RE: [CentOS] How to create a secure user only for ssh login?




One way is the wheel group in /etc/group.

Uncomment the following line in /etc/pam.d/su:

auth required /lib/security/$ISA/pam_wheel.so use_uid

Uncommenting this line allows only the users in the wheel group to
become root by using the su command and entering the root password.
All other users will receive a message stating the password is
incorrect.

You will also want to create the wheel group in /etc/group and add users
to it if it does not exist (CentOS 4 I know does, but some older Red Hat
implementations did not, if I recall correctly).

I am unsure of how this interacts with sudo though. If you allow users
to use the sudo command, make sure they cannot 'sudo su root'.

-Greg

> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx 
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of M. Fioretti
> Sent: Wednesday, June 14, 2006 11:57 AM
> To: centos@xxxxxxxxxx
> Subject: [CentOS] How to create a secure user only for ssh login?
> 
> Hello,
> 
> I've read on several howtos that one way to make ssh more secure, or
> at least reduce the damage if somebody breaks in, is to NOT allow
> direct ssh login from root, but allow logins from another user. So you
> have to know two passwords in order to do any real damage.
> 
> Does this make sense? If yes, what is the right way to create a user
> only for this purpose, that is one that can only login to give me a
> local prompt to become root, but has no privilege, no possibility to
> create files, or do anything at all?
> 
> TIA,
> 	Marco
> 
> -- 
> Marco Fioretti                    mfioretti, at the server mclink.it
> Fedora Core 3 for low memory      http://www.rule-project.org/
> 
> Don't you wish you had more energy... or less ambition?
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
> 
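
A check for the settings discussed in this thread, as an added example that is not part of the original messages. The function names, the sample files and the user "alice" are constructed for illustration; PermitRootLogin is the sshd_config keyword for the "no direct ssh login from root" setting mentioned in the question.

```sh
#!/bin/sh
# Added example. Paths are arguments so the checks can run on copies of the files.

# True if the su PAM file has an uncommented "auth required ...pam_wheel.so" line.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#[:space:]]*pam_wheel\.so([[:space:]]|$)' "$1"
}

# Print the member list of the wheel group; fail if the group does not exist.
wheel_members() {
    line=$(grep '^wheel:' "$1") || return 1
    printf '%s\n' "${line##*:}"
}

# True if sshd_config sets PermitRootLogin to "no". sshd uses the first value it
# reads for a keyword; Match blocks are not evaluated here.
root_ssh_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# audit <pam_su> <group> <sshd_config>: one line per check, returns 1 on any failure.
audit() {
    rc=0
    pam_wheel_enforced "$1" && echo "OK   su limited to wheel" || { echo "FAIL pam_wheel line not active in $1"; rc=1; }
    if m=$(wheel_members "$2") && [ -n "$m" ]; then echo "OK   wheel members: $m"
    else echo "FAIL wheel group missing or empty in $2"; rc=1; fi
    root_ssh_disabled "$3" && echo "OK   direct root ssh login disabled" || { echo "FAIL PermitRootLogin is not set to no in $3"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real host): stock state vs. hardened state.
make_samples() {
    mkdir -p "$1/stock" "$1/hardened"
    printf '%s\n' '#auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$1/stock/su"
    printf '%s\n' 'auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$1/hardened/su"
    printf '%s\n' 'root:x:0:root' > "$1/stock/group"
    printf '%s\n' 'root:x:0:root' 'wheel:x:10:root,alice' > "$1/hardened/group"
    printf '%s\n' '#PermitRootLogin yes' > "$1/stock/sshd_config"
    printf '%s\n' 'PermitRootLogin no' > "$1/hardened/sshd_config"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for s in stock hardened; do
    echo "== $s =="; audit "$tmp/$s/su" "$tmp/$s/group" "$tmp/$s/sshd_config" || true
done
rm -rf "$tmp"
```

On a real host the call would be audit /etc/pam.d/su /etc/group /etc/ssh/sshd_config, run as a user who can read all three files.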