I need to configure my /etc/sudoers file to ask for a password when running anything except /etc/init.d/ssh.
At the moment I have:
Defaults env_reset, env_keep = DISPLAY
Cmnd_Alias SSH = /etc/init.d/ssh
root ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
How would I configure to allow everything else to require a password?
Thanks.
james ALL = (ALL) ALL
That still asks for a password on /etc/init.d/ssh.
EDIT:
Actually, I can't prove that yet. It still remembers my password and I need it to timeout. I think that's what I had before and it always required a password, although the command alias for SSH wasn't at the top before. I'll see.
You added it as a separate line? What's sudo -l say?
sudo -k clears the timeout.
Why do you need to be root to run ssh and why is your ssh in /etc/init.d?
I replaced the line I already had with yours. Is that right?
sudo -l said:
User james may run the following commands on this host:
(ALL) ALL
You need to be root to start the SSH server. The startup script for the SSH server is in /etc/init.d because that is where it goes. To be honest, I don't entirely know why. I think it is so that init knows to run it.
EDIT:
sudo -V said:
Sudo version 1.6.8p12
Can't you just tell it to startup via init instead? As all daemons should be?
It does start via init. I guess I should have explained:
Occasionally I need to SSH to my computer. Also, I like to turn off the server after I have used it. But if I do that through SSH I can't get back in, so I have set up a filter in KMail. Whenever I receive an email with some special information in it, it runs sudo /etc/init.d/ssh start, then I can ssh in. Once I'm done, I send myself another email with some different data in it and it stops the server.
Ah! It's called sshd on my system.
Anyway, I'm not sure allowing normal users to start or stop sshd like that is a good idea, security-wise. I understand what you're trying to do, but can't you send an e-mail to the root user instead? Even then, I'm not sure it's such a good idea.
Root is never logged on, so would not receive the message.
Why is it not a good idea? I am the only person who uses the computer. If I find that it won't connect, I can start it, if I find it has been started by somebody then it is no different to leaving it on all the time.
EDIT:
Yeah, the executable is called sshd on mine too. I just prefer to use /etc/init.d/ssh to start and stop it (I don't know why).
I just prefer to use /etc/init.d/ssh to start and stop it (I don't know why).
Because it's the init script, and it won't be shut down properly (automatically) if you don't.
To be honest, I don't entirely know why. I think it is so that init knows to run it.
Convention; sshd can be run without using that script, but you can't have it start automatically without it.
Occasionally I need to SSH to my computer. Also, I like to turn off the server after I have used it. But if I do that through SSH I can't get back in, so I have set up a filter in KMail. Whenever I receive an email with some special information in it, it runs sudo /etc/init.d/ssh start, then I can ssh in. Once I'm done, I send myself another email with some different data in it and it stops the server.
I hope you know you don't actually gain any security from this. Think about it logically: if someone wanted to hack into your machine, they would no doubt be monitoring your internet traffic. The email with the "special information" is sent in clear, so it can easily be reproduced (unless you are using a 1-time key, which I know you aren't). Your SSH server itself is more secure than any email; why not just run it? If resources are a problem, run it using inetd.
Anyways, assuming you are doing it just for fun:
I replaced the line I already had with yours. Is that right?
No, you need to be able to access all commands, and additionally you need to be able to access ssh without a password. Stated in sudoers-ish:
james ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
Root is never logged on
So what? The message is still received by the system, you can respond to that (try man procmail, for instance).
Why is it not a good idea?
Because you're adding a possible vulnerability where there wasn't one before. If a normal user normally shouldn't be able to do something, then you should think twice before changing that.
I am the only person who uses the computer.
So why not let sshd run normally?
If I find that it won't connect, I can start it, if I find it has been started by somebody then it is no different to leaving it on all the time.
And if someone shuts it down while you're logged in?
Yeah, the executable is called sshd on mine too. I just prefer to use /etc/init.d/ssh to start and stop it (I don't know why).
That's what I meant. It's /etc/init.d/sshd on my machine.
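The reason the two lines above work in that order, and why James's earlier single line did not, is the sudoers evaluation rule: every entry that matches the user, host and command is considered, and the last match decides. The following added example (not code from the thread or from sudo itself) is a small model of that rule covering only the syntax used in the discussion: Cmnd_Alias, "user host = (runas) [NOPASSWD:] commands", and the last-match rule. It assumes the command is run as root and ignores Defaults lines; the host name "derek" is taken from the log posted later in the thread.

```python
"""Toy model of sudoers matching (added example, not from the thread or from sudo).
Supports Cmnd_Alias and 'user host = (runas) [NOPASSWD:] cmds'; assumes runas root."""
import re

ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>NOPASSWD:|PASSWD:)?\s*(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return the user specifications in file order, with aliases expanded."""
    aliases = {}
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue                      # Defaults are irrelevant to matching here
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        cmds = []
        for c in m.group("cmds").split(","):
            c = c.strip()
            cmds.extend(aliases.get(c, [c]))   # expand a Cmnd_Alias, else literal path
        entries.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "cmds": cmds,
            "nopasswd": m.group("tag") == "NOPASSWD:",
        })
    return entries

def resolve(entries, user, host, command):
    """Return (allowed, needs_password) for `user` running `command` as root on `host`.
    Every matching entry is applied in order, so the LAST match wins (sudoers(5))."""
    decision = None
    for e in entries:
        if e["user"] != user or e["host"] not in ("ALL", host):
            continue
        if "ALL" in e["cmds"] or command in e["cmds"]:
            decision = (True, not e["nopasswd"])
    return decision or (False, True)

# Configurations from the thread (the Defaults line is left out; it does not affect matching).
ORIGINAL = """Cmnd_Alias SSH = /etc/init.d/ssh
root ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
"""
FIRST_SUGGESTION = "james ALL = (ALL) ALL\n"
FINAL = """Cmnd_Alias SSH = /etc/init.d/ssh
root ALL = (ALL) ALL
james ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
"""
# Same two lines in the opposite order: the password-less entry is no longer the last match.
REVERSED = """Cmnd_Alias SSH = /etc/init.d/ssh
james ALL = NOPASSWD: SSH
james ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for label, conf in [("original", ORIGINAL), ("first suggestion", FIRST_SUGGESTION),
                        ("final", FINAL), ("reversed", REVERSED)]:
        ents = parse_sudoers(conf)
        for cmd in ("/etc/init.d/ssh", "/bin/ls"):
            print("%-16s %-16s allowed=%s password=%s"
                  % (label, cmd, *resolve(ents, "james", "derek", cmd)))
```

The model explains each step of the thread: James's original file lets him run only the init script; the first suggestion lets him run everything but always prompts; the final pair prompts for everything except the script; and swapping the two lines brings the prompt back for the script, because the general entry then becomes the last match. On a real system the check is `sudo -l` after editing with `visudo`.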
Ah! Thank you. That works. I realised I wasn't gaining much security, but it's fun and I could apply to anything else I need to start while I'm not at my computer.
Anyway, thanks.
EDIT:
Evert: OK. Sorry if I offended you.
OK. Sorry if I offended you.
Where did you get that idea from?
You just seemed angry, that's all.
I've always been bad at judging emotion when the person isn't actually there...
So what? The message is still received by the system, you can respond to that (try man procmail, for instance).
His system isn't running an SMTP server. KMail is receiving it from his POP account.
Because you're adding a possible vulnerability where there wasn't one before.
James: the only vulnerability is that now any person, user or not, can activate your ssh server. Not a serious problem, in this case.
Yeah, that's what I thought.
The only vulnerability might be if somebody knows how to get the SSH server to edit something that allows them to elevate privileges without passwords, but that's unlikely, and they'd probably need access to the computer.
The only vulnerability might be if somebody knows how to get the SSH server to edit something that allows them to elevate privileges without passwords, but that's unlikely, and they'd probably need access to the computer.
That's a bug in ssh, and there is nothing you can do about it. Take comfort in the fact that hacking basically any other server on the net would be more profitable.
Ha ha! OK. I wasn't going to worry about it. Nobody has ever tried to hack me before, anyway (AFAIK).
You just seemed angry, that's all.
How so?
Also, what reason could I possibly have for being angry?
The way you keep questioning everything I say. I don't know what I said that could have made you angry, but you seemed it. End of discussion.
The way you keep questioning everything I say. I don't know what I said that could have made you angry, but you seemed it.
A common mistake many people make when communicating online is incorrectly differentiating between being angry and being critical. Evert was just saying what he had to say without any emotion. Because that didn't agree with what you were saying, you assumed he was angry at you.
Arguments don't have to be angry, they can be fun!
End of discussion.
Hah!
Wait a minute...
You said it was more profitable to hack nearly any other SSH server. Look what I just found:
Jan 3 16:25:07 derek sshd[20552]: Failed password for invalid user staff from 61.232.12.74 port 47970 ssh2
Jan 3 16:25:12 derek sshd[20554]: Failed password for invalid user sales from 61.232.12.74 port 56057 ssh2
Jan 3 16:25:19 derek sshd[20556]: Failed password for invalid user recruit from 61.232.12.74 port 34721 ssh2
Jan 3 16:25:23 derek sshd[20560]: Failed password for invalid user alias from 61.232.12.74 port 47259 ssh2
Jan 3 16:25:29 derek sshd[20562]: Failed password for invalid user office from 61.232.12.74 port 54685 ssh2
Jan 3 16:25:34 derek sshd[20566]: Failed password for invalid user samba from 61.232.12.74 port 35611 ssh2
Jan 3 16:25:40 derek sshd[20568]: Failed password for invalid user tomcat from 61.232.12.74 port 43391 ssh2
Jan 3 16:25:44 derek sshd[20570]: Failed password for invalid user webadmin from 61.232.12.74 port 54398 ssh2
Jan 3 16:25:50 derek sshd[20574]: Failed password for invalid user spam from 61.232.12.74 port 34716 ssh2
Jan 3 16:25:55 derek sshd[20576]: Failed password for invalid user virus from 61.232.12.74 port 44590 ssh2
Jan 3 16:26:00 derek sshd[20578]: Failed password for invalid user cyrus from 61.232.12.74 port 53034 ssh2
Jan 3 16:26:05 derek sshd[20582]: Failed password for invalid user oracle from 61.232.12.74 port 33049 ssh2
Jan 3 16:26:10 derek sshd[20584]: Failed password for invalid user michael from 61.232.12.74 port 41657 ssh2
Jan 3 16:26:15 derek sshd[20586]: Failed password for invalid user ftp from 61.232.12.74 port 49626 ssh2
Jan 3 16:26:20 derek sshd[20588]: Failed password for invalid user test from 61.232.12.74 port 58287 ssh2
Jan 3 16:26:26 derek sshd[20590]: Failed password for invalid user webmaster from 61.232.12.74 port 38132 ssh2
Jan 3 16:26:31 derek sshd[20592]: Failed password for invalid user postmaster from 61.232.12.74 port 47055 ssh2
Jan 3 16:26:37 derek sshd[20594]: Failed password for invalid user postfix from 61.232.12.74 port 55739 ssh2
Jan 3 16:26:42 derek sshd[20598]: Failed password for invalid user postgres from 61.232.12.74 port 37382 ssh2
Jan 3 16:26:47 derek sshd[20600]: Failed password for invalid user paul from 61.232.12.74 port 45001 ssh2
Jan 3 16:26:51 derek sshd[20604]: Failed password for root from 61.232.12.74 port 53053 ssh2
Jan 3 16:26:57 derek sshd[20608]: Failed password for invalid user guest from 61.232.12.74 port 33028 ssh2
Jan 3 16:27:02 derek sshd[20610]: Failed password for invalid user admin from 61.232.12.74 port 42385 ssh2
Jan 3 16:27:09 derek sshd[20612]: Failed password for invalid user linux from 61.232.12.74 port 51860 ssh2
Jan 3 16:27:14 derek sshd[20614]: Failed password for invalid user user from 61.232.12.74 port 34882 ssh2
Jan 3 16:27:19 derek sshd[20616]: Failed password for invalid user david from 61.232.12.74 port 43296 ssh2
Jan 3 16:27:25 derek sshd[20618]: Failed password for invalid user web from 61.232.12.74 port 52584 ssh2
Jan 3 16:27:30 derek sshd[20622]: Failed password for invalid user apache from 61.232.12.74 port 33583 ssh2
Jan 3 16:27:35 derek sshd[20626]: Failed password for invalid user pgsql from 61.232.12.74 port 42544 ssh2
Jan 3 16:27:42 derek sshd[20628]: Failed password for invalid user mysql from 61.232.12.74 port 52363 ssh2
Jan 3 16:27:47 derek sshd[20632]: Failed password for invalid user info from 61.232.12.74 port 36526 ssh2
Jan 3 16:27:55 derek sshd[20634]: Failed password for invalid user tony from 61.232.12.74 port 45554 ssh2
Jan 3 16:28:02 derek sshd[20638]: Failed password for invalid user core from 61.232.12.74 port 60180 ssh2
Jan 3 16:28:08 derek sshd[20640]: Failed password for invalid user newsletter from 61.232.12.74 port 43810 ssh2
Jan 3 16:28:14 derek sshd[20644]: Failed password for invalid user named from 61.232.12.74 port 53885 ssh2
Jan 3 16:28:19 derek sshd[20646]: Failed password for invalid user visitor from 61.232.12.74 port 34720 ssh2
Jan 3 16:28:28 derek sshd[20650]: Failed password for invalid user ftpuser from 61.232.12.74 port 43796 ssh2
Jan 3 16:28:34 derek sshd[20654]: Failed password for invalid user username from 61.232.12.74 port 58307 ssh2
Jan 3 16:28:39 derek sshd[20658]: Failed password for invalid user administrator from 61.232.12.74 port 40039 ssh2
Jan 3 16:28:45 derek sshd[20662]: Failed password for invalid user library from 61.232.12.74 port 49491 ssh2
Jan 3 16:28:51 derek sshd[20664]: Failed password for invalid user test from 61.232.12.74 port 60543 ssh2
Jan 3 16:28:56 derek sshd[20666]: Failed password for root from 61.232.12.74 port 42015 ssh2
Jan 3 16:29:02 derek sshd[20668]: Failed password for root from 61.232.12.74 port 51793 ssh2
Jan 3 16:29:08 derek sshd[20694]: Failed password for invalid user admin from 61.232.12.74 port 33110 ssh2
Jan 3 16:29:13 derek sshd[20698]: Failed password for invalid user guest from 61.232.12.74 port 43066 ssh2
Jan 3 16:29:22 derek sshd[20702]: Failed password for invalid user master from 61.232.12.74 port 53343 ssh2
Jan 3 16:29:27 derek sshd[20704]: Failed password for root from 61.232.12.74 port 39298 ssh2
Jan 3 16:29:36 derek sshd[20708]: Failed password for root from 61.232.12.74 port 50226 ssh2
Jan 3 16:29:42 derek sshd[20712]: Failed password for root from 61.232.12.74 port 38921 ssh2
Jan 3 16:29:48 derek sshd[20714]: Failed password for root from 61.232.12.74 port 48867 ssh2
Jan 3 16:29:55 derek sshd[20718]: Failed password for root from 61.232.12.74 port 60474 ssh2
Jan 3 16:30:00 derek sshd[20722]: Failed password for invalid user admin from 61.232.12.74 port 43873 ssh2
Jan 3 16:30:10 derek sshd[20726]: Failed password for invalid user admin from 61.232.12.74 port 53147 ssh2
Jan 3 16:30:15 derek sshd[20728]: Failed password for invalid user admin from 61.232.12.74 port 40931 ssh2
Jan 3 16:30:22 derek sshd[20730]: Failed password for invalid user admin from 61.232.12.74 port 50321 ssh2
Jan 3 16:30:28 derek sshd[20732]: Failed password for root from 61.232.12.74 port 60204 ssh2
Jan 3 16:30:33 derek sshd[20734]: Failed password for root from 61.232.12.74 port 42430 ssh2
Jan 3 16:30:40 derek sshd[20736]: Failed password for invalid user test from 61.232.12.74 port 52732 ssh2
Jan 3 16:30:46 derek sshd[20740]: Failed password for invalid user test from 61.232.12.74 port 36377 ssh2
Jan 3 16:30:58 derek sshd[20744]: Failed password for invalid user webmaster from 61.232.12.74 port 45941 ssh2
Jan 3 21:14:33 derek sshd[24073]: Failed password for invalid user staff from 61.142.83.245 port 48583 ssh2
Jan 4 04:51:49 derek sshd[27135]: Failed password for root from 125.248.86.5 port 44088 ssh2
Jan 4 04:51:55 derek sshd[27137]: Failed password for invalid user sifak from 125.248.86.5 port 48097 ssh2
Jan 4 04:52:01 derek sshd[27139]: Failed password for invalid user slasher from 125.248.86.5 port 52529 ssh2
Jan 4 04:52:08 derek sshd[27141]: Failed password for invalid user fluffy from 125.248.86.5 port 57174 ssh2
Jan 4 04:52:14 derek sshd[27143]: Failed password for invalid user admin from 125.248.86.5 port 34434 ssh2
Jan 4 04:52:19 derek sshd[27145]: Failed password for invalid user test from 125.248.86.5 port 38912 ssh2
Jan 4 04:52:24 derek sshd[27147]: Failed password for invalid user guest from 125.248.86.5 port 43622 ssh2
Jan 4 04:52:29 derek sshd[27149]: Failed password for invalid user webmaster from 125.248.86.5 port 47444 ssh2
Jan 4 04:52:37 derek sshd[27151]: Failed password for invalid user mysql from 125.248.86.5 port 51329 ssh2
Jan 4 04:52:42 derek sshd[27153]: Failed password for invalid user oracle from 125.248.86.5 port 56331 ssh2
Jan 4 04:52:47 derek sshd[27155]: Failed password for invalid user library from 125.248.86.5 port 60746 ssh2
Jan 4 04:52:56 derek sshd[27157]: Failed password for invalid user info from 125.248.86.5 port 36366 ssh2
Jan 4 04:53:01 derek sshd[27159]: Failed password for invalid user shell from 125.248.86.5 port 42826 ssh2
Jan 4 04:53:07 derek sshd[27161]: Failed password for invalid user linux from 125.248.86.5 port 46849 ssh2
Jan 4 04:53:14 derek sshd[27163]: Failed password for invalid user unix from 125.248.86.5 port 50759 ssh2
Jan 4 04:53:26 derek sshd[27165]: Failed password for invalid user webadmin from 125.248.86.5 port 54377 ssh2
Jan 5 18:41:07 derek sshd[18880]: Failed password for james from 127.0.0.1 port 40283 ssh2
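The log above is the classic shape of an automated password-guessing sweep: one source address, a dictionary of common account names, a few seconds between attempts, and a handful of tries against root. The added example below (not from the thread) parses "Failed password" lines in the same format, groups them by source address, separates guesses against non-existent accounts from guesses against real ones, and flags an address that fails at least five times within five minutes. The log lines embedded in it are constructed for the example with documentation addresses (192.0.2.0/24, 198.51.100.0/24), not the real addresses from the post; the host name "derek" and the message format are the ones in the log.

```python
"""Summarise sshd 'Failed password' lines per source address (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample in the format of the thread's log; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  3 16:25:07 derek sshd[20552]: Failed password for invalid user staff from 192.0.2.10 port 47970 ssh2
Jan  3 16:25:12 derek sshd[20554]: Failed password for invalid user sales from 192.0.2.10 port 56057 ssh2
Jan  3 16:25:19 derek sshd[20556]: Failed password for invalid user admin from 192.0.2.10 port 34721 ssh2
Jan  3 16:25:23 derek sshd[20560]: Failed password for root from 192.0.2.10 port 47259 ssh2
Jan  3 16:25:29 derek sshd[20562]: Failed password for root from 192.0.2.10 port 54685 ssh2
Jan  3 16:25:34 derek sshd[20566]: Failed password for invalid user test from 192.0.2.10 port 35611 ssh2
Jan  3 21:14:33 derek sshd[24073]: Failed password for invalid user staff from 198.51.100.7 port 48583 ssh2
Jan  5 18:41:07 derek sshd[18880]: Failed password for james from 127.0.0.1 port 40283 ssh2
Jan  5 18:42:10 derek sshd[18890]: Accepted password for james from 127.0.0.1 port 40290 ssh2
"""

def parse_timestamp(ts):
    # syslog pads single-digit days with a space ("Jan  3"); the year is not logged,
    # so strptime's default year is fine for ordering within one log file.
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")

def summarize(log_text, window=300, threshold=5):
    """Return one record per source IP, most failures first."""
    per_ip = defaultdict(lambda: {"total": 0, "invalid_user": 0, "root": 0,
                                  "users": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # successes and unrelated lines are ignored
        rec = per_ip[m.group("ip")]
        rec["total"] += 1
        rec["invalid_user"] += bool(m.group("invalid"))   # account does not exist
        rec["root"] += m.group("user") == "root"
        rec["users"].add(m.group("user"))
        rec["times"].append(parse_timestamp(m.group("ts")))

    report = []
    for ip, rec in per_ip.items():
        times = sorted(rec["times"])
        burst = False
        for i in range(len(times)):
            # sliding window: `threshold` failures inside `window` seconds
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window:
                burst = True
                break
        report.append({"ip": ip, "total": rec["total"],
                       "invalid_user": rec["invalid_user"], "root": rec["root"],
                       "users": sorted(rec["users"]), "burst": burst})
    report.sort(key=lambda r: (-r["total"], r["ip"]))
    return report

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print("%-14s failures=%d invalid_user=%d root=%d burst=%s users=%s"
              % (r["ip"], r["total"], r["invalid_user"], r["root"], r["burst"],
                 ",".join(r["users"])))
```

Run against a real /var/log/auth.log the "invalid user" count tells you how much of the noise is aimed at accounts that do not exist, and the "root" count is the figure that matters once PermitRootLogin is off. The single local failure for james (127.0.0.1) shows up as one non-burst entry, which matches James's own explanation of that line later in the thread.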
That's most likely a bot scanning random computers for SSH and possible holes, to probably then install a backdoor for sending spam
I get those.
Don't worry about it, just be sure you don't pick too obvious passwords (especially the root password), make sure you keep the system up-to-date with security patches and limit what normal users can do (which is default anyway).
I think it would be possible to disable remote root logins if you're worried about that; it's something I've been meaning to look into but haven't got round to yet.
Jan 5 18:41:07 derek sshd[18880]: Failed password for james from 127.0.0.1 port 40283 ssh2
I disabled root logins the second I read my log. I now only allow logins by james. I emailed the ISP of the 61 address and hopefully they'll stop his connection. I couldn't get in touch with the other.
If you want to disable root logins it is 'PermitRootLogin no'
There is also,
AllowUsers user1 user2 etc
AllowGroups group1 group2 etc
DenyUsers user1 user2 etc
DenyGroups group1 group2 etc
EDIT:
Jan 5 18:41:07 derek sshd[18880]: Failed password for james from 127.0.0.1 port 40283 ssh2
I should have removed that one before posting... 
I was testing the email activation thing and I typed my password wrong
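One thing to know when applying the sshd_config options listed above (PermitRootLogin, AllowUsers, AllowGroups, DenyUsers, DenyGroups): for each keyword sshd uses the first value it reads, so a "PermitRootLogin no" added at the bottom of a file that already says "PermitRootLogin yes" near the top changes nothing. The added example below (not from the thread or from OpenSSH) parses a sshd_config fragment with that first-wins rule, reports the weak settings the thread is concerned with, and evaluates whether a given account may log in under the Allow/Deny user lists. It handles only the user-level lists, not the group lists or Match blocks, and assumes the PermitRootLogin default of "yes" that sshd of that era shipped with (current releases default to prohibit-password).

```python
"""Check sshd_config for the remote-root and user-list settings discussed above
(added example, not from the thread or from OpenSSH)."""
import re

def parse_sshd_config(text):
    """Keyword -> value, keeping the FIRST value seen for each keyword, as sshd does.
    Stops at the first Match block (beyond the scope of this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        key, _, value = re.split(r"[\s=]+", line, maxsplit=1)[0], None, None
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)      # later duplicates are ignored
    return settings

def audit(settings):
    """Return human-readable findings for the settings the thread talks about."""
    findings = []
    prl = settings.get("permitrootlogin", "yes")   # assumption: old sshd default
    if prl.lower() != "no":
        findings.append("PermitRootLogin is '%s'; remote root login should be 'no'" % prl)
    if not (settings.get("allowusers") or settings.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every account may attempt to log in")
    return findings

def login_permitted(settings, user):
    """DenyUsers is checked before AllowUsers, as in sshd_config(5); root is also
    subject to PermitRootLogin. Group lists are not modelled here."""
    if user in settings.get("denyusers", "").split():
        return False
    allow = settings.get("allowusers", "").split()
    if allow and user not in allow:
        return False
    if user == "root" and settings.get("permitrootlogin", "yes").lower() == "no":
        return False
    return True

# Constructed fragments: the weak starting point, the hardened version, and the
# duplicate-keyword trap where the later "no" is silently ignored.
WEAK = """Port 22
PermitRootLogin yes
# AllowUsers james
"""
HARDENED = """Port 22
PermitRootLogin no
AllowUsers james
DenyUsers guest
"""
DUPLICATE = """PermitRootLogin yes
PermitRootLogin no    # ignored: sshd keeps the first value it read
"""

if __name__ == "__main__":
    for label, conf in [("weak", WEAK), ("hardened", HARDENED), ("duplicate", DUPLICATE)]:
        s = parse_sshd_config(conf)
        print(label, audit(s) or ["ok"],
              {u: login_permitted(s, u) for u in ("james", "root", "guest")})
```

After editing the real file, `sshd -t` checks that the configuration parses before you restart the daemon, which matters here because a syntax error would leave you exactly where James was: unable to get back in.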
I emailed the ISP of the 61 address and hopefully they'll stop his connection.
Unfortunately, it's quite possible that's just a proxy server address.
Oh yeah... I hadn't thought of that.
I disabled root logins the second I read my log.
I personally think you're being paranoid, but disallowing remote root logins is usually a good idea regardless.
I now only allow logins by james.
I guess I'm lucky that many of the "obvious" user names don't exist on my system.
I emailed the ISP of the 61 address and hopefully they'll stop his connection.
It's quite possible that it traces back to a hijacked computer as well, in which case you have the wrong guy.
If you want to disable root logins it is 'PermitRootLogin no'
I know; I want to disable su and sudo except from users (well, me) that are logged in locally (ie, not remotely).
I used to get this once or twice per day a while back; at first I found it disturbing and unnerving (and it is annoying), but if you keep your system reasonably up to date and don't have any dodgy security holes (like activating the sshd daemon through e-mail) you shouldn't have anything to worry about.
It can also help to have your firewall set to drop certain types of connections, like just the "ACK" part. Well, I mean, many scanners only ask to see if a port is open, and don't actually try and open it; it's this type of check you can block to make it look like open ports really aren't open.
The only scans I see these days are lame NetBIOS/SMB crap.