Fedora Users — Re: Authenticate `su -` through PAM and SSH Agent

jlist@xxxxxxxxxx wrote:

I don't want to allow root logins at all over ssh (is localhost treatedspecially then?). Security and all. I know I can't do it with thedefault PAM plugins available, but if anybody has a link to where aplugin would give that functionality that'd be great. If nobody knows ofone, I'd really appreciate links to a good tutorial on how PAM pluginswork and a tutorial/documentation of the ssh-agent workings/protocol. Imay find time to write one myself this coming summer.

Before you start work on the project, you should work out the logic ofhow this is supposed to work.

If google is any indication, ideas like this one float around from timeto time, but the existing pam_ssh module doesn't do quite what you'redescribing.

So, how would you support what you want to do, logically? First of all,you want to be able to log in to a user account via ssh using keys,right? So, if "user1" is your account, you'd have to install the publickey in that user's home directory on the host to which you want to login. That's easy enough, and supported by the software that alreadyexists. Now, once there, you want to be able to "su" to root using sshkeys. How's the system going to handle that? Private keys can only beauthenticated against the public key, so where's the public key that thesystem is going to use? If it's in your own home directory, then anyuser can add a key and "su" to root. If it's in the root user's homedirectory, then what you want is not really functionally different fromusing "ssh root@localhost".

The only real gain that you get is disallowing remote root logins. Ifyou're concerned about brute-force attacks, you're better off allowingremote root logins, but not allowing password logins. Turn off passwordlogins, and allow only key based authentication. You could improvesecurity further by configuring your firewall so that only connectionsfrom specific IP addresses are allowed.