
Re: [OT] sudo: restrict to physical console only?



Hi.

On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> Is it possible (and how?) to restrict a user so that they may only make use of their sudo permission when working at the physical console, not granting this
> user sudo permission when e.g. logged in via ssh? To keep it simple, I could imagine even having sudo deactivated automatically for all users as soon as
> a remote connection by ANY user is detected.

Yes. It's an unusual (some may say - dangerous) thing that you're
asking, so prepare for the unusual side effects.

--- a/etc/pam.d/sudo   2020-08-04 18:40:26.528699633 +0000
+++ b/etc/pam.d/sudo   2020-08-04 18:40:26.296579395 +0000
@@ -1,5 +1,6 @@
 #%PAM-1.0

 @include common-auth
+auth required pam_succeed_if.so tty =~ /dev/tty*
 @include common-account
 @include common-session-noninteractive
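Review bot: because the new line is `required` and sits after `@include common-auth`, a user on a non-matching tty is still prompted for (and has to type) a password before the tty check denies them; `auth requisite pam_succeed_if.so quiet tty =~ /dev/tty*` placed before `@include common-auth` would refuse immediately without a prompt, and `quiet` keeps the module from logging every successful match. Note also that `=~` is a glob match, so `/dev/tty*` admits serial lines such as `/dev/ttyS0` and `/dev/ttyUSB0` as well as the virtual terminals; `/dev/tty[0-9]*` is the pattern if only tty1..ttyN are meant.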


I'm assuming that by "physical console" you mean that lovely
conventional virtual terminal kernel facility (i.e. those funny letters
that appear on your screen when you press Ctrl+Alt+F2). Be warned that
in the current form it *will* break sudo for anyone, root included, for
any process whose "tty" attribute does not match /dev/tty*, be it ssh,
screen, tmux, and (possibly) X/Wayland sessions.
Worked for me in the case of real servers, just in case.

Reco
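As an added example (not part of Reco's reply or the Debian PAM configuration), the POSIX shell script below models the glob match that `pam_succeed_if.so tty =~ /dev/tty*` performs, so the effect on typical terminal paths can be checked before editing /etc/pam.d/sudo. It assumes sudo hands PAM the full device path (e.g. /dev/pts/0 for an ssh, screen or tmux session, /dev/tty2 for a virtual terminal); the sample values are constructed. It goes beyond the post by also trying a tighter pattern, `/dev/tty[0-9]*`, that excludes serial lines.

```shell
#!/bin/sh
# Added example, not from the list post. pam_succeed_if's "=~" is a glob
# (fnmatch) match and a POSIX `case` pattern uses the same syntax, so the
# verdicts below mirror what the PAM rule would decide for each PAM_TTY.

# Strict pattern: only the kernel virtual terminals tty1..ttyN.
# Returns 0 (allow) or 1 (deny). An empty tty (cron, daemons, some
# graphical sessions) is denied, which is the "side effect" Reco warns about.
console_allowed() {
    case "$1" in
        /dev/tty[0-9]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Broad pattern: exactly what the posted patch uses. Also admits serial
# consoles (/dev/ttyS0) and USB serial adapters (/dev/ttyUSB0).
console_allowed_broad() {
    case "$1" in
        /dev/tty*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Convenience wrapper returning "allow"/"deny" as text for a given pattern
# name ("strict" or "broad"); used for reporting and for testing.
verdict() {
    if [ "$1" = strict ]; then
        console_allowed "$2" && echo allow || echo deny
    else
        console_allowed_broad "$2" && echo allow || echo deny
    fi
}

# Walk through constructed sample PAM_TTY values (assumed to be the full
# device path, as sudo sets it from the caller's controlling terminal).
report() {
    for t in /dev/tty2 /dev/pts/0 /dev/ttyS0 /dev/ttyUSB0 ""; do
        printf '%-14s strict:%-5s broad:%s\n' "${t:-<none>}" \
            "$(verdict strict "$t")" "$(verdict broad "$t")"
    done
}

# Live check: what the rule would most likely see from this very shell.
# `tty` prints the controlling terminal, or "not a tty" when there is none.
current_tty=$(tty 2>/dev/null || true)
report
printf 'this shell (%s): strict:%s broad:%s\n' "$current_tty" \
    "$(verdict strict "$current_tty")" "$(verdict broad "$current_tty")"
```

Run it once from a virtual terminal and once over ssh: the ssh session reports /dev/pts/N and is denied by both patterns, which is the behaviour the patch relies on, while a serial console is only denied by the strict pattern.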

