One way is the wheel group in /etc/group.

Uncomment the following line in /etc/pam.d/su:

    auth required /lib/security/$ISA/pam_wheel.so use_uid

Uncommenting this line allows only the users in the wheel group to become root by using the su command and entering the root password. All other users will receive a message stating the password is incorrect.

You will also want to create the wheel group in /etc/group and add users to it if it does not exist (CentOS 4 I know does, but some older Red Hat implementations did not, if I recall correctly).

I am unsure of how this interacts with sudo though. If you allow users to use the sudo command, make sure they cannot 'sudo su root'.

-Greg

> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of M. Fioretti
> Sent: Wednesday, June 14, 2006 11:57 AM
> To: centos@xxxxxxxxxx
> Subject: [CentOS] How to create a secure user only for ssh login?
>
> Hello,
>
> I've read on several howtos that one way to make ssh more secure, or
> at least reduce the damage if somebody breaks in, is to NOT allow
> direct ssh login from root, but allow logins from another user. So you
> have to know two passwords in order to do any real damage.
>
> Does this make sense? If yes, what is the right way to create a user
> only for this purpose, that is one that can only login to give me a
> local prompt to become root, but has no privilege, no possibility to
> create files, or do anything at all?
>
> TIA,
> Marco
>
> --
> Marco Fioretti mfioretti, at the server mclink.it
> Fedora Core 3 for low memory http://www.rule-project.org/
>
> Don't you wish you had more energy... or less ambition?
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
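
An added example, not part of the original messages: a shell check that the pam_wheel line from the reply above is really active in /etc/pam.d/su and that the wheel group exists and has members. The function names, the sample files and the user "alice" are constructed for illustration; the paths default to the live files.

```shell
#!/bin/sh
# Added example: audit the su/wheel restriction against given files.
# Function names and the sample files below are constructed for illustration.

# Succeed if FILE has an active "auth required .../pam_wheel.so ... use_uid" line.
# A commented-out line has "#auth" or "#" as its first field, so it never matches.
pam_wheel_enabled() {
    awk '$1 == "auth" && $2 == "required" && $3 ~ /pam_wheel\.so$/ {
             for (i = 4; i <= NF; i++) if ($i == "use_uid") found = 1
         }
         END { exit !found }' "$1"
}

# Print the member list (4th field) of the wheel group; fail if there is no such group.
# Users whose primary group is wheel are not listed in this field.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4; found = 1 } END { exit !found }' "$1"
}

# audit_su_wheel [PAM_FILE] [GROUP_FILE]: print findings, return the number of problems.
audit_su_wheel() {
    pam=${1:-/etc/pam.d/su}
    grp=${2:-/etc/group}
    problems=0
    if pam_wheel_enabled "$pam"; then
        echo "OK: pam_wheel is active in $pam"
    else
        echo "FAIL: pam_wheel line missing or still commented in $pam"
        problems=$((problems + 1))
    fi
    if members=$(wheel_members "$grp") && [ -n "$members" ]; then
        echo "OK: wheel members: $members"
    else
        echo "FAIL: wheel group missing or empty in $grp"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed sample files: the commented line, then the uncommented one.
demo=$(mktemp -d)
echo '#auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$demo/su.before"
echo 'auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$demo/su.after"
printf 'root:x:0:root\nwheel:x:10:root,alice\n' > "$demo/group"
audit_su_wheel "$demo/su.before" "$demo/group" || echo "problems: $?"
audit_su_wheel "$demo/su.after" "$demo/group" && echo "problems: 0"
rm -rf "$demo"
```

Calling audit_su_wheel with no arguments checks /etc/pam.d/su and /etc/group on the running system.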