# Disable sudo over ssh

## Madame_pupu

I'm setting up sshd for remote access, and I've already added "PermitRootLogin no" to my /etc/sshd.config. But I also want to disable sudo for users who log in via ssh (I'd rather administer my system locally, but I still want to be able to log in remotely). I guess I could use PAM to configure this, but I haven't figured out exactly how. Any ideas?

----------

## Dlareh

Sudo should just be configured on a per-user basis.  There's no reason users who can run sudo locally shouldn't be able to do so from ssh.

----------

## Madame_pupu

*Dlareh wrote:*

> Sudo should just be configured on a per-user basis. There's no reason users who can run sudo locally shouldn't be able to do so from ssh.

Ok, let me clarify the reasons I want to do this:

* I need to be able to access my account remotely, and all the information in my home directory.
* I don't want anyone who logs in remotely to have root access. Root tasks should be performed locally. The only way they can gain root is by breaking into my house.
* I want to use su/sudo locally, since I don't want to log in separately every time I have to touch config files, restart services, etc.

As you see, there are many reasons for my request. Maybe there is a simpler option, but the only one that comes to my mind is to create another user outside the wheel group but with the same home directory, and log in remotely with that user. I feel that's a bit hackish though, and was wondering if there is a better way.

----------

## Dlareh

*Madame_pupu wrote:*

> * I need to be able to access my account remotely, and all the information in my home directory.
> * I don't want anyone who logs in remotely to have root access. Root tasks should be performed locally. The only way they can gain root is by breaking into my house.

In many ways ssh access is easier to secure than physical access.

Once an unprivileged user is logged in, both ssh AND physical console are considered to be 'local' in security parlance, and there is really no meaningful distinction between one type of connection or the other su(do)ing to root.

*Madame_pupu wrote:*

> As you see, there are many reasons for my request. Maybe there is a simpler option, but the only one that comes to my mind is to create another user outside the wheel group but with the same home directory, and log in remotely with that user. I feel that's a bit hackish though, and was wondering if there is a better way.

That may be a good way to do it, if you insist, though I don't think you're accomplishing anything useful.  You can have two different usernames with the same UID and home directory, no problem.

----------

## Madame_pupu

*Dlareh wrote:*

> In many ways ssh access is easier to secure than physical access.

As far as I am concerned, it isn't. The only things preventing anyone from logging in are my DSA private key (which could be stolen by the administrator of the system I'm logging in from, for example), and my password (which could be obtained by a keylogger). Since the system I'm logging in from is not under my control, those two things could happen (or at least, I have no way to prevent it). So, I want to limit the scope of a possible intrusion to just my user account.

And even then, if someone obtained this information, they would be just a step (cracking the password) away from root. Let's imagine for a moment that su/sudo don't exist: using "PermitRootLogin no" I'm effectively denying anyone who logs in from outside access to the root account. Then, why is it that if I use such a simple utility (which isn't much more than a shortcut to a regular log-in), I lose this ability? I think it's a shortcoming rather than a feature.

*Dlareh wrote:*

> Once an unprivileged user is logged in, both ssh AND physical console are considered to be 'local' in security parlance, and there is really no meaningful distinction between one type of connection or the other su(do)ing to root.

The similarity is what makes what I'm trying to do difficult (i.e. how the system differentiates between one and another), but they are really two different situations.

----------

## gnuageux

*Quote:*

> The similarity is what makes what I'm trying to do difficult (i.e. how the system differentiates between one and another), but they are really two different situations.

They're different to you, sure. I don't know how the host deals with them in this capacity. Maybe you should check into SELinux?

----------

## jamapii

*Madame_pupu wrote:*

> Maybe there is a simpler option, but the only one that comes to my mind is to create another user outside the wheel group but with the same home directory, and log in remotely with that user. I feel that's a bit hackish though, and was wondering if there is a better way.

I also think this is the only way. A possible modification would be to keep your normal user (the one you do your usual work as) outside the wheel group and allow ssh access to it, and create an additional user for local access to root without ssh access. If these two must share data, add them to a common group and make all the shared files "chmod g+rw ..." and owned by that group.

You can even enable sudo access to selected commands/scripts for the ssh-enabled user(s).
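An added example, not from the thread or any of its posters, of how the layout suggested above can be staged for review before it is applied: an ssh-only unprivileged account, a console-only wheel account and a shared group-writable directory. The names alice, alice-adm and alice-shared, the nginx restart command, an OpenSSH that reads `Include /etc/ssh/sshd_config.d/*.conf`, and a sudo that reads `/etc/sudoers.d` are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: stages the two-account layout into a
# staging root instead of the live system, so the fragments can be reviewed
# (and syntax-checked) before being copied into /etc as root.
# Account and group names, the nginx command and the sshd_config.d drop-in
# directory are assumptions for illustration.
set -eu

SSH_USER=alice            # assumption: the account allowed to log in over ssh
ADMIN_USER=alice-adm      # assumption: wheel member, physical console only
SHARED_GROUP=alice-shared # assumption: group both accounts belong to

# Write the sshd and sudoers fragments under the staging root given as $1.
stage_configs() {
    root="$1"
    mkdir -p "$root/etc/ssh/sshd_config.d" "$root/etc/sudoers.d"

    # Only the unprivileged account may authenticate over ssh, so the wheel
    # member (and root) can only appear at the console.
    cat > "$root/etc/ssh/sshd_config.d/10-local-admin.conf" <<EOF
PermitRootLogin no
AllowUsers $SSH_USER
# $ADMIN_USER is deliberately absent: console logins only
EOF

    # The ssh account gets sudo for a fixed command list only, which is the
    # "sudo access to selected commands/scripts" suggested above.
    cat > "$root/etc/sudoers.d/10-$SSH_USER" <<EOF
$SSH_USER ALL=(root) /usr/bin/systemctl restart nginx.service
EOF
    chmod 0440 "$root/etc/sudoers.d/10-$SSH_USER"
}

# Create the shared directory at $1: setgid so new files inherit the group,
# group rw so both accounts can edit them, no access for anyone else.
stage_shared_dir() {
    mkdir -p "$1"
    chmod 2770 "$1"
    # chgrp can only succeed once the group exists on the real system
    chgrp "$SHARED_GROUP" "$1" 2>/dev/null || true
}

# Syntax-check a staged sudoers fragment before it is installed.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found, skipping syntax check of $1" >&2
    fi
}
```

Run `stage_configs /tmp/stage && check_sudoers /tmp/stage/etc/sudoers.d/10-alice`, then copy the fragments into place as root and reload sshd; note that `visudo -c` also complains if the installed file is not owned by root with mode 0440.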

----------

## luisfelipe

Can't you write a wrapper for sudo that tests if your user is logged in from an ssh shell, and does nothing if that is the case?

There is a very stupid but simple way of doing that: just grepping 'ps aux' and searching whether the current user is logged in through ssh (which doesn't exactly mean that it's the ssh login that's running the sudo command).

----------

## Dlareh

But then any user could just bypass the wrapper and get to the real sudo binary...

Using your method, all Madame_pupu would accomplish is going through a lot of trouble just to get a false sense of extra security.

----------

## Taladar

You could modify the sudo source to add this functionality. That way there is no wrapper that can be bypassed.

----------

## milosz

I've just installed sudo, and I've found a file, /etc/sudoers.

I think you may find a solution for your problem in

man sudoers

Search for Host_List,

then use the visudo command.

I don't know if this is what you want. I've just found this file and I have no time to study it right now.

Hope this will help.

----------

## gnuageux

Just now discovering sudo? You have much to learn, young padawan.

----------

## Madame_pupu

milosz: No, that doesn't work. If you log in using ssh, the hostname seen by sudo is that of the computer you're logging into. Thanks anyway.

----------

