On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote: > On 04.08.20 10:59, to...@tuxteam.de wrote: > > On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote: > > > Is it possible (how?) to restrict a user to only be allowed to make > > > use of its sudo usage permission if working at the physical console, > > > > See pam_securetty(8) for that. Sorry I can't give you some step-by-step > > account. > > > > > not granting to this user sudo permission when i.e. logged in via > > > ssh? > > > > Now you have to decide: You want to *only allow root login on console* > > or to *disallow root login for ssh*? > > > > For the first, PAM is the right tool. The second should be default on > > most modern Linux distros (yell at them if it ain't ;-) and is governed > > by the sshd configuration, typically in /etc/ssh/sshd_config and > > documented in sshd_config(5). > > > > Cheers > > - t > > > > Sorry, I will not have been clear enough, or did not understand your answer > clearly, ssh and pam are both new to me, and I also never configured sudo > myself. > As my root account is disabled, I do all administration as the "normal" user > with the help of sudo for running administrative commands. The user "root" > shall not login nowhere, not at the physical console and not by ssh, never. > Only the "normal" user should be allowed to log in to the system. The > "normal" user then of course needs to keep the right to use "sudo" if > working at the physical console (being logged in at a console (CTRL+ALT+F2), > or logged in via sddm or gdm, or having opened a terminal within the X11 or > Wayland session, etc.), but for security the access for this "normal" user > to "sudo" privileges shall not be granted if this user would work at the > system from remote, for instance logged in via ssh. > I could imagine that it is possible to kind of generally block all sudo (and > also su) functionality in the system for everybody as soon as any remote > (incoming) login to ssh is detected, and automatically allowing sudo > functionality again if no more incoming ssh to the computer exists: > if remote (incoming) connection established, then disable sudo and su > if no remote (incoming) connection established, then switch on sudo and su > If such security mechanism could be done in a reliable way to only effect > the incoming connection, while a parallel local (physically sitting at the > computer) user could continue to work with sudo, then this would be fine, > but assuming that this might be much more difficult to configure, especially > if remote login and physical login could be the same user (same user ID), I > am open to the drastic but simple version as described above. >
Have you considered to have one account allowed to ssh in and one account allowed to sudo? You say you are the only user. That seems like an simple solution. -H -- Henning Follmann | hfollm...@itcfollmann.com