SOLVED! How to block remote SUDO with SSH
Knapp
magick.crow at gmail.com
Mon Aug 18 20:54:32 UTC 2008
On Mon, Aug 18, 2008 at 5:21 PM, Jonas Norlander <jonorland at gmail.com> wrote:
> 2008/8/18 Knapp <magick.crow at gmail.com>:
> > After seeing lots of good ideas here, I decided that none of them
> > were quite right. It was just too hard and made no sense to me that no
> > one had thought about this before. So with luck I ran across this
> > page!!!!!!!
> >
> > http://www.go2linux.org/sudoers-how-to
> >
> > To make it short sudo can limit based on person, terminal or command!
> >
> > --
> > Douglas E Knapp
> >
>
> How exactly did you do it? I don't see from that page how you can
> restrict ssh user to use sudo.
>
> / Jonas
>
First, I solved how it CAN be done but not how to do it.
I bet after you read the man page your head exploded! My god, what made them
think that was a good intro? I read it and because of that they are letting
me into Harvard.
The simple answer is that it lets you restrict what terminal they work from
or in other words you can limit it by IP. Thus I think, but have not proven
to myself, that you can set it to limit the use of the SUDO command to
localhost. Is there a master out there that can give the exact line??
My guess. (my guess sucks.)
ALL localhost(any) ALL # this meaning that anyone on local host signed in as
anyone can use all commands.
While looking for the right answer I found this. sudo can be set to insult
you. LOL. This is not a joke!
*badpass_message*
Message that is displayed if a user enters an incorrect password. The
default is Sorry, try again. unless insults are enabled.
*insults*
If set, *sudo* will insult users when they enter an incorrect password. This
flag is *off* by default.
AND IT CAN LECTURE YOUR USERS TOO!! GOOD FOR THE KIDS.
*lecture*
This option controls when a short lecture will be printed along with the
password prompt. It has the following possible values:
*always*
Always lecture the user.
*never*
Never lecture the user.
*once*
Only lecture the user the first time they run *sudo*.
If no value is specified, a value of *once* is implied. Negating the option
results in a value of *never* being used. The default value is *on*.
*lecture_file*
Path to a file containing an alternate *sudo* lecture that will be used in
place of the standard lecture if the named file exists. By default,
*sudo* uses a built-in lecture.
PERHAPS THESE WILL HELP?
FILES
*/etc/sudoers List of who can run what*
*/etc/group Local groups file*
*/etc/netgroup List of network groups*
AND THIS IS IMPORTANT!
CAVEATS
The *sudoers* file should *always* be edited by the *visudo* command which
locks the file and does grammatical checking. It is imperative that
*sudoers* be free of syntax errors since *sudo* will not run with a
syntactically incorrect *sudoers* file.
When using netgroups of machines (as opposed to users), if you store fully
qualified hostnames in the netgroup (as is usually the case), you either
need to have the machine's hostname be fully qualified as returned by the
hostname command or use the *fqdn* option in *sudoers*.
BTW fqdn means *fully qualified domain name*. (had to look that one up, great
man page.)
My file with insults and lectures turned on but nothing useful yet. The
insults are not too good. Also to edit this file you MUST use "sudo visudo
/etc/sudoers". It stops you from being stupid and locking up sudo. Come to
think about it that could be really BAD!! maybe I should stop playing with
this!
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
# Defaults
Defaults lecture,tty_tickets,!fqdn,insults # note that ! turns things off.
# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
If anyone out there really knows what they are doing please let me know the
totally correct answer.
Maybe I was too swift in calling this solved.
--
Douglas E Knapp
http://sf-journey-creations.wikispot.org/Front_Page
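Added example (not from the thread or from sudo itself): a small matcher for the `user host=(runas) command` lines in the sudoers file above, run over a constructed sample that includes the guessed `localhost` rule. It shows what the Host field actually keys on: the name of the machine sudo is running on, as returned by `hostname`, not where the user logged in from, so an SSH session and a console login on the same box match the same rules. It also shows why the caveat about visudo matters: a line with bad syntax is rejected outright.

```python
"""Minimal matcher for sudoers user-specification lines of the form
`user host=(runas) [NOPASSWD:] command`. Added example, not sudo's own
code; it models only the subset of the grammar the thread's file uses
(ALL, %group, plain user names, comments, Defaults lines)."""
import re

# Constructed sample: the thread's /etc/sudoers plus the guessed localhost rule.
SAMPLE_SUDOERS = """
Defaults lecture,tty_tickets,!fqdn,insults  # ! turns an option off
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
ALL localhost=(ALL) ALL
"""

RULE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def parse_sudoers(text):
    """Parse user-spec lines; raise ValueError on anything visudo would reject."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"syntax error (visudo would reject this): {raw!r}")
        who, host, runas, tag, cmds = m.groups()
        rules.append({"who": who, "host": host, "runas": runas or "root",
                      "nopasswd": tag == "NOPASSWD",
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return rules

def _who_matches(spec, user, groups):
    if spec == "ALL":
        return True
    if spec.startswith("%"):                     # %name means a local group
        return spec[1:] in groups
    return spec == user

def may_run(rules, user, groups, hostname, command):
    """True if some rule lets `user` run `command` on the machine `hostname`.
    The Host field is compared with the local machine's hostname, never with
    the address or terminal the user connected from."""
    for r in rules:
        if not _who_matches(r["who"], user, groups):
            continue
        if r["host"] not in ("ALL", hostname):
            continue
        if "ALL" in r["cmds"] or command in r["cmds"]:
            return True
    return False
```

With the sample file, `guest` is allowed only when the machine's own hostname is literally `localhost`; on a host named anything else the rule never matches, regardless of whether the login came over SSH or the console.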
More information about the kubuntu-users mailing list