Re: ssh and root

To: debian-security <debian-security@lists.debian.org>
Subject: Re: ssh and root
From: Vineet Kumar <debian-security@virtual.doorstop.net>
Date: Mon, 10 Dec 2001 16:11:17 -0800
Message-id: <[🔎] 20011211001117.GA22163@doorstop.net>
Mail-followup-to: debian-security <debian-security@lists.debian.org>
In-reply-to: <[🔎] 86k7vyt6iu.fsf@i2d.home>
References: <[🔎] 86k7vyt6iu.fsf@i2d.home>

* Robert Epprecht (epprecht@sunweb.ch) [011208 02:31]:
> I need ssh to access some cvs servers.  As the files are stored locally
> below /usr/local/ and ordinary users have no write access there I called
> ssh-keygen as root.  But now I have my doubts if this was The Right
> Thing to do regarding security.  I *do* trust the cvs servers in
> question and am not paranoid about security, but I do want a reasonable
> security level.  Comments welcome.


I'm not sure I completely understand your situation, but I have a few
more (maybe) helpful hints which I neglected to include in my earlier
reply.

Again, I don't understand exactly what you're trying to do, so forgive
me if some of these clues are irrelevant.

If you're trying to access something for which you need root on the
remote machine, you don't need to be root on the local machine to get to
it. The best way to do it is to use ssh (i.e. rsa or dsa) keys. Let's
say your local user account is 'vineet', the local machine is called
'gobo', and you are performing some task on a remote machine 'wembley'
for which you need root privileges (i.e. a system-wide backup script).
A good way to accomplish this is to create a public/private keypair for
vineet on gobo. Now if you place a copy of the public key in
/root/.ssh/authorized_keys on wembley, you can log in like this:

vineet@gobo $ ssh root@wembley

No problem. Now here's where it gets fun: sshd(8). See specifically the
section about the options you can specify in an authorized_keys file.
With the right combinations of options, you can set it up so that the
root account can only be accessed via bineet@gobo's key, and that he can
only connect from gobo, and that, once connected, he automatically execs
a specified command instead of a root shell. I had set up a system by
which my machines were doing nightly network backups via rsync with this
type of system. Just ask if you need more help setting it up.

good times,
Vineet

-- 
Satan laughs when      #  "I disapprove of what you say, but I will
we kill each other.    #   defend to the death your right to say it."
Peace is the only way. #  --Beatrice Hall, The Friends of Voltaire, 1906

Attachment: pgpBRPhhjPyza.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: ssh and root
  - From: Robert Epprecht <epprecht@sunweb.ch>

References:
- ssh and root
  - From: Robert Epprecht <epprecht@sunweb.ch>

Prev by Date: Deducing key from encrypted & original data
Next by Date: Re: Can a daemon listen only on some interfaces?
Previous by thread: Re: ssh and root
Next by thread: Re: ssh and root
Index(es):
- Date
- Thread