Re: How to restrict normal ssh user to become root ?
On Fri 13 Apr 2012 at 10:45:18 +0530, J. Bakshi wrote: > Many many thanks. Based on your clue I get this link > > http://mindref.blogspot.in/2010/04/protect-su-with-pamwheel.html > > This is exactly what I have been looking for long. Your users A and B are given the root password. Users X and Y are not so they can only acquire it through A or B. If A is slack in looking after the root password there is no reason to believe she would be any more careful in guarding the password for her own account. X can now add himself to the wheel group, Y is actually well ahead of you. She knew about pam_wheel and has set it up to su without a password. She has also devised a way of hiding what she has done from you. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120413111856.GU16316@desktop
Re: How to restrict normal ssh user to become root ?
On Thu, 12 Apr 2012 14:38:30 +0200 Armin Haas wrote: > For su, maybe using pam_wheel.so in /etc/pam.d/su is what you are > looking for. > > sudo has its own conf file(s) (/etc/sudoers and all files in > /etc/sudoers.d/) in addition to /etc/pam.d/sudo > > Consider the possibility that the users you don't trust and who know the > root password already installed a backdoor on your box. > > Cheers > > Armin Many many thanks. Based on your clue I get this link http://mindref.blogspot.in/2010/04/protect-su-with-pamwheel.html This is exactly what I have been looking for long. Once again Thanks -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120413104518.542da...@shiva.selfip.org
Re: How to restrict normal ssh user to become root ?
For su, maybe using pam_wheel.so in /etc/pam.d/su is what you are looking for. sudo has its own conf file(s) (/etc/sudoers and all files in /etc/sudoers.d/) in addition to /etc/pam.d/sudo Consider the possibility that the users you don't trust and who know the root password already installed a backdoor on your box. Cheers Armin signature.asc Description: Digital signature
Re: How to restrict normal ssh user to become root ?
On Jo, 12 apr 12, 11:22:04, J. Bakshi wrote: > Hello list, > > How can I prevent general ssh users not to have su or sudo power ? > Just they know the root password by any chance > In the remote box remote root login is disable and one can only > login as normal user and then need to do su to get root access. Only few > users know root password. How can I prevent the other login to use su / sudo > even they know root password by any means ? Disable the root password completely and use only 'sudo'. Kind regards, Andrei -- Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic signature.asc Description: Digital signature
Re: How to restrict normal ssh user to become root ?
On Thu 12 Apr 2012 at 11:22:04 +0530, J. Bakshi wrote: > How can I prevent general ssh users not to have su or sudo power ? > Just they know the root password by any chance > In the remote box remote root login is disable and one can only > login as normal user and then need to do su to get root access. Only few > users know root password. How can I prevent the other login to use su / sudo > even they know root password by any means ? You are attempting to solve a social problem using technical means. This will fail. If you do not trust the users who have the root password they should not be in possession of it. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120412090642.GQ16316@desktop
How to restrict normal ssh user to become root ?
Hello list, How can I prevent general ssh users not to have su or sudo power ? Just they know the root password by any chance In the remote box remote root login is disable and one can only login as normal user and then need to do su to get root access. Only few users know root password. How can I prevent the other login to use su / sudo even they know root password by any means ? Thanks -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120412112204.0f54a...@shiva.selfip.org