I don't see anything in the pam_wheel(8) documentation that indicates you can stack tests in that way. You can try setting both lines as sufficient but I do not think that will enforce the requirement correctly.
Might want to just pick a single group for the privilege and keep it that way.
I never thought of it that way. I assumed that each call to pam_wheel.so (or any plugin) was like a function call. You could call it as much as you wanted and it would just return a result.
I tried setting them both to sufficient as you suggested, but as you guessed, it did not work. Everyone can su then.
My original intention is to have only a single user be able to ssh into the box (by editing the sshd_config file and putting their name into the AllowUsers line). This user would be a regular user (among several who have accounts on the machine) who does not have admin privileges. I want this user to be able to su to another account that has sudo privileges. I don't want any other "regular" users to even have an opportunity to try to su for paranoid security reasons. I thought I would use PAM to control this but I may be trying in the wrong place. Another poster here suggested I edit the sudoers file to accomplish this but I couldn't figure out how to deny su privileges to all the other users.
Maybe I am being unnecessarily complicated here? Should I even have this two step process (ssh in as an unprivileged user and then su to an admin)? I'm just worried that one of the other users will have crappy password etiquette and then an unauthorized person could try to su up to admin.
That said... if I limit ssh to a single user (even an admin user) and I am not running any of the LAMP software (only thing running is netatalk, avahi and ssh), maybe I am being unnecessarily paranoid. Maybe I should just focus on making the firewall very tight. Don't know. Any opinions on this would be welcome.
Quote:
Originally Posted by bvz
I never thought of it that way. I assumed that each call to pam_wheel.so (or any plugin) was like a function call. You could call it as much as you wanted and it would just return a result.
The conceptual problem is you need for either group to be required, and stacking the tests means the result can never be true (because it will read as both groups). As you discovered, setting both to sufficient does not get to the desired result either. Unfortunately (AFAIK), the module does not accept a list of groups on a single test.
Quote:
Originally Posted by bvz
My original intention is to have only a single user be able to ssh into the box (by editing the sshd_config file and putting their name into the AllowUsers line).
Good idea.
Quote:
Originally Posted by bvz
Should I even have this two step process (ssh in as an unprivileged user and then su to an admin)? I'm just worried that one of the other users will have crappy password etiquette and then an unauthorized person could try to su up to admin.
IMO, you're better off nipping this problem in the bud by enforcing strong passwords system wide. The pam_passwdqc module is great for that.
A regular user trying to guess root's passphrase of - "Tim:: went to the market and the monkey stabbed him" - is going to have a difficult time. And you're going to see the failed attempts in the logs. (If you're not watching log reports, now is the time to start doing so.)
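As an added illustration of the stacking behaviour discussed in this thread (not configuration from either poster), the excerpt below shows the two-group form that fails beside the single-group form, plus the AllowUsers and pam_passwdqc lines mentioned above. The group name sshadmins, the user name alice and the distro-specific include line are assumptions.

```conf
# /etc/pam.d/su (excerpt) -- added example; group name is assumed

# Stacked like this, both pam_wheel lines run and both must pass, so a user
# who is in only one of the two groups is always refused:
#   auth  required  pam_wheel.so use_uid group=sshadmins
#   auth  required  pam_wheel.so use_uid group=localadmins
#
# Marking both "sufficient" has the opposite effect: a failing sufficient
# module is simply skipped, so the stack falls through to the password
# check and any user who knows the target password can su.

# Single group for the privilege: non-members never reach the password prompt.
auth  required  pam_wheel.so use_uid group=sshadmins
auth  include   system-auth          # Fedora/RHEL style; Debian uses @include common-auth

# /etc/ssh/sshd_config (excerpt) -- only this login name may authenticate over ssh
AllowUsers alice

# /etc/pam.d/passwd (excerpt) -- enforce strong passwords for everyone at change time
password  requisite  pam_passwdqc.so enforce=everyone retry=3
password  include    system-auth
```

Failed su attempts from non-members are logged by pam_wheel, which is the activity the log reports mentioned above would surface.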
Thanks for the reply. Everything you said makes sense. I'll skip trying to limit su and make sure that everyone has a decent password like you suggest (using pam_passwdqc). I'm new to setting up a server, and even though this is just a small one with limited "value" regarding the data on it, I am pretty paranoid.
My intention is to lock it down to the absolute minimum amount of accessibility outside my local network. So a single user will be allowed to ssh (on a non-standard port), a different user will be allowed to ftp (via vsftpd and a virtual user account) and everyone else is allowed access only via the netatalk module from the local network (enforced via iptables). I also plan on installing port-knocking software (even though that is security via obscurity, the added obscurity can only help, right?)