Authenticate `su -` through PAM and SSH Agent

Gordon Messmer yinyang at eburg.com
Tue Feb 27 01:47:07 UTC 2007


jlist at jdjlab.com wrote:
> I don't want to allow root logins at all over ssh (is localhost treated 
> specially then?). Security and all. I know I can't do it with the 
> default PAM plugins available, but if anybody has a link to where a 
> plugin would give that functionality that'd be great. If nobody knows of 
> one, I'd really appreciate links to a good tutorial on how PAM plugins 
> work and a tutorial/documentation of the ssh-agent workings/protocol. I 
> may find time to write one myself this coming summer.

Before you start work on the project, you should work out the logic of 
how this is supposed to work.

If Google is any indication, ideas like this one float around from time 
to time, but the existing pam_ssh module doesn't do quite what you're 
describing.

So, how would you support what you want to do, logically?  First of all, 
you want to be able to log in to a user account via ssh using keys, 
right?  So, if "user1" is your account, you'd have to install the public 
key in that user's home directory on the host to which you want to log 
in.  That's easy enough, and supported by the software that already 
exists.  Now, once there, you want to be able to "su" to root using ssh 
keys.  How's the system going to handle that?  Private keys can only be 
authenticated against the public key, so where's the public key that the 
system is going to use?  If it's in your own home directory, then any 
user can add a key and "su" to root.  If it's in the root user's home 
directory, then what you want is not really functionally different from 
using "ssh root@localhost".

The only real gain that you get is disallowing remote root logins.  If 
you're concerned about brute-force attacks, you're better off allowing 
remote root logins, but not allowing password logins.  Turn off password 
logins, and allow only key based authentication.  You could improve 
security further by configuring your firewall so that only connections 
from specific IP addresses are allowed.
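The configuration the reply recommends (no password logins, key-based authentication only, remote root login still permitted but only with a key, and a firewall rule limiting the source addresses) as an added example that is not part of the original thread: a small POSIX shell audit that reads an sshd_config and reports whether it matches that advice. It assumes the OpenSSH defaults of that era (PasswordAuthentication, ChallengeResponseAuthentication, PubkeyAuthentication and PermitRootLogin all defaulting to yes; newer OpenSSH defaults PermitRootLogin to prohibit-password), handles only the "Keyword value" form, and stops reading at the first Match block since directives inside one are conditional. The two config files are constructed samples, not anything posted in the thread. It also checks ChallengeResponseAuthentication, which the reply does not mention: with UsePAM yes, leaving it on lets sshd prompt for a password through PAM's keyboard-interactive method even when PasswordAuthentication is no.

```shell
#!/bin/sh
# Added example: audit an sshd_config against "keys only, root with key only".

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# non-comment occurrence of a keyword, so we stop at the first match; keyword
# comparison is case-insensitive; parsing stops at the first "Match" block
# because directives below it only apply conditionally. $3 is the default to
# report when the keyword never appears (assumed defaults, see lead-in).
sshd_effective() {
    awk -v key="$2" -v dflt="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match"     { exit }          # conditional section begins
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Audit one config file. Prints a FAIL line per deviation from the advice in
# the reply, PASS when clean; returns 0 when clean, 1 otherwise.
audit_sshd() {
    f=$1; rc=0
    pw=$(sshd_effective "$f" PasswordAuthentication yes)
    cr=$(sshd_effective "$f" ChallengeResponseAuthentication yes)
    pk=$(sshd_effective "$f" PubkeyAuthentication yes)
    rl=$(sshd_effective "$f" PermitRootLogin yes)
    [ "$pw" = no ]  || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$cr" = no ]  || { echo "FAIL ChallengeResponseAuthentication=$cr (want no, or PAM can still ask for a password)"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1; }
    case $rl in
        without-password|prohibit-password|no) ;;   # root only with a key, or not at all
        *) echo "FAIL PermitRootLogin=$rl (want without-password or no)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "PASS $f"
    return "$rc"
}

# Constructed sample configs (assumed content, not from the original post).
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

cat > "$WEAK" <<'EOF'
# Typical 2007-era defaults: remote root can log in with a password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

cat > "$HARDENED" <<'EOF'
# What the reply recommends: keys only, root allowed but only with a key
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

for f in "$WEAK" "$HARDENED"; do
    if audit_sshd "$f"; then echo "-> $f matches the advice"; else echo "-> $f needs work"; fi
done

# The firewall half of the advice (example rules, not executed here): accept
# SSH only from a trusted range, drop the rest.
#   iptables -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j DROP
```

Run it as `sh audit.sh`; the WEAK sample fails on three counts (password auth, PAM keyboard-interactive, root with password) and the HARDENED sample passes. Because sshd honours the first occurrence of a keyword, a hardened line appended at the bottom of a config that already says `PasswordAuthentication yes` higher up changes nothing, which is exactly the mistake this first-match parser catches.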
