[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Access Control behaves strange



On Wed, May 16, 2001 at 01:08:00AM +0200, Achim Bohnet wrote:
> On Wednesday 16 May 2001 00:35, Jens Benecke wrote:
> > On Tue, May 15, 2001 at 10:48:11PM +0200, Achim Bohnet wrote:
> > > On Tuesday 15 May 2001 22:16, Burkhard Perkens-Golomb wrote:
> > > > During upgrade a warning appears that X starts now with "-nolisten
> > > > tcp" :-) . See /etc/X11/kdm/Xservers, delete "-nolisten tcp".
> > > No please don't delete it (without a good reason).  The problem can
> > > be solved in two other ways without any security loss.  a) use ssh as
> > There's an even simpler way (tho I wouldn't understand why you don't
> Security: direct root login not permited  (never tried to figure out how

Oh, that's simple. You even have a choice between two methods. :-)

Either: 

	PermitRootLogin without-password

that means you will only be able to login from machines whose public-key
(in /root/.ssh/identity.pub) is in the server's /root/.ssh/authorized_keys.
NO password will be asked but you won't be able to login from other hosts
at all, as root.

That's what I use here, because it makes changing to root so simple while
OTOH denying root access from outside completely.


The other is simply defining categories in the sshd_config. You can define
that from 127.0.0.1 root access is allowed but not from 0.0.0.0 (everwhere
else).

I don't know exactly how this is done however. ;)

> to allow root login only via localhost) Minor: Overhead, response.
> Compare x app via ssh tunneling and direct :0 access.  :0 is much more
> responsive.

I think I can spare the couple CPU cycles. :-)
 
> > ln -fs /home/achim/.Xauthority /root/.Xauthority
> > That way root will always have the "Magic cookie" from X, when achim is
> > logged in via X.
> Because there can't be 3 /home/{achim,harald,joachim}/.Xauthority links,

/usr/local/bin/toroot:
---------------------------------------------------------------------------
#!/bin/bash
su - root -c "ln -fs /home/$USER/.Xauthority ~/.Xauthority; /bin/bash --login"
---------------------------------------------------------------------------

if you still don't want to use ssh. :-)

> sig.  But for the standard 'this is my box' case you are right.  Done on
> my Laptop.  Thanks for the tip.

no problem. ;)

 

-- 
Jens Benecke                            > "Dann nimm lieber gleich Pattex!"
                "Na, ob das was hilft - der Hersteller ist schließlich eine 
             Gesellschaft mit beschränkter Haftung :-)" (-- aus dem Usenet)
http://www.hitchhikers.de/ - Die kostenlose Mitfahrzentrale für ganz Europa

Attachment: pgpiyIsPNGdvM.pgp
Description: PGP signature


Reply to: