0

I have a small web-facing server on my home network. It is headless, and the only way to log in is to ssh with pubkey authentication from within the local network.

I wanted to turn on a 2FA authentication PAM module for anybody attempting to log in as root. I have disabled root login via ssh, and sudo is not installed, so the only way to perform root actions is to log in as root. My question is, is it sufficient to only enable the 2FA module in /etc/pam.d/su? Could an unprivileged user trigger a root login over ssh without using su?

user3734989
  • 1
  • What exactly is your threat model? Two-Factor Authentication for a server that is in your home seems a bit like overkill to me. –  Jun 27 '19 at 11:19
  • Threat model is a remote attacker who managed to get shell access as an http worker via some vulnerability in the publicly facing web app. Root password is intentionally weak so that anyone in the house can remember it and easily perform system maintenance after getting set up for 2FA. – user3734989 Jun 27 '19 at 15:03

0 Answers0