Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 11-03-2004, 10:13 PM   #1
Registered: Mar 2004
Location: uk
Distribution: fedora2, slackware10
Posts: 54

Rep: Reputation: 15
how to secure ssh


1. I don't want to disable direct root login from ssh client, that means only users can connect via ssh, and su to root
2. I want to disable some users to issue a "su" command, so that even they are log into the system, they cann't get to log in as root

please tell how exactly I can achieve this

Old 11-03-2004, 11:13 PM   #2
Senior Member
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
1) look at the configuration file for sshd , theres a option for disallowing root logins, also disable ssh1 as its insecure, and also use encryption only, no plain text (thus why ssh1 you want gone)

2) all users that are allowed to use "su" they have to be a member of group "wheel" (at least on most distros)
Old 11-03-2004, 11:28 PM   #3
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
1. Huh? I think you're talking about setting PermitRootLogin no in /etc/ssh/sshd_config. It's pretty difficult to tell from your wording what you mean.

2. You can remove execution permissions from the /usr/bin/su command, i.e.
# chmod o-rx /usr/bin/su

For the users who are allowed to execute su, you can add them to whatever group has ownership of the su command and make sure that it's readable and executable by the group.
Old 11-04-2004, 07:16 AM   #4
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
like all things in linux there are several ways to accomplish the same goal.

This is just another alternative and it's one I happen to like. In some distro's the ssh / wheel group does not perform as expected due to pam changes. This will ensure that no matter what you'll get what you want which is only allow people in a certain group to su. Even people with the correct root password can not su to root unless they are in your new special group. I think this is what you are looking for yes?

Create the "root_members" group:
groupadd root_members

Add user accounts to the "root_members" group. E.g.:
usermod -G root_members $user_account

The /etc/pam.d/su file should read like:
auth sufficient /lib/security/

auth required /lib/security/ service=system-auth
auth sufficient /lib/security/ service=root-members
auth required /lib/security/

account required /lib/security/ service=system-auth
password required /lib/security/ service=system-auth
session required /lib/security/ service=system-auth
session optional /lib/security/

The /etc/pam.d/root-members file, which is referenced in /etc/pam.d/su, should read like:
auth required /lib/security/ use_uid group=root_members
auth required /lib/security/ item=user sense=allow onerr=fail file=/etc/membergroups/root

The /etc/membergroups/root file, which is referenced in /etc/pam.d/root-members, should have only one entry. Note that you first have to create the directory /etc/membergroups. You can also put the file into another directory. You just need to change the path in /etc/pam.d/root-members.


Now you can test and check if only people in the "root_members" group can su to root.



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
How Secure is SSH? AvatarofVirgo Linux - Security 8 08-14-2011 12:37 PM
secure connection without SSH Mr. DM Linux - General 3 05-17-2005 04:53 AM
Secure x-forwarding over SSH postrational Linux - Networking 1 02-01-2005 11:04 AM
How can I test if my SSH is secure nutthick Linux - Security 2 12-15-2004 10:59 AM
unattended, *secure* ssh backups offline Linux - Security 1 10-10-2004 09:32 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:47 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration