--- Greg Wooledge <[EMAIL PROTECTED]> wrote:

> On Sun, Aug 27, 2006 at 07:28:06AM -0400, Jaqui Greenlees wrote:
> > In a recent discussion about secure ssh use the idea of having ssh
> > export the authentication method as a shell variable. The idea being
> > to limit su access to only those who have used a public / private
> > key pair for authentication.
>
> What prevents the black-hat cracker from simply setting that
> environment variable after getting in using a password?

The fact that access to su is granted by authentication to start the bash session, not when su is invoked. The shell variable is only invoked by the shell during the session start process to limit or allow the access.

> Although it would be more work, you might consider developing a system
> that grants group membership (e.g. in the "wheel" group) after
> appropriate authentication. Then restrict "su" to those who are in
> that group.

In effect, I'm wanting to do exactly this, by using the authentication method for the ssh tunnel to determine the group membership. Only those using the key pair get the access to admin tools.

This limits remote admin to those you have set up the key pair access for on the system, yet doesn't stop use of the other authentication methods for remote access, only limits their access to the system admin tools.

This type of functionality would benefit large networks or web hosting companies that do allow ssh access to account holders, yet not interfere with the remote access for administration staff tasks. A trusted and non trusted account holder status. (trusted are the staff, non trusted are the clients)
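As an added example, not taken from the thread, here is one way to get the trusted/non-trusted split Greg describes without trusting a shell variable: a static group whose members sshd only admits with a key, plus pam_wheel restricting su to that group. The group name `staff` and the `system-auth` include are assumptions; adjust them to the distribution in use.

```conf
# /etc/ssh/sshd_config (excerpt, constructed example)
# Account holders keep password logins; members of 'staff' are forced to
# present a key, so membership in 'staff' implies key authentication.
PasswordAuthentication yes
PubkeyAuthentication yes

Match Group staff
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AuthenticationMethods publickey

# /etc/pam.d/su (excerpt, constructed example)
# Only members of 'staff' reach su at all. The decision is made by PAM
# from group membership, so nothing a user exports in the shell changes it.
auth    required    pam_wheel.so use_uid group=staff
auth    include     system-auth
```

Staff who need a password fallback for console use are unaffected, since the `Match` block only applies to sshd sessions.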
