[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: make bash use authentication type?
|
From: |
Paul Jarc |
|
Subject: |
Re: make bash use authentication type? |
|
Date: |
Thu, 07 Sep 2006 11:58:21 -0400 |
|
User-agent: |
Gnus/5.110003 (No Gnus v0.3) Emacs/21.4 (gnu/linux) |
Jaqui Greenlees <jaqui_greenlees@yahoo.ca> wrote:
> In a recet discussion about ssh, the ida was put forth
> to get opnssh to export a variable that defines the
> authentication method used. The idea being to limit
> access to su use to only those authenticating through
> a public / privat key pairing.
>
> is there any way currently to configure bash to use
> this and limit access to su if the authentication is
> not through th ky pair, without hurting the
> transparency of normal ssh access?
The shell isn't the right place to enforce access control. The user
could simply run su via a different shell, or the env command, etc.
Access control for su should be implemendted in su itself.
Also, it's easy to circumvent this access control if it's in an
environment variable; users can change the environment of their own
processes.
You could have sshd run the user's session with an extra supplementary
group ID, depending on the authentication method. Then you could make
su executable by only that group. You wouldn't have to make any
coding changes outside of sshd.
paul