LinuxQuestions.org

Linux - Security: how to secure ssh (https://www.linuxquestions.org/questions/linux-security-4/how-to-secure-ssh-250869/)

chongluo 11-03-2004 10:13 PM

how to secure ssh
 
hi,

1. I don't want to disable direct root login from the ssh client; that means only users can connect via ssh, and su to root
2. I want to prevent some users from issuing a "su" command, so that even if they are logged into the system, they can't log in as root

please tell me how exactly I can achieve this

thanks

SciYro 11-03-2004 11:13 PM

1) look at the configuration file for sshd, there's an option for disallowing root logins, also disable ssh1 as it's insecure, and also use encryption only, no plain text (which is why you want ssh1 gone)

2) all users that are allowed to use "su" have to be a member of group "wheel" (at least on most distros)

chort 11-03-2004 11:28 PM

1. Huh? I think you're talking about setting PermitRootLogin no in /etc/ssh/sshd_config. It's pretty difficult to tell from your wording what you mean.

2. You can remove execution permissions from the /usr/bin/su command, i.e.
# chmod o-rx /usr/bin/su

For the users who are allowed to execute su, you can add them to whatever group has ownership of the su command and make sure that it's readable and executable by the group.
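The two settings named in this post can be checked mechanically. The script below is an added example, not code from the thread: it parses an sshd_config the way sshd does (first value wins, keywords are case-insensitive, `#` starts a comment) and reports whether `PermitRootLogin` is `no` and whether SSH protocol 1 is still offered. Both sample configs are constructed in a temp directory; `Match` blocks are ignored, which is an assumption that holds for the flat configs of the era this thread discusses (current OpenSSH speaks only protocol 2, so the `Protocol` check is relevant to older releases).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the
# PermitRootLogin and Protocol settings. Sample configs are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a permissive config of the kind the thread wants fixed.
cat > "$WORK/weak_sshd_config" <<'EOF'
# constructed sample config
Port 22
Protocol 2,1
PermitRootLogin yes
#PermitRootLogin no   <- commented out, must not count
PasswordAuthentication yes
EOF

# Constructed sample: the hardened counterpart (mixed case on purpose).
cat > "$WORK/hard_sshd_config" <<'EOF'
Port 22
Protocol 2
permitrootlogin no
PasswordAuthentication yes
EOF

# Print the effective value of one keyword. sshd uses the FIRST value it
# reads for a keyword, matches keywords case-insensitively, and treats
# everything after '#' as a comment. Assumption: no Match blocks.
sshd_option() {   # sshd_option CONFIG KEYWORD
    sed 's/#.*$//' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) && !done { print $2; done = 1 }'
}

# Return 0 when root logins are off and protocol 1 is not offered;
# otherwise print each finding and return 1.
audit_sshd_config() {   # audit_sshd_config CONFIG
    _cfg="$1"; _rc=0
    _prl="$(sshd_option "$_cfg" PermitRootLogin)"
    case "$_prl" in
        no) ;;
        "") echo "PermitRootLogin not set (compiled-in default applies)"; _rc=1 ;;
        *)  echo "PermitRootLogin is '$_prl', expected 'no'"; _rc=1 ;;
    esac
    _proto="$(sshd_option "$_cfg" Protocol)"
    case "$_proto" in
        2) ;;
        "")  echo "Protocol not set (old releases default to 2,1)"; _rc=1 ;;
        *1*) echo "Protocol '$_proto' still offers SSH1"; _rc=1 ;;
        *)   echo "Protocol '$_proto' is unexpected"; _rc=1 ;;
    esac
    return $_rc
}

audit_sshd_config "$WORK/weak_sshd_config" || echo "weak config: findings above"
audit_sshd_config "$WORK/hard_sshd_config" && echo "hardened config: OK"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions; remember that sshd only picks up the change after `sshd -t` passes and the daemon is reloaded.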

bignerd 11-04-2004 07:16 AM

Like all things in Linux there are several ways to accomplish the same goal.

This is just another alternative and it's one I happen to like. In some distros the ssh / wheel group does not perform as expected due to pam changes. This will ensure that no matter what you'll get what you want, which is to allow only people in a certain group to su. Even people with the correct root password cannot su to root unless they are in your new special group. I think this is what you are looking for, yes?

Create the "root_members" group:
groupadd root_members

Add user accounts to the "root_members" group. E.g.:
usermod -G root_members $user_account


The /etc/pam.d/su file should read like:
auth sufficient /lib/security/pam_rootok.so

auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_stack.so service=root-members
auth required /lib/security/pam_deny.so

account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so


The /etc/pam.d/root-members file, which is referenced in /etc/pam.d/su, should read like:
auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root


The /etc/membergroups/root file, which is referenced in /etc/pam.d/root-members, should have only one entry. Note that you first have to create the directory /etc/membergroups. You can also put the file into another directory. You just need to change the path in /etc/pam.d/root-members.

root


Now you can test and check if only people in the "root_members" group can su to root.

-b
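A typo in any of the three files above can lock everyone out of su (the `onerr=fail` on pam_listfile denies when the list file is unreadable), so it is worth checking the layout for consistency before testing it live. The script below is an added example, not part of the post: it builds a fake root under a temp directory with constructed `/etc/group`, `/etc/pam.d/su`, `/etc/pam.d/root-members` and `/etc/membergroups/root` files, verifies that su references the root-members service, that the group pam_wheel names exists, and that the list file holds exactly `root`, and predicts from `/etc/group` which users pass the pam_wheel check. Assumptions: only supplementary groups from `/etc/group` are consulted (a primary group from `/etc/passwd` is not), and `pam_stack.so` is the legacy Red Hat module, which modern PAM replaces with an `include` line.

```shell
#!/bin/sh
# Added example, not from the thread: consistency check for the su/PAM
# layout, run against a constructed fake root instead of the live /etc.

FAKE="$(mktemp -d)"
trap 'rm -rf "$FAKE"' EXIT
mkdir -p "$FAKE/etc/pam.d" "$FAKE/etc/membergroups"

# Constructed /etc/group: alice and carol are in root_members, bob is not.
cat > "$FAKE/etc/group" <<'EOF'
root:x:0:
wheel:x:10:alice
root_members:x:1001:alice,carol
EOF

# Constructed /etc/pam.d/su, matching the layout in the post above.
cat > "$FAKE/etc/pam.d/su" <<'EOF'
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_stack.so service=root-members
auth required /lib/security/pam_deny.so
account required /lib/security/pam_stack.so service=system-auth
EOF

cat > "$FAKE/etc/pam.d/root-members" <<'EOF'
auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root
EOF

printf 'root\n' > "$FAKE/etc/membergroups/root"

# Is USER listed as a member of GROUP in the given group file?
in_group() {   # in_group GROUPFILE USER GROUP
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the value of a key=value option on a PAM line.
pam_opt() {   # pam_opt LINE KEY
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Check the whole layout under ROOT; print findings and return 1 on any.
check_su_layout() {   # check_su_layout ROOT
    _r="$1"; _rc=0
    # 1. su must hand off to the root-members service.
    grep -q 'pam_stack.so service=root-members' "$_r/etc/pam.d/su" \
        || { echo "su: root-members service not referenced"; _rc=1; }
    # 2. The group pam_wheel checks must exist.
    _grp="$(pam_opt "$(grep pam_wheel.so "$_r/etc/pam.d/root-members")" group)"
    awk -F: -v g="$_grp" '$1 == g { ok = 1 } END { exit ok ? 0 : 1 }' "$_r/etc/group" \
        || { echo "group '$_grp' missing from /etc/group"; _rc=1; }
    # 3. The list file must exist and contain exactly 'root'.
    _file="$(pam_opt "$(grep pam_listfile.so "$_r/etc/pam.d/root-members")" file)"
    if [ ! -f "$_r$_file" ]; then
        echo "list file $_file missing (onerr=fail would deny everyone)"; _rc=1
    elif [ "$(cat "$_r$_file")" != "root" ]; then
        echo "list file $_file should contain only 'root'"; _rc=1
    fi
    return $_rc
}

# Predict whether USER passes pam_wheel: member of the configured group.
may_su_root() {   # may_su_root ROOT USER
    _grp="$(pam_opt "$(grep pam_wheel.so "$1/etc/pam.d/root-members")" group)"
    in_group "$1/etc/group" "$2" "$_grp"
}

check_su_layout "$FAKE" && echo "layout OK"
may_su_root "$FAKE" alice && echo "alice may su to root"
may_su_root "$FAKE" bob || echo "bob may not su to root"
```

When populating the group on a real system, use `usermod -a -G root_members user`; without `-a`, `usermod -G` replaces the user's whole supplementary group list rather than adding to it.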

