Disable remote logon but still allow su to same user

server 14.04

No, disabling SSH access in the sshd_config file will not affect the ability to login locally or through the use of su command.

Although you can limit the accounts allowed to connect with SSH as described in the referenced answer (i.e. by setting either DenyUsers specadmin or AllowUsers mary in the /etc/ssh/sshd_config file), it would still be less secure than what is considered a common practice for SSH.

You should not go that way and instead switch to the key-based authentication.

If you are configuring it for the first time, it might seem cumbersome, but as you use cloud services, you can easily add a new server and perform test runs (btw, cloud services usually give you a web access to the console if you lock yourself out).

First you should set (or ensure the following options is set in the sshd_config):

PubkeyAuthentication yes

Then you should generate a key-pair on your client machine (ssh-keygen command on Linux machines) and add the public key to the following file (for mary):

/home/mary/.ssh/authorized_keys

either by copying manually (a key is a string of characters) or using ssh-copy-id mary@<destination_server> command which will upload the key automatically.

You should be able to connect to the server using ssh mary@<destination_server> using the key. If you set the passphrase during ssh-keygen, which you should, you will need to enter it, but it will not be transferred between the client and the server. To be really sure you are doing things correctly set a passphrase to the key file different from the password on the destination server.

If you can successfully login using the key authentication (and passphrase), you can proceed to disabling password based one by adding/ensuring the following settings in sshd_config:

PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no

After the changes to the sshd_config you should of course restart the SSH daemon (sudo service ssh restart) on the server.

For peace of mind you might also want to disallow access via SSH for the root account in the sshd_config (although if you perform the above, root won't be able to login by default):

PermitRootLogin no

It's the exact use case for the DenyUsers and AllowUsers lines in the file /etc/ssh/sshd_config. You can log in as an allowed user, and su to the privileged user when required.

Also, if you want to beef up your security measures, you should look into using passphrase protected certificate-based authentication to log in as your regular users (such as Mary). It's quite simple to set up, and adds an extra layer of security to your system.

Related

How to change the DNS name server? [duplicate]
apt-get aborts after I type Y to continue [closed]
Qt4 interface not working for VLC
Hidden files won't stay hidden in Ubuntu 14.04 LTS
Clarifications about Gstreamer
Chrome - Disable cache for localhost only?
When using asyncio, how do you allow all running tasks to finish before shutting down the event loop
Re-throwing exception in NodeJS and not losing stack trace
How much null checking is enough?
How to get camera result as a uri in data folder?
Instagram: Share photo from webpage
What is `git checkout --orphan` used for?