
Re: sudo password visible through ssh command line



On Sun, Jul 13, 2008 at 07:12:36PM -0700, David Fox wrote:
> On Thu, Jul 10, 2008 at 3:11 PM, Alex Samad <alex@samad.com.au> wrote:
> > other have answered was to get around this.  How about ssh straight to
> > root@ the box (turn sshd to allow root login by sign only and set a
> 
> I don't think this is such a good idea, because direct outside root
> logins should be disabled anyway. Think of it like this - if the user
> knows he can get root without having to know the password of an
> unprivileged user, it's that much easier for him to get in. Rather,
> disallow those logins and make outside users use sudo, and make even
> that practice suspect (of course there are reasons to let outsiders -
> in the sense they don't have physical access to the system in to do
> root things).

I have to agree and disagree. Yes, it would be best to not give outside
people access to root. But if it is limited to rsa key only login, that
makes it nearly impossible (depending on the practicality of the effort).
With normal userids you have all the same problems, password etc.; the
only benefit is they have to guess the name.

If, as I said in my original post, you limit the commands that can be done
over ssh to root, this makes it more secure, especially if you are
limiting to a very small set of commands and options, and specifically
to just daily/weekly automated things.

For day-to-day ad hoc tasks, yes, a userid and sudo should be the way to
go.


> 
> Of course, passphrases are the thing to setup - especially on direct
> root logins as it makes the chance of J. Random Hacker (think of all
> the script kiddies from overseas banging into your box at night)
> getting through and doing potential harmful things.

Yeah, I have kept a record on my firewall for the last 4-5 years. It
accepts ssh, but only rsa keys (in fact only one; add to that some
iptables -m limit rules to slow them down).

The thing you missed, though, is the authorized_keys file. One of the
options is:
     command="command"
             Specifies that the command is executed whenever this key is
             used for authentication.  The command supplied by the user (if
             any) is ignored.  The command is run on a pty if the client
             requests a pty; otherwise it is run without a tty.  If an
             8-bit clean channel is required, one must not request a pty
             or should specify no-pty.  A quote may be included in the
             command by quoting it with a backslash.  This option might be
             useful to restrict certain public keys to perform just a
             specific operation.  An example might be a key that permits
             remote backups but nothing else.  Note that the client may
             specify TCP and/or X11 forwarding unless they are explicitly
             prohibited.  The command originally supplied by the client is
             available in the SSH_ORIGINAL_COMMAND environment variable.
             Note that this option applies to shell, command or subsystem
             execution.


You write a script to filter what commands can be run, filtering out \;
\& eval and whatever you want.




-- 
"We're concerned about AIDS inside our White House -- make no mistake about it."

	- George W. Bush
02/07/2001
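
An added example, not part of the original message: a forced-command wrapper of the kind described above, reading SSH_ORIGINAL_COMMAND. It uses an exact-match allowlist instead of filtering out characters such as `;` and `&`, so anything not listed is refused. The script path, job names and the commands they map to are assumptions.

```shell
#!/bin/sh
# Hypothetical install path: /usr/local/sbin/ssh-root-gate
# Matching authorized_keys entry for root (key material elided):
#   command="/usr/local/sbin/ssh-root-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... backup-job
# The no-* options close the forwarding and pty paths that the man page
# says remain open unless explicitly prohibited.

# resolve_command REQUEST
# Prints the fixed local command line for an allowed request and returns 0.
# Prints nothing and returns 1 for everything else. The request is only
# compared against literals, never expanded, split or evaluated.
resolve_command() {
    case "$1" in
        backup-etc)  echo "/usr/local/sbin/backup-etc" ;;            # hypothetical job
        rotate-logs) echo "/usr/sbin/logrotate /etc/logrotate.conf" ;;
        disk-report) echo "/bin/df -P" ;;
        *)           return 1 ;;
    esac
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client supplied a command.
# Without one (an interactive login attempt) the script falls through and
# the session ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if cmd=$(resolve_command "$SSH_ORIGINAL_COMMAND"); then
        logger -t ssh-root-gate "allow: $SSH_ORIGINAL_COMMAND"
        # $cmd comes from the table above, so word splitting here is safe.
        exec $cmd
    fi
    logger -t ssh-root-gate "deny: $SSH_ORIGINAL_COMMAND"
    echo "ssh-root-gate: request not permitted" >&2
    exit 1
fi
```

Because the client's string selects a table entry and is never passed to a shell, a request such as `disk-report; id` fails the match and is logged as a denial.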
