On Sun, Aug 27, 2006 at 07:28:06AM -0400, Jaqui Greenlees wrote:
> In a recent discussion about secure ssh use the idea
> of having ssh export the authentication method as a
> shell variable. The idea being to limit su access to
> only those who have used a public / private key pair
> for authentication.

What prevents the black-hat cracker from simply setting that environment variable after getting in using a password? Although it would be more work, you might consider developing a system that grants group membership (e.g. in the "wheel" group) after appropriate authentication. Then restrict "su" to those who are in that group.