--- Benjamin Donnachie <[EMAIL PROTECTED]> wrote:

> Jaqui Greenlees wrote:
> > In a recent discussion about secure ssh use the idea of having ssh
> > export the authentication method as a shell variable. The idea being
> > to limit su access to only those who have used a public / private key
> > pair for authentication.
>
> Easy...  Compile sshd with the match keyword patch
> (http://bugzilla.mindrot.org/show_bug.cgi?id=1180), and use it to ensure
> that members of the admin group can only log in using public/private key
> authentication.
>
> Also make these users a member of the wheel group, and ensure that only
> they can su - check out /etc/pam.d/su.
>
> For example, in /etc/ssh/sshd_config add:
>
> Match Group admins
>   PubkeyAuthentication yes
>   PasswordAuthentication no
>   ChallengeResponseAuthentication no
>
> In /etc/pam.d/su ensure the following is uncommented:
>
> # Uncomment the following line to require a user to be in the "wheel" group.
> auth       required    /lib/security/$ISA/pam_wheel.so use_uid
>
> I use this method to ensure that admins can only log in using
> public/private keys and have access to perform admin functions while
> (hopefully) ensuring that "normal" users cannot mess about.
>
> This also has the advantage that if any user uploads their own keys to
> ~/.ssh that they will not be able to gain admin rights!!!
>
> Ben
>
Thanks Ben,

that is exactly what I was looking for.

Jaqui
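The two pieces of Ben's setup are an sshd_config Match block that removes password and challenge-response login for the admin group, and a pam_wheel line in /etc/pam.d/su that gates su on wheel membership. The script below is an added example, not code from the thread or from OpenSSH or Linux-PAM; it parses both files with simplified rules (only Match User and Match Group criteria are understood, which is an assumption) and reports whether a given user and group set gets key-only login and whether su is restricted to wheel. The sample sshd_config and pam.d/su contents are constructed for the example.

```python
"""Added example: check the sshd_config Match block and the pam_wheel su
stanza described in the thread. Simplified parsers, not OpenSSH's or PAM's own code."""
import re

# Constructed sample sshd_config: global defaults, then the Match block from the thread.
SSHD_CONFIG = """\
# global settings
PasswordAuthentication yes
PubkeyAuthentication yes

Match Group admins
  PubkeyAuthentication yes
  PasswordAuthentication no
  ChallengeResponseAuthentication no
"""

# Constructed sample /etc/pam.d/su with the pam_wheel line uncommented.
PAM_SU = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       include      system-auth
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords are lower-cased.
    match_blocks is a list of (criteria_dict, opts_dict) in file order."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()                   # e.g. ["Group", "admins"]
            crit = {k.lower(): v.split(",") for k, v in zip(tokens[::2], tokens[1::2])}
            current = {}
            blocks.append((crit, current))
        elif current is None:
            global_opts[key] = value                 # before any Match: global
        else:
            current[key] = value                     # inside a Match block
    return global_opts, blocks


def block_matches(criteria, user, groups):
    """Assumption: only User and Group criteria are evaluated; any other
    criterion (Host, Address, ...) makes the block count as not matched."""
    for crit, values in criteria.items():
        if crit == "user" and user not in values:
            return False
        if crit == "group" and not set(values) & set(groups):
            return False
        if crit not in ("user", "group"):
            return False
    return True


def effective_option(text, keyword, user, groups):
    """sshd semantics: the first matching Match block that sets a keyword wins,
    otherwise the global value, otherwise None (compiled-in default)."""
    global_opts, blocks = parse_sshd_config(text)
    key = keyword.lower()
    for crit, opts in blocks:
        if block_matches(crit, user, groups) and key in opts:
            return opts[key]
    return global_opts.get(key)


def key_only_login(text, user, groups):
    """True if this user can log in with a public key and with nothing else."""
    return (effective_option(text, "PubkeyAuthentication", user, groups) == "yes"
            and effective_option(text, "PasswordAuthentication", user, groups) == "no"
            and effective_option(text, "ChallengeResponseAuthentication", user, groups) == "no")


def su_requires_wheel(pam_text):
    """True if an active (uncommented) 'auth required' line loads pam_wheel.so with use_uid."""
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if (len(fields) >= 4 and fields[0] == "auth" and fields[1] == "required"
                and fields[2].endswith("pam_wheel.so") and "use_uid" in fields[3:]):
            return True
    return False


if __name__ == "__main__":
    print("admin (admins,wheel) key-only login:", key_only_login(SSHD_CONFIG, "alice", ["admins", "wheel"]))
    print("normal user key-only login:", key_only_login(SSHD_CONFIG, "bob", ["users"]))
    print("su restricted to wheel:", su_requires_wheel(PAM_SU))
```

The check mirrors why uploading a key to ~/.ssh does not grant admin rights in Ben's setup: the Match block only decides how members of the admin group may authenticate, while su is gated separately by pam_wheel on wheel membership, which a user cannot add to themselves. On a real host, `sshd -T -C user=alice,host=example,addr=192.0.2.1` prints the effective options sshd would apply for that connection and is the authoritative way to confirm a Match block; newer OpenSSH releases spell ChallengeResponseAuthentication as KbdInteractiveAuthentication, so a checker run against current configs should accept either keyword.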
