LinuxQuestions.org
Old 11-03-2004, 11:13 PM   #1
chongluo
Member
 
Registered: Mar 2004
Location: uk
Distribution: fedora2, slackware10
Posts: 54

Rep: Reputation: 15
how to secure ssh


Hi,

1. I don't want to disable direct root login from the ssh client; that means only users can connect via ssh, and su to root.
2. I want to prevent some users from issuing a "su" command, so that even if they are logged into the system, they can't log in as root.

Please tell me exactly how I can achieve this.

thanks
 
Old 11-04-2004, 12:13 AM   #2
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
1) Look at the configuration file for sshd; there's an option for disallowing root logins. Also disable ssh1 as it's insecure, and also use encryption only, no plain text (which is why you want ssh1 gone).

2) All users that are allowed to use "su" have to be a member of group "wheel" (at least on most distros).
 
Old 11-04-2004, 12:28 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
1. Huh? I think you're talking about setting PermitRootLogin no in /etc/ssh/sshd_config. It's pretty difficult to tell from your wording what you mean.

2. You can remove execution permissions from the /usr/bin/su command, i.e.
# chmod o-rx /usr/bin/su

For the users who are allowed to execute su, you can add them to whatever group has ownership of the su command and make sure that it's readable and executable by the group.
 
Old 11-04-2004, 08:16 AM   #4
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
Like all things in Linux, there are several ways to accomplish the same goal.

This is just another alternative and it's one I happen to like. In some distros the ssh / wheel group does not perform as expected due to PAM changes. This will ensure that no matter what, you'll get what you want, which is to only allow people in a certain group to su. Even people with the correct root password cannot su to root unless they are in your new special group. I think this is what you are looking for, yes?

Create the "root_members" group:
groupadd root_members

Add user accounts to the "root_members" group. E.g.:
usermod -a -G root_members $user_account   # -a appends; plain -G would replace the user's other supplementary groups


The /etc/pam.d/su file should read like:
auth sufficient /lib/security/pam_rootok.so

auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_stack.so service=root-members
auth required /lib/security/pam_deny.so

account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so


The /etc/pam.d/root-members file, which is referenced in /etc/pam.d/su, should read like:
auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root


The /etc/membergroups/root file, which is referenced in /etc/pam.d/root-members, should have only one entry. Note that you first have to create the directory /etc/membergroups. You can also put the file into another directory. You just need to change the path in /etc/pam.d/root-members.

root


Now you can test and check if only people in the "root_members" group can su to root.

-b
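
An added example, not from any poster in this thread: a POSIX shell check of the two settings discussed above, run against copies of the config files. The function names, directory layout and sample file contents are constructed for illustration; it reports the value sshd takes for a keyword (the first active occurrence) and the group named on the active pam_wheel line, following the service= reference used in post #4.

```sh
#!/bin/sh
# Constructed audit helpers for the two settings discussed in this thread.
# Run them on copies of the config files; the sample contents are made up.
# Effective global value of an sshd_config keyword. Per sshd_config(5) the
# first obtained value is used and keywords are case-insensitive; lines after
# the first "Match" are conditional, so the scan stops there.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
  awk -v key="$1" '
    /^[ \t]*(#|$)/              { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$2"
}

# Group named on the first active required/requisite pam_wheel line for su.
# Reads PAM_DIR/su plus any stack it pulls in via "service=NAME" (the
# pam_stack layout from post #4). Prints nothing if there is no such line.
su_wheel_group() {  # usage: su_wheel_group PAM_DIR
  {
    cat "$1/su"
    sed -n 's/^[^#]*service=\([^[:space:]]*\).*/\1/p' "$1/su" | sort -u |
      while read -r svc; do
        if [ -f "$1/$svc" ]; then cat "$1/$svc"; fi
      done
  } | awk '
    $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so$/ {
      g = "wheel"   # pam_wheel checks wheel (or GID 0) when group= is absent
      for (i = 4; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
      print g; exit
    }'
}

# Constructed sample: a commented-out "no", then an active "yes" that wins
# over the later "no"; su delegates to root-members as in post #4.
make_sample() {  # usage: make_sample DIR
  mkdir -p "$1/pam.d"
  printf '%s\n' '#PermitRootLogin no' 'Protocol 2' 'permitrootlogin yes' \
    'PermitRootLogin no' > "$1/sshd_config"
  printf '%s\n' 'auth sufficient /lib/security/pam_rootok.so' \
    'auth sufficient /lib/security/pam_stack.so service=root-members' \
    'auth required /lib/security/pam_deny.so' > "$1/pam.d/su"
  printf '%s\n' '#auth required /lib/security/pam_wheel.so use_uid' \
    'auth required /lib/security/pam_wheel.so use_uid group=root_members' \
    > "$1/pam.d/root-members"
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "PermitRootLogin: $(sshd_effective PermitRootLogin "$tmp/sshd_config")"
echo "su group: $(su_wheel_group "$tmp/pam.d")"; rm -rf "$tmp"
```

An empty result from either function means the setting is not explicitly configured, so the daemon or module default applies.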
 
  

