Re: authentication method shell variable?

--- Benjamin Donnachie [EMAIL PROTECTED] wrote:
> Jaqui Greenlees wrote:
> > In a recent discussion about secure ssh use the idea of having ssh
> > export the authentication method as a shell variable. The idea being
> > to limit su access to only those who have used a public / private key
> > pair for authentication.
>
> Easy... Compile sshd with the match keyword patch
> (http://bugzilla.mindrot.org/show_bug.cgi?id=1180), and use it to ensure
> that members of the admin group can only log in using public/private key
> authentication. Also make these users a member of the wheel group, and
> ensure that only they can su - check out /etc/pam.d/su.
>
> For example, in /etc/ssh/sshd_config add:
>
>     Match Group admins
>         PubkeyAuthentication yes
>         PasswordAuthentication no
>         ChallengeResponseAuthentication no
>
> In /etc/pam.d/su ensure the following is uncommented:
>
>     # Uncomment the following line to require a user to be in the wheel group.
>     auth required /lib/security/$ISA/pam_wheel.so use_uid
>
> I use this method to ensure that admins can only log in using
> public/private keys and have access to perform admin functions while
> (hopefully) ensuring that normal users cannot mess about. This also has
> the advantage that if any user uploads their own keys to ~/.ssh they
> will not be able to gain admin rights!!!
>
> Ben

Thanks Ben, that is exactly what I was looking for.

Jaqui
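The sshd_config Match block above works because keywords inside a matching Match block override the global section. The following added example (not code from the thread or from OpenSSH) parses a constructed sshd_config and resolves the effective authentication options for a user, so an administrator can check that members of the admins group really are limited to public-key login before relying on pam_wheel. It assumes sshd's resolution rule that, among several matching Match blocks, the first block to set a keyword wins, and it only evaluates User and Group criteria.

```python
import shlex

# Constructed sshd_config text: permissive global defaults, then the Match
# block from the thread (Match blocks must come after the global section).
SSHD_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes

Match Group admins
    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
"""

def parse_sshd_config(text):
    """Split sshd_config into global options and a list of Match blocks.
    Returns (global_opts, [(criteria_dict, opts_dict), ...]); keywords are
    lower-cased because sshd treats them case-insensitively."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "match":
            # Criteria come in pairs, e.g. "Match Group admins User bob".
            crit = {args[i].lower(): args[i + 1] for i in range(0, len(args) - 1, 2)}
            current = (crit, {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = args[0] if args else ""
        else:
            current[1][key] = args[0] if args else ""
    return global_opts, blocks

def effective_options(text, user, groups):
    """Options sshd would apply to `user` (member of `groups`): Match blocks
    override globals; the first matching block to set a keyword wins.
    Criteria other than User/Group are treated as not matching (assumption)."""
    global_opts, blocks = parse_sshd_config(text)
    resolved, seen = dict(global_opts), set()
    for crit, opts in blocks:
        if not all((k == "user" and v == user) or (k == "group" and v in groups)
                   for k, v in crit.items()):
            continue
        for key, val in opts.items():
            if key not in seen:
                resolved[key] = val
                seen.add(key)
    return resolved

def key_only_login(text, user, groups):
    """True if this user can authenticate only with a public key."""
    o = effective_options(text, user, groups)
    return (o.get("pubkeyauthentication") == "yes"
            and o.get("passwordauthentication") == "no"
            and o.get("challengeresponseauthentication") == "no")
```

Running `key_only_login(SSHD_CONFIG, "alice", {"admins", "wheel"})` returns True, while a user in only the users group still sees PasswordAuthentication yes from the global section.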
Re: authentication method shell variable?

--- Greg Wooledge [EMAIL PROTECTED] wrote:
> On Sun, Aug 27, 2006 at 07:28:06AM -0400, Jaqui Greenlees wrote:
> > In a recent discussion about secure ssh use the idea of having ssh
> > export the authentication method as a shell variable. The idea being
> > to limit su access to only those who have used a public / private key
> > pair for authentication.
>
> What prevents the black-hat cracker from simply setting that environment
> variable after getting in using a password?

The fact that access to su is granted by authentication to start the bash
session, not when su is invoked. The shell variable is only invoked by the
shell during the session start process to limit or allow the access.

> Although it would be more work, you might consider developing a system
> that grants group membership (e.g. in the wheel group) after appropriate
> authentication. Then restrict su to those who are in that group.

In effect, I'm wanting to do exactly this, by using the authentication
method for the ssh tunnel to determine the group membership. Only those
using the key pair get the access to admin tools. This limits remote admin
to those you have set up the key pair access for on the system, yet doesn't
stop use of the other authentication methods for remote access, only limits
their access to the system admin tools.

This type of functionality would benefit large networks or web hosting
companies that do allow ssh access to account holders, yet not interfere
with the remote access for administration staff tasks. A trusted and
non-trusted account holder status. ( trusted are the staff, non-trusted are
the clients )
authentication method shell variable?

In a recent discussion about secure ssh use the idea of having ssh export
the authentication method as a shell variable. The idea being to limit su
access to only those who have used a public / private key pair for
authentication.

I haven't seen in the documentation if this is possible, specially without
harming the normal transparency for a tunnel. I am checking with the bash
developers / help to see if bash can be set to use such a variable. If the
functionality doesn't exist I guess I'll have to try adding it and testing
until it does work without killing normal tunnel transparency.

Jaqui