Re: [OT] sudo: restrict to physical console only?

[Marco Möller <talby@debianlists.mobilxpress.net>]

On 04.08.20 15:50, Henning Follmann wrote:
> On Tue, Aug 04, 2020 at 11:44:04AM +0200, Marco Möller wrote:
> > On 04.08.20 10:59, tomas@tuxteam.de wrote:
> > > On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> > > > Is it possible (how?) to restrict a user to only be allowed to make
> > > > use of its sudo usage permission if working at the physical console,
> > >
> > > See pam_securetty(8) for that. Sorry I can't give you some step-by-step
> > > account.
> > >
> > > > not granting to this user sudo permission when i.e. logged in via
> > > > ssh?
> > >
> > > Now you have to decide: You want to *only allow root login on console*
> > > or to *disallow root login for ssh*?
> > >
> > > For the first, PAM is the right tool. The second should be default on
> > > most modern Linux distros (yell at them if it ain't ;-) and is governed
> > > by the sshd configuration, typically in /etc/ssh/sshd_config and
> > > documented in sshd_config(5).
> > >
> > > Cheers
> > >    - t
> >
> > Sorry, I will not have been clear enough, or did not understand your answer
> > clearly, ssh and pam are both new to me, and I also never configured sudo
> > myself.
> > As my root account is disabled, I do all administration as the "normal" user
> > with the help of sudo for running administrative commands. The user "root"
> > shall not login nowhere, not at the physical console and not by ssh, never.
> > Only the "normal" user should be allowed to log in to the system. The
> > "normal" user then of course needs to keep the right to use "sudo" if
> > working at the physical console (being logged in at a console (CTRL+ALT+F2),
> > or logged in via sddm or gdm, or having opened a terminal within the X11 or
> > Wayland session, etc.), but for security the access for this "normal" user
> > to "sudo" privileges shall not be granted if this user would work at the
> > system from remote, for instance logged in via ssh.
> > I could imagine that it is possible to kind of generally block all sudo (and
> > also su) functionality in the system for everybody as soon as any remote
> > (incoming) login to ssh is detected, and automatically allowing sudo
> > functionality again if no more incoming ssh to the computer exists:
> > if remote (incoming) connection established, then disable sudo and su
> > if no remote (incoming) connection established, then switch on sudo and su
> > If such security mechanism could be done in a reliable way to only effect
> > the incoming connection, while a parallel local (physically sitting at the
> > computer) user could continue to work with sudo, then this would be fine,
> > but assuming that this might be much more difficult to configure, especially
> > if remote login and physical login could be the same user (same user ID), I
> > am open to the drastic but simple version as described above.
>
> Have you considered to have one account allowed to ssh in and
> one account allowed to sudo?
>
> You say you are the only user. That seems like an simple
> solution.
>
>
> -H


Yes, I understand that this could ease configuration, but my thoughts 
are going towards a setup in which I access my computer from remote in 
order to enjoy the Graphical Desktop System and all software being 
nicely configured already, the home directory has my data available for 
me, etc. To this end I thought to maybe tunnel X11 through ssh, or using 
X2Go, or something alike. I am not sure about all this by now, I am 
still collecting information about the security part of all this.
The idea of Tomas to look in /etc/sudoers.conf for something like 
'requiretty' sounds promising. I will need a couple of days to read and 
learn about this and then testing it.
Marco