0

Basically, I'm running a Mac Mini as a server, and I'm trying to close some security holes. My server has 3 users: admin, git, and server. Each user has public key authentication enabled, while only git has password authentication enabled. However, once a user is logged in as any account, they can use su to log in as other users with password authentication.

What I'd like to do is disable the su command for users logged via ssh as git or server, so that a potential black hat cannot access the other users' files by logging in as them with a password. If this cannot be done specifically for ssh connections, disabling the command for those two accounts altogether would be fine. However, I do want to be able to use su as admin, so disabling the command altogether is not an option.

I basically want the ONLY way you could access admin via ssh to be with a valid public key only collected from sysadmins, and disable access for users who have keys for git or server and then the user password for admin.

Is this at all possible? How would I go about doing it?

Next-Door Tech
  • 101
  • 3
  • 1
    Did those users get into the wheel group? Who put them in there? – Michael Hampton Aug 03 '18 at 16:05
  • @MichaelHampton As far as I can tell, using `id` and `groups`, none of my three users are a part of the wheel group. Possibly a quirk of macOS? – Next-Door Tech Aug 03 '18 at 17:10
  • I reread your question. It seems like you aren't trying to prevent `su` to root, but to other user accounts? If that is the case, then change passwords. – Michael Hampton Aug 03 '18 at 17:17
  • @MichaelHampton Yes that's right. I should add that I'm doing this preventatively for a potential incident, not in response to cracked passwords. The root account is disabled on my mac, and I don't intend to enable it unless I need to. I've added another paragraph (3) to my question to be more specific. – Next-Door Tech Aug 03 '18 at 17:31
  • Why do these accounts need passwords at all, then? Make everyone log in exclusively with ssh keys. – Michael Hampton Aug 03 '18 at 19:10
  • @MichaelHampton That's the plan, however; once logged in as any user they could `su` to admin with a password prompt without having the correct private key - it's `su` I want to disable – Next-Door Tech Aug 03 '18 at 22:00
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/81136/discussion-between-cancun101-and-michael-hampton). – Next-Door Tech Aug 03 '18 at 22:05
  • Looks like [this pam answer](https://superuser.com/questions/375737/how-can-i-block-su-access-to-some-users-only-in-linux) will help. [pam_listfile](https://linux.die.net/man/8/pam_listfile) has a `sense=deny` for a blacklist approach too. Recommend using gitolite to offer a git service rather than more access than you trust your users with. – danblack Aug 19 '18 at 03:15

0 Answers0