To prevent direct root login, you specify PermitRootLogin no in the /etc/ssh/sshd_config file. It will have no effect other than trying to come in as root via SSH.
If you're talking about joe doing an actual "su sam" command, and not "sudo su sam", the answer is easy. Have sam give joe his password, and don't give him the root password.

If you're talking about "sudo su sam" then you can make that an explicit command they're allowed in /etc/sudoers. Not that I recommend that. If there are things joe needs to be able to do as sam, you can set up /etc/sudoers to allow those commands to be "runas" sam when issued by joe.

Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] Behalf Of James Melin
Sent: Thursday, December 07, 2006 5:02 PM
To: [email protected]
Subject: Root, SSH and Console login

Hello List!

I've been wondering how one might prevent SSH logon to root, and still have the ability to logon at the console logon presented to the VM guest ID. We've implemented sudo quite effectively, but we're not sure how to lock down direct SSH root logon and if it would actually have any impact against console logon which we would want to keep in case of epic disaster.

Also, is there a way to allow user 'joe' to su to user 'sam' but NOT allow him to su to root, thus bypassing sudo? So far all I've come up with on restricting su is an all or only root approach.

Any insight appreciated. Thanks!

-J
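Added example, not part of the original thread: a sudoers fragment for the "runas" arrangement described in the reply, shown beside the "sudo su sam" rule it is contrasted with. The file name, the two command paths and the location of su are assumptions chosen for illustration.

```sudoers
# /etc/sudoers.d/joe-as-sam   (hypothetical file name)
# Edit with: visudo -f /etc/sudoers.d/joe-as-sam
# Check with: visudo -c

# Commands joe needs to run as sam. Both paths are hypothetical.
# List full paths, and keep these files writable only by root:
# if joe can modify one of them, he can run anything as sam.
Cmnd_Alias SAM_TASKS = /usr/local/bin/rotate-reports, \
                       /usr/local/bin/sam-backup

# joe may run only SAM_TASKS, and only as sam.
# There is no (root) entry, so this rule gives joe nothing as root.
joe ALL = (sam) SAM_TASKS

# For contrast, the explicit "sudo su sam" rule mentioned in the reply.
# It hands joe a full shell as sam instead of a fixed command list,
# so it is left commented out. The path to su is an assumption.
# joe ALL = (root) /bin/su sam
```

With this in place joe runs a task as `sudo -u sam /usr/local/bin/rotate-reports`, and `sudo -l` run as joe lists exactly what the rule permits.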
