One way is the wheel group in /etc/group.
Uncomment the following line in /etc/pam.d/su:
    auth required /lib/security/$ISA/pam_wheel.so use_uid
Uncommenting this line allows only the users in the wheel group to become root by using the su command and entering the root password. All other users will receive a message stating the password is incorrect.
You will also want to create the wheel group in /etc/group and add users to it if it does not exist (CentOS 4, I know, does, but some older Red Hat implementations did not, if I recall correctly).
I am unsure of how this interacts with sudo, though. If you allow users to use the sudo command, make sure they cannot 'sudo su root'.
-Greg
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of M. Fioretti
Sent: Wednesday, June 14, 2006 11:57 AM
To: centos@centos.org
Subject: [CentOS] How to create a secure user only for ssh login?
Hello,
I've read on several howtos that one way to make ssh more secure, or at least reduce the damage if somebody breaks in, is to NOT allow direct ssh login from root, but allow logins from another user. So you have to know two passwords in order to do any real damage.
Does this make sense? If yes, what is the right way to create a user only for this purpose, that is, one that can only log in to give me a local prompt to become root, but has no privilege, no possibility to create files, or do anything at all?
TIA, Marco
--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/
Don't you wish you had more energy... or less ambition?
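
Added example, not part of the original thread: a read-only shell check for the setup described in the reply at the top, confirming that the pam_wheel line in the su PAM file is really uncommented and listing who is in wheel. The sample files and the user name alice are constructed; on a real host, pass /etc/pam.d/su and /etc/group to audit_su.

```shell
#!/bin/sh
# Added example: audit whether su is limited to the wheel group.

# Succeeds if FILE has an active (uncommented) "auth required ...pam_wheel.so" line.
# A commented line has "#" or "#auth" as its first field, so it never matches.
pam_wheel_active() {
    awk '$1 == "auth" && $2 == "required" && $3 ~ /pam_wheel\.so$/ { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Prints the member list (field 4) of the wheel entry in FILE; fails if no entry.
# Field 4 only lists supplementary members, not users whose primary group is wheel.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4; found = 1 }
             END { exit (found ? 0 : 1) }' "$1"
}

# audit_su PAMFILE GROUPFILE -> one-line verdict on stdout.
audit_su() {
    if ! pam_wheel_active "$1"; then
        echo "UNRESTRICTED: pam_wheel line missing or commented out"
        return 0
    fi
    if ! members=$(wheel_members "$2"); then
        echo "CHECK: pam_wheel enabled but no wheel group in group file"
        return 0
    fi
    if [ -z "$members" ]; then
        echo "CHECK: pam_wheel enabled but wheel lists no members"
    else
        echo "RESTRICTED: wheel members allowed to su: $members"
    fi
}

# Constructed sample files standing in for /etc/pam.d/su and /etc/group.
demo=$(mktemp -d)
printf '%s\n' '#auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$demo/su.default"
printf '%s\n' 'auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$demo/su.hardened"
printf '%s\n' 'root:x:0:root' 'wheel:x:10:root,alice' > "$demo/group"

audit_su "$demo/su.default"  "$demo/group"
audit_su "$demo/su.hardened" "$demo/group"
rm -rf "$demo"
```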