On 04.08.20 10:59, to...@tuxteam.de wrote:
On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
Is it possible (how?) to restrict a user to only be allowed to make
use of its sudo usage permission if working at the physical console,
See pam_securetty(8) for that. Sorry I can't give you some step-by-step
account.
not granting to this user sudo permission when i.e. logged in via
ssh?
Now you have to decide: You want to *only allow root login on console*
or to *disallow root login for ssh*?
For the first, PAM is the right tool. The second should be default on
most modern Linux distros (yell at them if it ain't ;-) and is governed
by the sshd configuration, typically in /etc/ssh/sshd_config and
documented in sshd_config(5).
Cheers
- t
Sorry, I will not have been clear enough, or did not understand your
answer clearly, ssh and pam are both new to me, and I also never
configured sudo myself.
As my root account is disabled, I do all administration as the "normal"
user with the help of sudo for running administrative commands. The user
"root" shall not login nowhere, not at the physical console and not by
ssh, never. Only the "normal" user should be allowed to log in to the
system. The "normal" user then of course needs to keep the right to use
"sudo" if working at the physical console (being logged in at a console
(CTRL+ALT+F2), or logged in via sddm or gdm, or having opened a terminal
within the X11 or Wayland session, etc.), but for security the access
for this "normal" user to "sudo" privileges shall not be granted if this
user would work at the system from remote, for instance logged in via ssh.
I could imagine that it is possible to kind of generally block all sudo
(and also su) functionality in the system for everybody as soon as any
remote (incoming) login to ssh is detected, and automatically allowing
sudo functionality again if no more incoming ssh to the computer exists:
if remote (incoming) connection established, then disable sudo and su
if no remote (incoming) connection established, then switch on sudo and su
If such security mechanism could be done in a reliable way to only
effect the incoming connection, while a parallel local (physically
sitting at the computer) user could continue to work with sudo, then
this would be fine, but assuming that this might be much more difficult
to configure, especially if remote login and physical login could be the
same user (same user ID), I am open to the drastic but simple version as
described above.
