On Fri, Oct 22, 2010 at 10:52 PM, Jay K <jay.kr...@cornell.edu> wrote:
> Tomas, I don't understand.
> If I chroot then I can't do much at all right?
> Unless I replicate/link like the entire system, minus login.

You said that you want to limit them, not I.

>
> su/wheel group/sudo doesn't prevent simple running of login and typing the
> root password, right?

Just test it. If your user is not in wheel then he can use login and
enter the root password, but even when he knows that password login will
not enter a root shell as he is not in wheel; but if you know the root
password then you don't need to play those games and you can destroy
something directly ;-)

>
> Am I missing something?
> Maybe that ssh-only access to myself is good enough?
> Once I am me on the machine, there's no need for an obstacle to be root?
> And then su from there to root?
> I don't need to ssh as root?

What do you want with that machine and who will use that? It's your
first problem which you must solve.


>
> But if I allow others to ssh in, and don't limit them with chroot,
> then a password is needed. They won't be able to su/sudo, but they can
> still login.
> Right? So I'm back to the earlier point.
>
> Thanks,
> - Jay
>
> ----------------------------------------
>> Date: Fri, 22 Oct 2010 13:11:44 +0300
>> Subject: Re: password-less console-only access and ssh remote access?
>> From: tomas.bod...@gmail.com
>> To: jay.kr...@cornell.edu
>> CC: bret.lamb...@gmail.com; misc@openbsd.org
>>
>> On Fri, Oct 22, 2010 at 1:01 PM, Jay K wrote:
>> >> You can get almost the same thing by setting "PasswordAuthentication" to
>> >> "no" in your sshd_config file, and hand out empty or ridiculously simple
>> >> passwords for the console (honestly, who would forget "yermomsawhore" as a
>> >> password?).
>> >
>> >
>> > How do I limit their use to the console?
>> >
>> > If say I ssh in as non-root and then login root?
>>
>> You can chroot those logins, and why do they need root? You don't need to
>> allow use of su for them, they don't need to be in the wheel group and you
>> can set in sudo only 'must need' apps for them.
>>
>> >
>> > ssh surely isn't the sole gatekeeper for login?
>> >
>> > (Granted, I am NOT running ftpd or telnetd; though
>> >
>> > at some point I'd like smbd/nfsd, hopefully
>> >
>> > both secure and convenient, hopefully using ssh somehow...).
>> >
>> >
>> >
>> > Thanks,
>> >
>> > - Jay
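
The two controls the thread keeps returning to are "PasswordAuthentication no" in sshd_config and wheel-group membership for su. The following is an added example, not code from the thread or from OpenBSD: a small POSIX sh script that checks both against constructed inputs (an sshd_config fragment and a group(5) line made up for the example, not read from /etc). It assumes the sshd_config rules that the first value of a keyword wins and that PasswordAuthentication defaults to "yes" when the line is absent or commented out; directives inside a Match block are skipped because they only apply to the matched users. The wheel check only looks at the member list of the group line, not at a user's primary gid.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two settings discussed above
# on constructed inputs so the check runs offline without touching /etc.

# Effective PasswordAuthentication for the global section of an sshd_config.
# sshd uses the first value it reads, and the keyword defaults to "yes" when
# absent, so a config whose only line is commented out still allows password
# logins. Lines after a Match keyword are skipped (they are not global).
# Prints "yes" or "no".
password_auth_enabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                 # skip comments
        tolower($1) == "match" { in_match = 1 }   # global section ends here
        in_match { next }
        tolower($1) == "passwordauthentication" && !done { print tolower($2); done = 1 }
        END { if (!done) print "yes" }'
}

# Whether USER is listed in a group(5) entry "name:passwd:gid:member,member".
# Returns 0 (true) when listed, 1 otherwise.
in_group() {
    user=$1
    line=$2
    members=${line##*:}
    case ",$members," in
        *",$user,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (not real configs).
WEAK_CONFIG='Port 22
# PasswordAuthentication defaults to yes when commented out
#PasswordAuthentication no
PermitRootLogin no'

HARDENED_CONFIG='Port 22
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes'

WHEEL_LINE='wheel:*:0:root,jay'

report() {
    printf 'weak config -> password auth: %s\n' "$(password_auth_enabled "$WEAK_CONFIG")"
    printf 'hardened config -> password auth: %s\n' "$(password_auth_enabled "$HARDENED_CONFIG")"
    for u in jay guest; do
        if in_group "$u" "$WHEEL_LINE"; then
            printf '%s is in wheel: su to root works with the root password\n' "$u"
        else
            printf '%s is not in wheel: su to root is refused even with the root password\n' "$u"
        fi
    done
}

report
```

Run it as-is to see the two reports side by side; to check a live host, pass the contents of /etc/ssh/sshd_config and the wheel line from /etc/group to the two functions instead of the constructed strings. The weak config reports "yes" even though it contains a commented-out "no", which is the case the thread's advice is meant to close.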
