how to secure ssh
hi,
1. I don't want to disable direct root login from the ssh client, that means only users can connect via ssh and su to root.
2. I want to disable some users from issuing a "su" command, so that even if they are logged into the system, they can't log in as root.

Please tell me how exactly I can achieve this. Thanks
1) Look at the configuration file for sshd; there's an option for disallowing root logins. Also disable ssh1 as it's insecure, and use encryption only, no plain text (which is why you want ssh1 gone).
2) All users that are allowed to use "su" have to be a member of group "wheel" (at least on most distros).
1. Huh? I think you're talking about setting PermitRootLogin no in /etc/ssh/sshd_config. It's pretty difficult to tell from your wording what you mean.
2. You can remove execution permissions from the /usr/bin/su command, i.e.

# chmod o-rx /usr/bin/su

For the users who are allowed to execute su, you can add them to whatever group has ownership of the su command and make sure that it's readable and executable by the group.
Like all things in Linux, there are several ways to accomplish the same goal.

This is just another alternative and it's one I happen to like. In some distros the ssh / wheel group does not perform as expected due to PAM changes. This will ensure that no matter what, you'll get what you want, which is to only allow people in a certain group to su. Even people with the correct root password can not su to root unless they are in your new special group. I think this is what you are looking for, yes?

Create the "root_members" group:

groupadd root_members

Add user accounts to the "root_members" group (-a appends, so the user keeps their other supplementary groups). E.g.:

usermod -a -G root_members $user_account

The /etc/pam.d/su file should read like:

auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_stack.so service=root-members
auth required /lib/security/pam_deny.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

The /etc/pam.d/root-members file, which is referenced in /etc/pam.d/su, should read like:

auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root

The /etc/membergroups/root file, which is referenced in /etc/pam.d/root-members, should have only one entry. Note that you first have to create the directory /etc/membergroups. You can also put the file into another directory. You just need to change the path in /etc/pam.d/root-members.

root

Now you can test and check if only people in the "root_members" group can su to root.

-b
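An added audit script, not from the thread, that checks the two controls the replies discuss: the effective PermitRootLogin value in an sshd_config, and whether a PAM su stack restricts su to a group through a required pam_wheel.so line as in the first and last replies. The function names and the sample config files it writes are constructed for the example; the pam_stack indirection in the last reply is not followed, so for that layout pass /etc/pam.d/root-members rather than /etc/pam.d/su.

```shell
#!/bin/sh
# Added audit helper (constructed example, not from the thread). File paths
# are arguments so it can run against the sample files written below; on a
# live box pass /etc/ssh/sshd_config and /etc/pam.d/su.

permit_root_login() {
  # sshd honours the FIRST occurrence of a keyword, so a later
  # "PermitRootLogin no" does not undo an earlier "yes". Values inside
  # Match blocks are conditional, so scanning stops at the first Match.
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

su_group_restriction() {
  # Prints the group a required/requisite pam_wheel.so auth line enforces
  # (pam_wheel defaults to "wheel"), or "none" if su is not group-restricted
  # in this file. A pam_wheel line carrying the "trust" option grants access
  # rather than restricting it, so it is not counted.
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so$/ {
      grp = "wheel"; trust = 0
      for (i = 4; i <= NF; i++) {
        if ($i ~ /^group=/) grp = substr($i, 7)
        if ($i == "trust") trust = 1
      }
      if (!trust) { print grp; found = 1; exit }
    }
    END { if (!found) print "none" }
  ' "$1"
}

# Constructed sample files (not real system configs). The sshd sample has a
# "no" after a "yes" to show that the first value is the one that counts.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SSHD="$SAMPLE_DIR/sshd_config"
SAMPLE_SU="$SAMPLE_DIR/su"
printf '%s\n' '# sample sshd_config' 'Protocol 2' 'PermitRootLogin yes' 'PermitRootLogin no' > "$SAMPLE_SSHD"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth required pam_wheel.so use_uid group=root_members' 'auth include system-auth' > "$SAMPLE_SU"

printf 'PermitRootLogin (effective): %s\n' "$(permit_root_login "$SAMPLE_SSHD")"
printf 'su restricted to group: %s\n' "$(su_group_restriction "$SAMPLE_SU")"
```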