ssh and tty and sudoers file.
Brian McKee
brian.mckee at gmail.com
Mon Aug 18 23:28:04 UTC 2008
On Mon, Aug 18, 2008 at 5:09 PM, Knapp <magick.crow at gmail.com> wrote:
> From sudoers man file.
>
> "
>
> requiretty
>
> If set, sudo will only run when the user is logged in to a real tty.
{snip}
> Does ssh log into a real tty??
> If not then all we have to do to limit sudo use to the local keyboarder is
> set this, right?
ssh normally logs into a pty - see?
> 29076 ? S 0:00 sshd: brian at pts/0
> 29078 pts/0 Rs 0:00 \_ -bash
> 29101 pts/0 R+ 0:00 \_ ps xfw
> 29102 pts/0 S+ 0:00 \_ less
But, it can be overridden - see man ssh
> -t Force pseudo-tty allocation. This can be used to execute arbitrary screen-based
> programs on a remote
> machine, which can be very useful, e.g. when implementing menu services.
> Multiple -t options force tty
> allocation, even if ssh has no local tty.
sshd (note the d) has a no-pty option, but I don't know how that works.
I'm not a sudo expert - but it would seem more natural to me to
restrict sudo by group membership rather than physical location.
After all, if you trust them with access to sudo then you should trust
them not to lose their ssh key... Note also (and you may know this)
that sudo can be very finely tuned so that it only runs certain
programs etc etc.
Lastly I see from a google search that ssh can deny groups as well as users -
http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html
so why not put all the sudo people in a group and then deny that group through ssh?
Obviously, test whatever you set up.
HTH
Brian
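The following is an added example, not part of Brian's reply or the rest of this thread. It simulates the three controls the message discusses as small shell checks: whether a sudoers text sets `Defaults requiretty`, whether the current session has a terminal (the question requiretty asks; it also shows why an `ssh -t` session passes it), whether a group is listed on an sshd `DenyGroups` line, and whether a group has a `%group` rule in sudoers. The sudoers and sshd_config fragments are constructed samples with made-up group names (admin, staff, deploy); `Defaults requiretty`, `DenyGroups` and the `%group` rule syntax are the real keywords, but the parsing here is deliberately simplified and is not sudo's or sshd's own logic.

```shell
#!/bin/sh
# Added example, not from the original thread: a simulation of the sudo
# requiretty / sshd DenyGroups / sudoers group-rule interplay.
# Both config texts below are constructed samples; group names are made up.

SAMPLE_SUDOERS='# constructed sudoers fragment
Defaults requiretty
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%staff  ALL=(ALL) /usr/bin/apt-get'

SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
PermitRootLogin no
DenyGroups admin
AllowUsers deploy brian'

# Return 0 if the sudoers text has a Defaults line mentioning requiretty.
# (Simplified: a real parser would split the comma-separated option list.)
requiretty_enabled() {
    printf '%s\n' "$SAMPLE_SUDOERS" \
        | grep -Eq '^[[:space:]]*Defaults[[:space:]].*requiretty'
}

# Return 0 if stdin is a terminal. This is the question requiretty asks of
# a session (sudo inspects the process's controlling tty; fd 0 is a stand-in
# here). A pipe or /dev/null is not a terminal, but an "ssh -t" session has
# a pseudo-terminal and therefore passes this check.
session_has_tty() {
    [ -t 0 ]
}

# Return 0 if GROUP ($1) appears on a DenyGroups line of the sshd_config text.
ssh_group_denied() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | awk -v g="$1" '
        tolower($1) == "denygroups" {
            for (i = 2; i <= NF; i++) if ($i == g) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if GROUP ($1) has a %group rule in the sudoers text.
sudo_group_allowed() {
    printf '%s\n' "$SAMPLE_SUDOERS" | grep -Eq "^%$1[[:space:]]"
}

# Combine the checks: can a member of GROUP ($1) reach sudo over ssh under
# this policy? Prints the reasoning and returns 0 for "yes", 1 for "no".
sudo_over_ssh_possible() {
    if ssh_group_denied "$1"; then
        echo "no: group $1 is in DenyGroups, so it cannot log in over ssh"
        return 1
    fi
    if ! sudo_group_allowed "$1"; then
        echo "no: group $1 has no sudoers rule"
        return 1
    fi
    if requiretty_enabled; then
        echo "yes: requiretty only rejects sessions without a pty, and ssh -t allocates one"
    else
        echo "yes"
    fi
    return 0
}

# Demo when run directly: admin is blocked at the ssh layer, staff gets
# through (requiretty does not stop an ssh -t session), deploy has no rule.
sudo_over_ssh_possible admin
sudo_over_ssh_possible staff
sudo_over_ssh_possible deploy
```

The point the combined check makes is the one the thread reaches: `requiretty` distinguishes sessions with a pty from those without, not local from remote, so the effective way to keep a group off sudo-over-ssh is `DenyGroups` in sshd_config together with group-scoped sudoers rules.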