ssh and tty and sudoers file.

Knapp magick.crow at gmail.com
Tue Aug 19 05:22:28 UTC 2008


On Tue, Aug 19, 2008 at 1:28 AM, Brian McKee <brian.mckee at gmail.com> wrote:

> On Mon, Aug 18, 2008 at 5:09 PM, Knapp <magick.crow at gmail.com> wrote:
> > From sudoers man file.
> >
> > "
> >
> > requiretty
> >
> > If set, sudo will only run when the user is logged in to a real tty.
> {snip}
> > Does ssh log into a real tty??
> > If not then all we have to do to limit sudo use to the local keyboarder is
> > set this, right?
>
> ssh normally logs into a pty - see?
>
> > 29076 ?        S      0:00 sshd: brian@pts/0
> > 29078 pts/0    Rs     0:00  \_ -bash
> > 29101 pts/0    R+     0:00      \_ ps xfw
> > 29102 pts/0    S+     0:00      \_ less
>
> But, it can be overridden - see man ssh
> >   -t      Force pseudo-tty allocation.  This can be used to execute
> >           arbitrary screen-based programs on a remote machine, which can
> >           be very useful, e.g. when implementing menu services.
> >           Multiple -t options force tty allocation, even if ssh has no
> >           local tty.
>
> sshd (note the d) has a no-pty option, but I don't know how that works.
>
> I'm not an sudo expert - but it would seem more natural to me to
> restrict sudo by group membership rather than physical location.
> After all, if you trust them with access to sudo then you should trust
> them not to lose their ssh key...  Note also (and you may know this)
> that sudo can be very finely tuned so that it only runs certain
> programs etc etc.
>
> Lastly, I see from a google search that ssh can deny groups as well as users -
>
> http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html
> so why not put all the sudo people in a group and then deny that group thru
> ssh?
>
> Obviously, test whatever you set up.
>
> HTH
> Brian
>

The original idea was that if you get hacked somehow (weak keys come to
mind from that programming error) then the hacker is not allowed to use su
(turned off) or sudo (limited to localhost use only).

You could do what you say but that would make it so that if you needed sudo
you must sign out of your normal account and sign in as a sysop. Sudo was
made to avoid that in the first place.

-- 
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page
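The point of the thread is that requiretty only asks whether sudo has *some* terminal, and an ssh session that asks for a pty (ssh -t) has one. The script below is an added illustration, not code from the thread or from sudo; it mirrors that decision for constructed session descriptions using Linux-style device names (tty1 for the console, pts/0 for a pseudo-terminal), which are assumptions of the example.

```shell
#!/bin/sh
# Added example: how sudo's requiretty "sees" three kinds of login.
# Device names below are constructed for illustration.

# tty_kind DEVICE -> prints console | pty | none
# A physical console shows up as /dev/ttyN (or a serial line, /dev/ttySN);
# ssh -t, xterm and screen hand the shell a pseudo-terminal under /dev/pts/.
tty_kind() {
    case "$1" in
        /dev/tty[0-9]*|/dev/ttyS[0-9]*|/dev/console) echo console ;;
        /dev/pts/[0-9]*)                              echo pty ;;
        *)                                            echo none ;;
    esac
}

# requiretty_allows DEVICE -> exit 0 if a requiretty sudo would proceed.
# requiretty does not distinguish a console from a pty; it only refuses
# when there is no terminal at all (e.g. `ssh host sudo cmd` without -t).
requiretty_allows() {
    [ "$(tty_kind "$1")" != none ]
}

# session_device LOGIN -> the device such a session typically gets.
# LOGIN is one of: console | ssh | ssh-t  (labels made up for this example)
session_device() {
    case "$1" in
        console) echo /dev/tty1 ;;   # local keyboard login
        ssh-t)   echo /dev/pts/0 ;;  # ssh -t forces pty allocation
        ssh)     echo "" ;;          # plain `ssh host command`: no tty
        *)       echo "" ;;
    esac
}

# report LOGIN -> "LOGIN: allowed" or "LOGIN: refused"
report() {
    dev=$(session_device "$1")
    if requiretty_allows "$dev"; then echo "$1: allowed"; else echo "$1: refused"; fi
}

# When run directly, print the comparison table.
if [ "${0##*/}" = "requiretty_demo.sh" ]; then
    for login in console ssh ssh-t; do report "$login"; done
fi
```

Because the remote ssh -t case is allowed, requiretty does not restrict sudo to the local keyboard; it only blocks non-interactive invocations, which is why the advice in the thread moves toward sshd-side and group-based restrictions instead.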