On Thu, 14 Jul 2022 11:54:46 +0200, J. Roeleveld wrote:

> For security reasons, I do not want direct login to root under any
> circumstances. This is disabled on all systems and will stay this way.
>
> Currently, to login as root, you need to know:
> - admin user account name
> - admin user account password
> - root user account password
>
> I do not want to reduce this to a single ssh-key-passphrase.

Is this user only used as a gateway to root access, or can you set up such a user? If so you could use key-based authentication for that user, with a passphrase, and add command="/bin/su --login" to the authorized_keys line. That way you still need three pieces of information, replacing the user's password with the user's key passphrase.

-- 
Neil Bothwick

30 minutes of begging is not considered foreplay.
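
An added example, not part of the original message: a Python check that every key in the gateway user's authorized_keys carries the forced command from the reply. The names `audit` and `SAMPLE` and the key material are constructed placeholders; the extra check for `restrict` or `no-port-forwarding` is an assumption added here, since a forced command by itself does not stop a client from requesting forwarding.

```python
import re

FORCED = "/bin/su --login"  # forced command proposed in the reply above
KEYTYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")  # start of a key-type field

def _split(text, sep):
    """Split on sep characters that are outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in sep and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return parts + [cur]

def audit(authorized_keys):
    """Return (line_number, problem) for each key line that weakens the gateway."""
    findings = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = _split(line, " \t")[0]
        opts = {}
        if not KEYTYPE.match(first):          # first field is the options list
            for item in _split(first, ","):
                name, _, value = item.partition("=")
                opts[name.lower()] = value.strip('"')
        if opts.get("command") != FORCED:
            findings.append((n, "key is not forced to run " + FORCED))
        if "restrict" not in opts and "no-port-forwarding" not in opts:
            findings.append((n, "port forwarding not disabled for this key"))
    return findings

# Constructed sample file; key material is a placeholder, not a real key.
# "pty" re-enables the terminal that "restrict" turns off (assumed needed by su).
SAMPLE = '''# gateway user
restrict,pty,command="/bin/su --login" ssh-ed25519 AAAAPLACEHOLDER1 admin@laptop
command="/bin/su --login" ssh-ed25519 AAAAPLACEHOLDER2 admin@desk
ssh-rsa AAAAPLACEHOLDER3 forgotten@old-host
'''

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE):
        print(f"line {lineno}: {problem}")
```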