
Re: Debian security: need recipe for blocking root ssh access AND all ssh password access



On Wed, Feb 17, 2016 at 02:24:02PM +0000, Darac Marjal wrote:
> On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote:
> >I have several remote Debian 7 servers and would like to secure them in
> >the following manner:
> >
> >1. root will not be allowed any external access (access is only via a
> >user becoming root while logged in)
> 
> Ensure all users who may be allowed super-user access are in
> /etc/sudoers. Then run "sudo passwd -l". This will LOCK the password
> for root (that is, set the encrypted password to a value which
> cannot be matched. Additionally, the locked password may not be
> changed).
>
> In this manner, root cannot be logged into directly, but users can
> still elevate to root by using sudo.

And what do you do when the system drops you into single user mode
(because, for example, the root partition is in trouble) and asks
you for the root password?

(Yeah, there are ways around it -- but you should tell people about
them *before* you send them this route :-)

regards
-- tomás
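An added example, not part of either poster's message: a small audit of the two goals in the thread subject plus the locked-root state discussed above. The sample files are constructed, the function names are hypothetical, and it assumes the standard `sshd_config` keywords `PermitRootLogin` and `PasswordAuthentication`.

```shell
#!/bin/sh
# Added example. File contents below are constructed samples, not real hosts.

# shadow_state USER FILE -> locked | nologin | empty | set | missing
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u { found = 1
                  if ($2 == "")        print "empty"    # no password required
                  else if ($2 ~ /^!/)  print "locked"   # what "passwd -l" leaves
                  else if ($2 ~ /^\*/) print "nologin"  # no valid password
                  else                 print "set"
                  exit }
        END { if (!found) print "missing" }' "$2"
}

# sshd_option KEYWORD FILE -> first value set for KEYWORD (sshd uses the first
# one it reads), lowercased, or "unset". Match blocks are not interpreted.
sshd_option() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# audit SHADOW SSHD_CONFIG -> one line per finding; returns 1 if sshd still
# allows root logins or password logins.
audit() {
    rc=0
    [ "$(sshd_option PermitRootLogin "$2")" = no ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_option PasswordAuthentication "$2")" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    case "$(shadow_state root "$1")" in
        locked|nologin) echo "NOTE: root has no usable password; plan console recovery before relying on single-user mode" ;;
    esac
    return $rc
}

# Constructed sample files so the script runs without touching /etc.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'root:!$6$salt$hash:16848:0:99999:7:::' \
              'tom:$6$salt$hash:16848:0:99999:7:::' > "$demo/shadow"
printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
              'PasswordAuthentication yes' > "$demo/sshd_config"
audit "$demo/shadow" "$demo/sshd_config" || echo "audit found problems"
```

On a live host, `sshd -T` run as root reports the effective values, including anything set inside `Match` blocks that this text parser ignores.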

