How do I prevent all console access except via key-authenticated SSH?

Question

I have a server environment for which the only methods of login would be SSH or local terminal in the datacenter. I have set this up to allow a specific user to login only with a key, not password (explicitly disabled). This user also has no password set.

Because of the things this user needs to do on the server, I have granted password-free sudo access, using (in the sudoers file):

username ALL=(ALL) NOPASSWD: ALL

Obviously, this can be a security issue. I need to ensure that the user cannot login to the server by any means other than SSH, using our closely guarded SSH keys. All SSH logins are extremely well protected, and locked to a specific IP address too, so that coupled with the key-based login, is secure (as it can be). I wish to eliminate the ability to login via our datacenter to ensure that the user cannot login from there, and only SSH.

How do I prevent those unauthorized access attempts?

Answer 1

You could set a password on the user that is 30+ random characters (some almost impossible to type) to prevent non-SSH logins.

Though, this wouldn't stop the user from changing the password via SSH, and then using the datacenter terminal for direct access.

Answer 2

I've always found a better solution is to set the password hash (in /etc/shadow) to an invalid value. I typically use the string %%NP%%. This effectively turns off password authentication for this user, and prohibits any sort of brute force cracking of the password. Given that no input into the password hashing algorithm will ever match the hash in the shadow file, this is extremely secure.

For Linux, you can instead of (or in addition to) the above, set access control parameters in /etc/security/access.conf. There are several examples in that file that should get you what you need. One caveat with this approach is that you can very easily lock root from being able to login from the console, which is a very bad idea in an emergency.