Re: avoid su in ssh sessions
From: Bill Vermillion (bv_at_wjv.comREMOVE)
Date: 05/28/04
Date: Fri, 28 May 2004 16:05:01 GMT
In article <8dedb010ij1r3q9qli760qckr13kfs8qcd@4ax.com>,
<dpuryear@usa.net> wrote:
>On 27 May 2004 13:47:05 -0700, pablo@crecat.com (pablo hernandez)
>wrote:
>
>>Can I avoid user to use "su" command if they log within an ssh session ?
>>I did not see any related thing in sshd_config.
>Not really. Consider removing world permissions on su, setting group
>ownership to a group such as wheel or su_users, and then putting only
>allowed users in wheel or su_users. Alternatively, quit using su
>entirely, start using sudo, and control user access using sudo rules.
Just a note on the 'wheel' user concept. It's a BSDism and
all it does is keep the user from becoming root >if< he knows the
root password.
The problem with the way the wheel concept is used is that it
looks at the EUID of the invoking user, and that means in
addition to the root password all you need is the password of
a user with wheel permissions.
To be secure wheel should be changed so that the login ID and not
the EUID is used for authorization.
If you get the root password from someone who has wheel access you
can probably get their password too. Getting two passwords isn't
that much harder than getting one.
The su_users is probably more effective or, as you point out, sudo.
Bill
-- Bill Vermillion - bv @ wjv . com
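The file-permission approach from the quoted reply (no world permissions on su, group ownership set to a dedicated group) can be verified with a short audit. This is an added example, not part of the original posts; the script name `audit_su.sh`, the function name `audit_su` and the path `/bin/su` are assumptions, and the group name is whatever group you chose (the thread mentions wheel and su_users).

```shell
#!/bin/sh
# Added example: audit the "group-only su" setup suggested in the quoted reply.
# Usage (path and group are assumptions; adjust to your system):
#   sh audit_su.sh /bin/su su_users

# audit_su PATH GROUP
# Prints findings; returns 0 if only GROUP members (and the owner) can run
# PATH, 1 if the restriction is incomplete, 2 if PATH cannot be inspected.
audit_su() {
    path=$1
    want_group=$2
    if [ ! -f "$path" ] || [ -h "$path" ]; then
        echo "SKIP: $path is missing, a symlink, or not a regular file"
        return 2
    fi
    # POSIX 'ls -ld' output: mode, links, owner, group, ...
    info=$(ls -ld -- "$path" | awk '{print $1 " " $4}')
    mode=${info% *}
    group=${info#* }
    rc=0

    # Characters 8-10 of the mode string are the "other" (world) bits.
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: world permissions '$other' still set on $path"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group owner is '$group', expected '$want_group'"
        rc=1
    fi
    # Character 7 is group execute ('x', or 's' when setgid is also set).
    case $(printf '%s' "$mode" | cut -c7) in
        x|s) ;;
        *) echo "FAIL: group '$group' cannot execute $path"; rc=1 ;;
    esac
    # Character 4 is 's' when the file is setuid and owner-executable.
    if [ "$(printf '%s' "$mode" | cut -c4)" != "s" ]; then
        echo "NOTE: $path is not setuid, so it will not work for non-root users"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path ($mode) is limited to group '$group'"
    return "$rc"
}

# Run the audit only when a path and a group are given on the command line.
if [ "$#" -ge 2 ]; then
    audit_su "$1" "$2"
fi
```

The audit covers only the file mode and group owner; it does not examine how su itself decides who may become root, which is the wheel behaviour discussed in the reply above.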