
Re: scp non root



Bonno Bloksma wrote:
> Of course root cannot login via ssh and that is no problem. A simple
> su - is enough to make myself root after that and perform the
> necessary tasks. But...

I often see people advise to disable root ssh login access.  But I
disagree that it is beneficial.  In fact it can make some things so
difficult that people make other choices that are less secure.  I
always leave root able to log into a machine with ssh.  Just by itself
that is not a security vulnerability.  I know that others feel
comforted by disabling this however and that is fine.

Copying files as you see is one such issue.  Backup is another.

> I sometimes need to copy some files from the server to my machine
> and want to use scp but... as my default user I do not have access
> to the files that I just have been able to access as root. So I need
> to:
>
> -       cp the file to the /home/username directory.
> 
> -       make sure the filesystem rights are proper for the user to
>         access them
>
> Then I can scp as the user to the server and get the file. And of
> course in reverse order if I want to place a file on the system.
>
> Is there a better way or is that the way it needs to be done?

Can you log in as root from the localhost?  That is:

  user@desktop:~$ ssh other.example.com
  user@other:~$ ssh root@localhost
  root@other:~#

Surely you wouldn't consider that to be an insecure method of access.
No different than using "su" on the local host.  Right?  All good.

If you can do that then you could simply hop through from one to the
next.  Use the other machine as a landing pad.  (Sometimes called a
lily pad.)  And then hop through to root.

  $ ssh -o ProxyCommand="ssh -W 127.0.0.1:%p %h" root@other.example.com id
  Enter passphrase for key '/home/rwp/.ssh/id_rsa': 
  Enter passphrase for key '/home/rwp/.ssh/id_rsa': 
  uid=0(root) gid=0(root) groups=0(root)

It will ask you for a password or passphrase as is normal for ssh.  I
intentionally showed that here for the illustration but normally I
use an ssh agent running on my desktop and so these would not be
listed inline.  I recommend using an ssh agent.  The above without is
just for clarity of illustration.

In my example above it first logged into the other host as the normal
non-root user and then started a second ssh which logged into the
tunnel that was created on the fly and logged into the localhost as
root.

The scp command is "okay" but not a great command.  It uses the old
interface and some things are not so nice.  Much more featureful is
the rsync command.  I highly recommend using rsync for copies across
the network.  It has many advantages over scp.  This can also be used
for rsync passed in through the rsync -e option.  It is a little bit
long that way.

  rsync -av -e 'ssh -o ProxyCommand="ssh -W 127.0.0.1:%p %h"' root@other.example.com:/some/file ./

These options can be configured in your ~/.ssh/config file so that you
don't need to type the options on the command line each and every
time you invoke the command.  But the trick is to pass the options
into the first ssh but not the second, which takes a separate name.

  Host tunnel.other.example.com
    ProxyCommand ssh -W 127.0.0.1:%p other.example.com
    HostKeyAlias other.example.com

Then you can call it like this:

  rsync -av root@tunnel.other.example.com:/some/file ./

And don't forget that bash has TAB completion on these names, making
the long names not much trouble to enter.

Bob
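Added example (not part of Bob's mail): a small audit of an ssh_config for "landing pad" stanzas like the one above. A stanza whose ProxyCommand tunnels with "ssh -W" into a second sshd should also carry HostKeyAlias, because ssh otherwise looks the inner host's key up under the alias name, for which no known_hosts entry exists yet, and the first connection prompts to accept a key blindly instead of checking it against the entry already held for the real hostname. The sample config, its host names and the user name are constructed for the illustration.

```shell
#!/bin/sh
# Constructed sample config: one stanza done as in the mail (with
# HostKeyAlias), one tunnelled stanza missing it, one ordinary host.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
Host tunnel.other.example.com
  ProxyCommand ssh -W 127.0.0.1:%p other.example.com
  HostKeyAlias other.example.com

Host tunnel.second.example.com
  ProxyCommand ssh -W 127.0.0.1:%p second.example.com

Host plain.example.com
  User rwp
EOF

# check_tunnel_stanzas FILE
# Prints one line per tunnelled stanza ("OK alias -> realname" or
# "MISSING HostKeyAlias: alias") and returns non-zero if any stanza
# that tunnels with "ssh -W" lacks HostKeyAlias.  Keywords are matched
# case-insensitively, as ssh_config itself does.
check_tunnel_stanzas() {
    awk '
        # Emit the verdict for the stanza collected so far and reset.
        function flush() {
            if (host != "" && proxied) {
                if (alias == "") { print "MISSING HostKeyAlias: " host; bad = 1 }
                else             { print "OK " host " -> " alias }
            }
            host = ""; proxied = 0; alias = ""
        }
        tolower($1) == "host"         { flush(); host = $2; next }
        tolower($1) == "proxycommand" { if ($0 ~ /ssh .*-W /) proxied = 1; next }
        tolower($1) == "hostkeyalias" { alias = $2; next }
        END { flush(); exit bad }
    ' "$1"
}

# Stand-alone run: report on the constructed config.
check_tunnel_stanzas "$SAMPLE_CONFIG" \
    || echo "one or more tunnelled stanzas need HostKeyAlias"
```

Point the function at your real ~/.ssh/config to find tunnelled stanzas that would trigger a second trust-on-first-use prompt rather than reusing the host key you have already verified.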
