Jaqui Greenlees <[EMAIL PROTECTED]> wrote:
> In a recent discussion about ssh, the idea was put forth
> to get openssh to export a variable that defines the
> authentication method used. The idea being to limit
> access to su use to only those authenticating through
> a public / private key pairing.
>
> Is there any way currently to configure bash to use
> this and limit access to su if the authentication is
> not through the key pair, without hurting the
> transparency of normal ssh access?

The shell isn't the right place to enforce access control. The user could simply run su via a different shell, or the env command, etc. Access control for su should be implemented in su itself.

Also, it's easy to circumvent this access control if it's in an environment variable; users can change the environment of their own processes.

You could have sshd run the user's session with an extra supplementary group ID, depending on the authentication method. Then you could make su executable by only that group. You wouldn't have to make any coding changes outside of sshd.

paul

_______________________________________________
Bug-bash mailing list
Bug-bash@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-bash
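
An added example, not part of the original message or of bash, sshd or su: it shows why a marker in the environment cannot gate su, and audits the group-based gate described in the reply. The variable name `SSH_AUTH_METHOD` is hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added illustration. SSH_AUTH_METHOD is a hypothetical variable name;
# the thread does not name the variable sshd would export.

# 1. The environment belongs to the user. Whatever sshd exported, the
#    user can start any child process with a different value.
#    Prints the value a child sees after the user overrides the marker.
forged_marker() {
    env SSH_AUTH_METHOD=publickey sh -c 'printf %s "$SSH_AUTH_METHOD"'
}

# 2. File permissions are enforced by the kernel at exec time, so a
#    group-only su cannot be bypassed by switching shells.
#    Audit that gate. Usage: su_gate_ok PATH GATE_GID [OWNER_UID]
#    OWNER_UID defaults to 0 (root), which is what a real su needs.
#    Returns 0 if the gate holds, 1 if it does not, 2 if PATH is unreadable.
su_gate_ok() {
    want_gid=$2
    want_uid=${3:-0}
    meta=$(stat -c '%a %g %u' "$1" 2>/dev/null) || return 2
    set -- $meta
    mode=$((0$1))   # stat prints octal digits, e.g. 4750
    [ "$3" = "$want_uid" ] || return 1         # wrong owner
    [ "$2" = "$want_gid" ] || return 1         # wrong group on the file
    [ $((mode & 04000)) -ne 0 ] || return 1    # setuid bit missing
    [ $((mode & 00010)) -ne 0 ] || return 1    # gate group cannot execute
    [ $((mode & 00007)) -eq 0 ] || return 1    # "other" still has access
    return 0
}
```

Mode 4750 with the file's group set to the gate group passes the audit; the stock 4755 fails it because every user can still execute su.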