Re: Authenticate `su -` through PAM and SSH Agent
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
jlist@xxxxxxxxxx wrote:
I don't want to allow root logins at all over ssh (is localhost treated
specially then?). Security and all. I know I can't do it with the
default PAM plugins available, but if anybody has a link to where a
plugin would give that functionality that'd be great. If nobody knows of
one, I'd really appreciate links to a good tutorial on how PAM plugins
work and a tutorial/documentation of the ssh-agent workings/protocol. I
may find time to write one myself this coming summer.
Before you start work on the project, you should work out the logic of
how this is supposed to work.
If google is any indication, ideas like this one float around from time
to time, but the existing pam_ssh module doesn't do quite what you're
describing.
So, how would you support what you want to do, logically? First of all,
you want to be able to log in to a user account via ssh using keys,
right? So, if "user1" is your account, you'd have to install the public
key in that user's home directory on the host to which you want to log
in. That's easy enough, and supported by the software that already
exists. Now, once there, you want to be able to "su" to root using ssh
keys. How's the system going to handle that? Private keys can only be
authenticated against the public key, so where's the public key that the
system is going to use? If it's in your own home directory, then any
user can add a key and "su" to root. If it's in the root user's home
directory, then what you want is not really functionally different from
using "ssh root@localhost".
The only real gain that you get is disallowing remote root logins. If
you're concerned about brute-force attacks, you're better off allowing
remote root logins, but not allowing password logins. Turn off password
logins, and allow only key based authentication. You could improve
security further by configuring your firewall so that only connections
from specific IP addresses are allowed.
[Index of Archives]
[Older Fedora Users]
[Fedora Announce]
[Fedora Package Announce]
[EPEL Announce]
[Fedora Magazine]
[Fedora News]
[Fedora Summer Coding]
[Fedora Laptop]
[Fedora Cloud]
[Fedora Advisory Board]
[Fedora Education]
[Fedora Security]
[Fedora Scitech]
[Fedora Robotics]
[Fedora Maintainers]
[Fedora Infrastructure]
[Fedora Websites]
[Anaconda Devel]
[Fedora Devel Java]
[Fedora Legacy]
[Fedora Desktop]
[Fedora Fonts]
[ATA RAID]
[Fedora Marketing]
[Fedora Management Tools]
[Fedora Mentors]
[SSH]
[Fedora Package Review]
[Fedora R Devel]
[Fedora PHP Devel]
[Kickstart]
[Fedora Music]
[Fedora Packaging]
[Centos]
[Fedora SELinux]
[Fedora Legal]
[Fedora Kernel]
[Fedora OCaml]
[Coolkey]
[Virtualization Tools]
[ET Management Tools]
[Yum Users]
[Tux]
[Yosemite News]
[Gnome Users]
[KDE Users]
[Fedora Art]
[Fedora Docs]
[Asterisk PBX]
[Fedora Sparc]
[Fedora Universal Network Connector]
[Libvirt Users]
[Fedora ARM]