For security reasons I have disabled the root login for ssh access. I would like to create individual user accounts and allow the users to ssh with their account and then su to root so that I can track who was logged in at what time. I want the users to change their password when they first log in through ssh. How do I allow the user to change the password? Please advise.
Plus if your users have root privileges, they will be able to edit sshd_config to re-allow direct access via the root account. So this defeats the purpose of forcing an su.
A better solution would be to allow execution of specific commands with sudo and keep root access for yourself.
I second the sudo motion. Much more sensible. And no, I don't
mean a passwordless sudo for ANY command like is common in some
currently very popular distro (/me coughs).
Using sudo will log each command run as root, not just log when a person logs into ssh. It is difficult to configure sudoers so that all back doors are plugged, preventing something like "sudo su -". For example, if the user is allowed to edit config files, then they will need to run a program like vim. Vim has a shell escape unless you start it as rvim, which would prevent the shell escape. A lot depends on how well you can trust the other users. Also, you can control who can use sudo by only allowing members of the "wheel" group to use it. This would allow regular users to access their accounts via ssh.
Not allowing root ssh logins is a common security measure. I'd recommend doing it simply for the internet security benefit alone. If you only have a handful of users with ssh access, I'd also recommend using "Allow Users" in the /etc/ssh/sshd_config to restrict logins from those users. Also enforce good passwords on your host.
This will eliminate logins to system users that script kiddies try. Also, don't add common user names to the "allow users" list, such as bob or mike or the most common "God".
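The sshd_config advice in the posts above (root login disabled, logins restricted with AllowUsers, no easily guessed names on that list) can be checked with a small audit script. This is an added example, not part of the original thread; the function names and the sample config are constructed for illustration, and only the global section before any Match block is examined.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config (before any Match block).
# Assumes whitespace-separated "Keyword value" lines. sshd keywords are
# case-insensitive, the first value of a keyword wins, AllowUsers lines accumulate.

first_value() {   # first_value FILE KEYWORD -> lower-cased first global value
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

allowed_users() { # allowed_users FILE -> one AllowUsers pattern per line
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

weak_names() {    # names the thread warns about; sample list, extend as needed
    allowed_users "$1" | sed 's/@.*//' | grep -i -E '^(bob|mike|god)$' || true
}

audit_sshd() {    # prints one FINDING line per problem
    root=$(first_value "$1" PermitRootLogin)
    [ "$root" = "no" ] || echo "FINDING: PermitRootLogin is '${root:-unset}', expected 'no'"
    [ -n "$(allowed_users "$1")" ] || echo "FINDING: no AllowUsers line restricts logins"
    for name in $(weak_names "$1"); do
        echo "FINDING: AllowUsers contains easily guessed name '$name'"
    done
}

write_sample() {  # constructed sshd_config, not taken from the thread
    cat > "$1" <<'EOF'
# constructed sample
Port 22
permitrootlogin no
PermitRootLogin yes
AllowUsers jdoe41 mike
AllowUsers kbrandt7@192.0.2.*
Match User backup
    PermitRootLogin yes
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd "$sample"
rm -f "$sample"
```

On a real host, point `audit_sshd` at a copy of `/etc/ssh/sshd_config`; settings inside Match blocks still need a manual review.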
I am sorry, my mistake; I couldn't convey my issue correctly. By default I have root login for ssh access; I have disabled it in /etc/ssh/sshd_config. I have created individual accounts for the users with a default password. I want the users to change the password when they ssh for the first time, and how do I give permission for a user to have ssh access? Kindly advise.
Technically, the "password" program is a suid program. However, it checks the real UID of the user to determine whether it is OK to change other users' passwords. It is an suid program because altering /etc/passwd requires root permissions.
@ jschiwal: I'm not sure if that was destined to me. By "access to the root account" I meant being able to log in as root. I did not consider suid binaries owned by root to be "access to the root account".