[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [OT] sudo: restrict to physical console only?

On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> On 04.08.20 10:59, tomas@tuxteam.de wrote:
> > On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> > > Is it possible (how?) to restrict a user to only be allowed to make
> > > use of its sudo usage permission if working at the physical console,
> > 
> > See pam_securetty(8) for that. Sorry I can't give you some step-by-step
> > account.
> > 
> > > not granting to this user sudo permission when i.e. logged in via
> > > ssh?
> > 
> > Now you have to decide: You want to *only allow root login on console*
> > or to *disallow root login for ssh*?
> > 
> > For the first, PAM is the right tool. The second should be default on
> > most modern Linux distros (yell at them if it ain't ;-) and is governed
> > by the sshd configuration, typically in /etc/ssh/sshd_config and
> > documented in sshd_config(5).
> > 
> > Cheers
> >   - t
> > 
> 
> Sorry, I will not have been clear enough, or did not understand your answer
> clearly, ssh and pam are both new to me, and I also never configured sudo
> myself.
> As my root account is disabled, I do all administration as the "normal" user
> with the help of sudo for running administrative commands. The user "root"
> shall not login nowhere, not at the physical console and not by ssh, never.
> Only the "normal" user should be allowed to log in to the system. The
> "normal" user then of course needs to keep the right to use "sudo" if
> working at the physical console (being logged in at a console (CTRL+ALT+F2),
> or logged in via sddm or gdm, or having opened a terminal within the X11 or
> Wayland session, etc.), but for security the access for this "normal" user
> to "sudo" privileges shall not be granted if this user would work at the
> system from remote, for instance logged in via ssh.
> I could imagine that it is possible to kind of generally block all sudo (and
> also su) functionality in the system for everybody as soon as any remote
> (incoming) login to ssh is detected, and automatically allowing sudo
> functionality again if no more incoming ssh to the computer exists:
> if remote (incoming) connection established, then disable sudo and su
> if no remote (incoming) connection established, then switch on sudo and su
> If such security mechanism could be done in a reliable way to only effect
> the incoming connection, while a parallel local (physically sitting at the
> computer) user could continue to work with sudo, then this would be fine,
> but assuming that this might be much more difficult to configure, especially
> if remote login and physical login could be the same user (same user ID), I
> am open to the drastic but simple version as described above.
>

Have you considered to have one account allowed to ssh in and
one account allowed to sudo?

You say you are the only user. That seems like an simple
solution.


-H



-- 
Henning Follmann           | hfollmann@itcfollmann.com
Reply to: