On 7/14/22 8:48 AM, Neil Bothwick wrote:
Is this user only used as a gateway to root access, or can you set up such a user? If so you could use key-based authentication for that user, with a passphrase, and add command="/bin/su --login" to the authorized_keys line. That way you still need three pieces of information,
Be mindful that despite the fact that this protects things on the surface, it is / can be a way to boot strap changing this.
After all, nothing about this forced command prevents the user from using the acquired root access to modify the ~/.ssh/authorized_keys file enforcing the command.
This is one of the pitfalls that I alluded to in my earlier reply about security vs automation. Quite simply, this is NOT security as it's trivial to use the access (su -) to gain more access (edit the ~/.ssh/authorized_keys file).
replacing the user's password with the user's key passphrase.
This is another slippery slope. SSH key pass phrases can be brute forced in an offline fashion. Conversely, system passwords are more of an online attack. Assuming that standard system protections are in place for /etc/shadow*. -- It's easier to get a copy of someone's private SSH key file, especially if they are somewhat lax about it's security believing that the passphrase will protect it.
-- Grant. . . . unix || die
