Re: Authenticate `su -` through PAM and SSH Agent

jlist@xxxxxxxxxx wrote:
I don't want to allow root logins at all over ssh (is localhost treated specially then?). Security and all. I know I can't do it with the default PAM plugins available, but if anybody has a link to where a plugin would give that functionality that'd be great. If nobody knows of one, I'd really appreciate links to a good tutorial on how PAM plugins work and a tutorial/documentation of the ssh-agent workings/protocol. I may find time to write one myself this coming summer.

Before you start work on the project, you should work out the logic of how this is supposed to work.

If Google is any indication, ideas like this one float around from time to time, but the existing pam_ssh module doesn't do quite what you're describing.

So, how would you support what you want to do, logically? First of all, you want to be able to log in to a user account via ssh using keys, right? So, if "user1" is your account, you'd have to install the public key in that user's home directory on the host to which you want to log in. That's easy enough, and supported by the software that already exists. Now, once there, you want to be able to "su" to root using ssh keys. How's the system going to handle that? Private keys can only be authenticated against the public key, so where's the public key that the system is going to use? If it's in your own home directory, then any user can add a key and "su" to root. If it's in the root user's home directory, then what you want is not really functionally different from using "ssh root@localhost".

The only real gain that you get is disallowing remote root logins. If you're concerned about brute-force attacks, you're better off allowing remote root logins, but not allowing password logins. Turn off password logins, and allow only key-based authentication. You could improve security further by configuring your firewall so that only connections from specific IP addresses are allowed.
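The posture recommended in the last paragraph (root may log in remotely, but only with keys, and nobody may log in with a password) comes down to a handful of sshd_config directives. The script below is an added example, not part of the original thread or any list member's code: a small POSIX shell audit that reads the global section of an sshd_config the way sshd itself does (the first occurrence of a directive wins, later duplicates are ignored) and warns on each setting that would undercut that posture. The directive names are real OpenSSH options; the two sample config files are constructed for this example, and the weak one deliberately contains the common mistake of appending `PasswordAuthentication no` below an earlier `yes`.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# posture the reply recommends (root may log in remotely, but only with keys).
# The directive names are real OpenSSH sshd_config options; the sample files
# written by write_samples are constructed for this example.

# Effective value of a global directive. OpenSSH keeps the FIRST occurrence
# of a directive, so later duplicates are ignored; keywords are case-insensitive.
# Only the global section is read: parsing stops at the first Match block.
sshd_effective() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/                            { next }  # comments, blank lines
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/  { exit }  # end of global section
        tolower($1) == key                              { print $2; exit }
    ' "$1"
}

# Returns 0 when the config matches the recommended posture, 1 otherwise,
# printing one WARN line per problem found.
sshd_audit() {
    cfg=$1
    ok=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pubkey=$(sshd_effective "$cfg" PubkeyAuthentication)
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)

    # Default is "yes": unset means password guessing is possible.
    [ "$pw" = no ] || { echo "WARN: PasswordAuthentication=${pw:-unset}; passwords accepted"; ok=1; }

    # The default changed between OpenSSH versions, so require an explicit key-only value.
    case "$root" in
        prohibit-password|without-password|forced-commands-only|no) ;;
        *) echo "WARN: PermitRootLogin=${root:-unset}; set prohibit-password (or no)"; ok=1 ;;
    esac

    # Default is "yes"; only an explicit "no" is a problem.
    [ "$pubkey" != no ] || { echo "WARN: PubkeyAuthentication=no; key logins disabled"; ok=1; }

    # keyboard-interactive (via PAM) can still prompt for a password unless one
    # of these is "no" (old and new names for the same control).
    [ "$cr" = no ] || [ "$kbd" = no ] || { echo "WARN: keyboard-interactive auth still enabled"; ok=1; }

    return $ok
}

# Constructed samples. The weak one shows the duplicate-directive trap:
# the trailing "PasswordAuthentication no" never takes effect.
write_samples() {
    SSHD_WEAK=$(mktemp) && SSHD_HARDENED=$(mktemp) || return 1
    cat > "$SSHD_WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later by an admin, but ignored: sshd keeps the first value seen
PasswordAuthentication no
EOF
    cat > "$SSHD_HARDENED" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

write_samples
echo "== weak sample";     sshd_audit "$SSHD_WEAK"     || echo "FAIL"
echo "== hardened sample"; sshd_audit "$SSHD_HARDENED" && echo "OK"
```

Run it against a live host with `sshd_audit /etc/ssh/sshd_config`. The audit deliberately ignores Match blocks, so a config that re-enables passwords for some address range inside a Match section passes the global check; on OpenSSH builds that support it, `sshd -T` prints the fully resolved configuration and is the better input when such blocks are present.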

