Bonno Bloksma wrote:
> Of course root cannot log in via ssh and that is no problem. A simple
> su - is enough to make myself root after that and perform the
> necessary tasks. But...

I often see people advise to disable root ssh login access. But I
disagree that it is beneficial. In fact it can make some things so
difficult that people make other choices that are less secure. I
always leave root able to log into a machine with ssh. Just by itself
that is not a security vulnerability. I know that others feel
comforted by disabling this however and that is fine.

Copying files as you see is one such issue. Backup is another.

> I sometimes need to copy some files from the server to my machine
> and want to use scp but... as my default user I do not have access
> to the files that I just have been able to access as root. So I need
> to:
>
> - cp the file to the /home/username directory.
>
> - make sure the filesystem rights are proper for the user to
> access them
>
> Then I can scp as the user to the server and get the file. And of
> course in reverse order if I want to place a file on the system.
>
> Is there a better way or is that the way it needs to be done?

Can you log in as root from the localhost? That is:

  user@desktop:~$ ssh other.example.com
  user@other:~$ ssh root@localhost
  root@other:~#

Surely you wouldn't consider that to be an insecure method of access.
No different than using "su" on the local host. Right? All good.

If you can do that then you could simply hop through from one to the
next. Use the other machine as a landing pad. (Sometimes called a
lily pad.) And then hop through to root.

  $ ssh -o ProxyCommand="ssh -W 127.0.0.1:%p %h" root@other.example.com id
  Enter passphrase for key '/home/rwp/.ssh/id_rsa':
  Enter passphrase for key '/home/rwp/.ssh/id_rsa':
  uid=0(root) gid=0(root) groups=0(root)

It will ask you for a password or passphrase as is normal for ssh.
I intentionally showed that here for the illustration but normally I
use an ssh agent running on my desktop and so these would not be
listed inline. I recommend using an ssh agent. The above, without
one, is just for clarity of illustration.

In my example above it first logged into the other host as the normal
non-root user and then started a second ssh which logged into the
tunnel that was created on the fly and logged into the localhost as
root.

The scp command is "okay" but not a great command. It uses the old
interface and some things are not so nice. Much more featureful is
the rsync command. I highly recommend using rsync for copies across
the network. It has many advantages over scp.

This can also be used for rsync, passed in through the rsync -e
option. It is a little bit long that way.

  rsync -av -e 'ssh -o ProxyCommand="ssh -W 127.0.0.1:%p %h"' root@other.example.com:/some/file ./

These options can be configured in your ~/.ssh/config file so that
you don't need to type the options on the command line each and
every time you invoke the command. But the trick is to pass the
options into the first ssh but not the second, which takes a
separate name.

  Host tunnel.other.example.com
      ProxyCommand ssh -W 127.0.0.1:%p other.example.com
      HostKeyAlias other.example.com

Then you can call it like this:

  rsync -av root@tunnel.other.example.com:/some/file ./

And don't forget that bash has TAB completion on these names, making
the long names not much trouble to enter.

Bob
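As an added illustration (not code from Bob's mail), a small Python resolver that mimics OpenSSH's "first obtained value wins" rule for Host blocks shows why the alias needs its own name: tunnel.other.example.com receives the ProxyCommand and HostKeyAlias, while other.example.com, which the inner ssh started by that ProxyCommand connects to, does not, so ssh cannot recurse into itself. It handles only Host blocks with glob patterns (no Match blocks), and the config text below is constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Constructed config for the example: the stanza from the mail plus a
# catch-all block of the kind many people already have.
SSH_CONFIG = """
Host tunnel.other.example.com
    # the real name is spelled out: %h here would expand to the alias
    ProxyCommand ssh -W 127.0.0.1:%p other.example.com
    HostKeyAlias other.example.com

Host *
    ProxyCommand none
    ServerAliveInterval 30
"""


def parse_ssh_config(text):
    """Split config text into (host patterns, {option: value}) blocks."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value"/"Key=value"
        key = parts[0].lower()                        # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)               # first value in a block wins
    if opts:
        blocks.append((patterns, opts))
    return blocks


def resolve(text, host):
    """Effective options for host: the first block to set a key wins, so a
    specific Host block has to come before a catch-all 'Host *' block."""
    resolved = {}
    for patterns, opts in parse_ssh_config(text):
        if any(fnmatchcase(host, p) for p in patterns):
            for key, value in opts.items():
                resolved.setdefault(key, value)
    return resolved


def expand_tokens(command, host, port=22):
    """Expand the %h, %p and %% tokens ssh substitutes into ProxyCommand."""
    tokens = {"%": "%", "h": host, "p": str(port)}
    return re.sub(r"%(.)", lambda m: tokens.get(m.group(1), m.group(0)), command)
```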