Hi.

On Tue, Aug 04, 2020 at 04:20:58PM -0400, Dan Ritter wrote:
> Reco wrote:
> > On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Müller wrote:
> > > Is it possible (how?) to restrict a user to only be allowed to make use
> > > of its sudo usage permission if working at the physical console, not
> > > granting to this user sudo permission when i.e. logged in via ssh? To
> > > keep it simple, I could imagine to even have all sudo for all users
> > > deactivated automatically as soon as a remote connection by ANY user
> > > is detected.
> >
> > Yes. It's an unusual (some may say - dangerous) thing that you're
> > asking, so prepare for the unusual side effects.
> >
> > --- a/etc/pam.d/sudo 2020-08-04 18:40:26.528699633 +0000
> > +++ b/etc/pam.d/sudo 2020-08-04 18:40:26.296579395 +0000
> > @@ -1,5 +1,6 @@
> > #%PAM-1.0
> >
> > @include common-auth
> > +auth required pam_succeed_if.so tty =~ /dev/tty*
> > @include common-account
> > @include common-session-noninteractive
> >
> >
> > I'm assuming that by "physical console" you mean that lovely
> > conventional virtual terminal kernel facility (i.e. those funny letters
> > that appear on your screen when you press Ctrl+Alt+F2). Be warned that
> > in the current form it *will* break sudo for anyone, root included, for
> > any process whose "tty" attribute does not match /dev/tty*, be it ssh,
> > screen, tmux, and (possibly) X/Wayland sessions.
> >
> > Worked for me in the case of real servers, just in case.
>
> It should also match for serial connections, including modem users,
> should you have any of such.

And USB serial terminals.
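Review bot: the `=~` operator of pam_succeed_if is a shell-style glob match, not a regular expression, so `tty =~ /dev/tty*` in the added `auth required` line also admits serial (`/dev/ttyS*`) and USB serial (`/dev/ttyUSB*`) sessions, as the discussion already notes; if only the virtual consoles are meant, `tty =~ /dev/tty[0-9]*` narrows it to those. Because the line is `required` and sits after `@include common-auth`, a non-console user is still prompted for a password before the deferred failure is reported; an `auth requisite pam_succeed_if.so ...` line placed before `@include common-auth` refuses such sessions without the prompt, which also leaves a clearer trace in the auth log.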
I consider it a feature, not a deficiency. It cannot be called a server unless it features an RS-232-based console connection, typically assigned to ttyS0, and locking myself out of it is not something that I'd do. But, as they say, patches are welcome.

Reco
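To see which kinds of sessions the `tty =~ /dev/tty*` rule would let through before touching /etc/pam.d/sudo, the following added example (not from the thread or from the pam_succeed_if sources) approximates the module's glob comparison with Python's fnmatch over a constructed table of tty values. It assumes sudo hands the full device path (e.g. /dev/pts/0) to PAM as the tty item and that a session with no controlling terminal compares as an empty string; both assumptions are labelled in the code.

```python
import fnmatch
from typing import Dict, Optional

# Constructed sample sessions: description -> value sudo would pass to PAM as PAM_TTY.
# These are illustrative values, not captured from a real host.
SAMPLE_SESSIONS: Dict[str, Optional[str]] = {
    "virtual console (Ctrl+Alt+F2)": "/dev/tty2",
    "ssh login": "/dev/pts/0",
    "tmux pane inside an ssh session": "/dev/pts/3",
    "RS-232 serial console": "/dev/ttyS0",
    "USB serial adapter": "/dev/ttyUSB0",
    "cron job running sudo -n": None,  # no controlling terminal at all
}


def tty_matches(tty: Optional[str], pattern: str = "/dev/tty*") -> bool:
    """Approximate pam_succeed_if's 'tty =~ <glob>' test.

    The module compares the PAM_TTY item against a shell-style glob, so a
    '*' pattern is not a regular expression. A missing tty is treated here
    as the empty string (assumption), which never matches a /dev/... glob,
    so tty-less processes are refused by the rule.
    """
    return fnmatch.fnmatchcase(tty or "", pattern)


def evaluate_sessions(sessions: Dict[str, Optional[str]],
                      pattern: str = "/dev/tty*") -> Dict[str, bool]:
    """Return, per session description, whether the auth rule would pass."""
    return {name: tty_matches(tty, pattern) for name, tty in sessions.items()}


if __name__ == "__main__":
    for rule in ("/dev/tty*", "/dev/tty[0-9]*"):
        print(f"rule: tty =~ {rule}")
        for name, allowed in evaluate_sessions(SAMPLE_SESSIONS, rule).items():
            print(f"  {name:34} sudo auth {'passes' if allowed else 'is refused'}")
```

Running it shows the trade-off discussed above: `/dev/tty*` blocks ssh, tmux and tty-less jobs but still passes serial and USB serial logins, while the narrower `/dev/tty[0-9]*` pattern keeps only the kernel virtual consoles.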