... Note also (and you may know this)
that sudo can be very finely tuned so that it only runs certain
programs etc.

Lastly, I see from a Google search that ssh can deny groups as well as users:
http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html
So why not put all the sudo people in a group and then deny that group through ssh?

Obviously, test whatever you set up.

HTH
Brian

 
Old 08-19-2008, 05:22 AM
Knapp
 
Default ssh and tty and sudoers file.

On Tue, Aug 19, 2008 at 1:28 AM, Brian McKee <brian.mckee@gmail.com> wrote:

The original idea was that if you get hacked somehow (weak keys come to mind from that programming error) then the hacker is not allowed to use su (turned off) or sudo (limited to localhost use only).

You could do what you say, but that would make it so that if you needed sudo you must sign out of your normal account and sign in as a sysop. Sudo was made to avoid that in the first place.
--
Douglas E Knapp


http://sf-journey-creations.wikispot.org/Front_Page


 
Old 08-19-2008, 03:56 PM
"Brian McKee"
 
Default ssh and tty and sudoers file.

On Tue, Aug 19, 2008 at 1:22 AM, Knapp <magick.crow@gmail.com> wrote:
> The original idea was that if you get hacked somehow (weak keys comes to
> mind from that programming error) then the hacker is not allowed to use su
> (turned off)or sudo (limited to localhost use only).
>
> You could do what you say but that would make it so that if you needed sudo
> you must sign out of your normal account and sign in as a sysop. Sudo was
> made to avoid that in the first place.

As opposed to signing off and moving to the console to log in locally?
Not sure I see the gain unless it's more of a single user box than a
server, but note my last suggestion:

>> lastly I see from a google search that ssh can deny groups as well as users -
>> http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html
>> so why not put all the sudo people in a group and then deny that group thru ssh?

Assuming you only allow access via ssh remotely (and not telnet et
al), then this would do what you are looking for.

Brian

 
Old 08-19-2008, 04:13 PM
Derek Broughton
 
Default ssh and tty and sudoers file.

Brian McKee wrote:

> On Tue, Aug 19, 2008 at 1:22 AM, Knapp <magick.crow@gmail.com> wrote:
>> The original idea was that if you get hacked somehow (weak keys comes to
>> mind from that programming error) then the hacker is not allowed to use
>> su (turned off)or sudo (limited to localhost use only).
>>
>> You could do what you say but that would make it so that if you needed
>> sudo you must sign out of your normal account and sign in as a sysop.
>> Sudo was made to avoid that in the first place.
>
> As opposed to signing off and moving to the console to log in locally?

No, as opposed to signing off and using a shared password to log into the
root account.

> Not sure I see the gain unless it's more of a single user box than a
> server, but note my last suggestion

And this particular advantage of sudo is only really applicable to servers.

--
derek


 
Old 08-19-2008, 08:04 PM
Knapp
 
Default ssh and tty and sudoers file.

On Tue, Aug 19, 2008 at 6:13 PM, Derek Broughton <news@pointerstop.ca> wrote:

Don't mean to be mean, but the subject of this email IS ssh and tty and sudoers file.
SSH is a server.
Thus, when I am at home with my computer I want to use sudo, but when I am at work I really don't need it, nor does anyone else that might hack into my computer from a remote place; thus blocking all people that are not at my keyboard is a good idea.

Also, this computer does have about 10 others that use it. Not a lot, but enough to make it sort of public.

--
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page



 
Old 08-19-2008, 11:56 PM
"Brian McKee"
 
Default ssh and tty and sudoers file.

On Tue, Aug 19, 2008 at 4:04 PM, Knapp <magick.crow@gmail.com> wrote:
> Don't mean to be mean but the subject of this email IS ssh and tty and
> sudoers file.
> SSH is a server.
> Thus, when I am at home with my computer I want to use sudo but when I am at
> work I really don't need it or does anyone else that might hack into my my
> computer from a remote place thus blocking all people that are not at my
> keyboard is a good idea.
>
> Also this computer does have about 10 others that use it. Not a lot but
> enough to make it sort of public.

Hi Douglas

I think I'm being dense here. Please, let me know why my suggestion
of blocking the users in the sudo group from using the ssh server does
not fulfill your needs? That restricts sudo to the console, which I
thought was the goal. Or are you trying to make it 'location aware',
e.g. you can only sudo when your computer is on a certain network?

Brian

 
Old 08-20-2008, 05:38 AM
Knapp
 
Default ssh and tty and sudoers file.

On Wed, Aug 20, 2008 at 1:56 AM, Brian McKee <brian.mckee@gmail.com> wrote:

I like your suggestion and it would work, but it would mean that I would need 2 accounts, as would all the other people that might need to use sudo. This is ok but not perfect because, as you said, it can be limited based on location.

So what I would like is for the computer to know when I am at the home keyboard and then allow sudo, but not at any other time. Perhaps this is the perfectionist in me coming out, but it also means fewer users/passwords for someone to crack.


Thanks,

--
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page


 
Old 08-20-2008, 11:24 AM
Smoot Carl-Mitchell
 
Default ssh and tty and sudoers file.

On Wed, 2008-08-20 at 07:38 +0200, Knapp wrote:

>
> I like your suggestion and it would work but it would mean that I
> would need 2 accounts as would all the other people that might need to
> use sudo. This is ok but not perfect because as you said it can be
> limited based on location.

Take a look at this:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_listfile.html

You should be able to use this pam module in the /etc/pam.d/sudo
configuration to limit sudo access to a list of specific ttys.
--
Smoot Carl-Mitchell
System/Network Architect
smoot@tic.com
+1 480 922 7313
cell: +1 602 421 9005

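As an added example, not configuration posted by anyone in this thread: the requiretty flag from the opening question placed next to the pam_listfile setup Smoot points at, which is what actually tells a physical console apart from an ssh session. Assumed here: an Ubuntu-style /etc/pam.d/sudo that pulls in common-auth via @include, that pam_listfile compares the tty name without its /dev/ prefix, and the list file name /etc/sudo.console_ttys, which is made up for this example.

```conf
# /etc/sudoers (edit with visudo): refuse sudo when there is no tty at all.
# On its own this does NOT keep ssh users out: an interactive ssh login gets
# a pseudo-tty (the pts/0 in Brian's ps output), and "ssh -t" forces one.
Defaults    requiretty

# /etc/pam.d/sudo: check the tty allow-list before any password prompt.
#   item=tty     -> compare the tty PAM was given for this session
#   sense=allow  -> only ttys listed in the file may continue
#   onerr=fail   -> a missing or unreadable list file means "deny"
# Keep this line ABOVE the @include so the list is consulted first
# (Ubuntu layout assumed; the rest of the file stays as shipped).
auth    required    pam_listfile.so onerr=fail item=tty sense=allow file=/etc/sudo.console_ttys
@include common-auth

# /etc/sudo.console_ttys: one tty name per line, without /dev/ (assumption;
# confirm with "tty" from a console login and from an ssh login).
# Only the text consoles are listed; an ssh session runs on pts/N, which is
# absent, so sudo is refused there while the same account can still log in.
# pam_listfile rejects a world-writable list file, so after creating it:
#   chown root:root /etc/sudo.console_ttys && chmod 0644 /etc/sudo.console_ttys
tty1
tty2
tty3
tty4
tty5
tty6
```

A terminal window opened under X at the local desktop also sits on a pts/N device, so with this list sudo works from the text consoles (Ctrl+Alt+F1 and so on) but not from a GUI terminal; run `tty` from each kind of login before relying on it.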
 
Old 08-20-2008, 01:46 PM
"Brian McKee"
 
Default ssh and tty and sudoers file.

On Wed, Aug 20, 2008 at 1:38 AM, Knapp <magick.crow@gmail.com> wrote:
> On Wed, Aug 20, 2008 at 1:56 AM, Brian McKee <brian.mckee@gmail.com> wrote:
>> On Tue, Aug 19, 2008 at 4:04 PM, Knapp <magick.crow@gmail.com> wrote:
>> > Thus, when I am at home with my computer I want to use sudo but when I
>> > am at
>> > work I really don't need it or does anyone else that might hack into my
>> > my
>> > computer from a remote place thus blocking all people that are not at my
>> > keyboard is a good idea.
>> blocking the users in the sudo group from using the ssh server does
>> not fufill your needs? That restricts sudo to the console which I
>> thought was the goal. Or are you trying to make it 'location aware?'
>> e.g. you can only sudo when your computer is on a certain network?
> I like your suggestion and it would work but it would mean that I would need
> 2 accounts as would all the other people that might need to use sudo.

The light dawned on me last night eventually. You want the same
people to be able to sudo at the console, ssh in, but not sudo when
using ssh! Doing it my way as you point out they need two user
accounts and part of the advantage of sudo is negated.
I don't have a solution for that :-(

Brian
