su: blacklist users
Matthew Carpenter
matt
Wed May 31 23:50:13 PDT 2006
On Thursday 25 May 2006 17:37, David Bandel wrote:
> On 5/25/06, A. Khattri <ajai at bway.net> wrote:
> > On Thu, 25 May 2006, Man-wai CHANG wrote:
> > > Is there a way to deny specified users from calling su?
> >
> > Yeah, don't ever give out su to anyone - tell them to use sudo.
>
> Too bad that's not always practical. I don't have any clients that
> prohibit ssh as root, but I have heard of many that do. In that case,
> a remote administrator has no choice.

I'd rather a sudo config which allows complete root access. This at least
gives logging of sorts. If a user chooses to sudo su or sudo bash, they
simply take responsibility for everything that goes wrong on that box during
their session.

> Better, as in my case, I give my clients my public key and I explain
> to them how to install it. I then ssh in as root without needing to
> ever know the password. That could also work on a local box. Those
> worried about the ssh exploits (mostly dictionary attacks) can use
> iptables to restrict the IP from whence these folks can connect, so
> the attacks coming from Italy and Rumania would just hit a brick wall.
> But good passwords work just as well.

Good point.