
Re: Unlocking (remote/local), was Re: Help with suid (bash)



On Tue 10 May 2022 at 17:12:25 (-0600), Charles Curley wrote:
> On Tue, 10 May 2022 11:08:23 -0500
> David Wright <deblis@lionunicorn.co.uk> wrote:
> 
> > That complicates unlocking partitions remotely because, even if you
> > can log in as root, you normally can't log in remotely as root.
> 
> ??? I log in as root over SSH all the time.

This sequence will be familiar to a lot of people:

$ ssh acer -l root                                               ➀
root@acer's password: 
Permission denied, please try again.
root@acer's password:                                           ^C

130 $  /bin/su -                                                 ➁
Password: 
bullseye on /dev/sda5 toto05
# ssh acer
Linux acer 5. … …                                                ➂
 …  …
Last login: Tue May 10 …
acer # mv -i .ssh/authorized_keys .ssh/hide-authorized_keys      ➃
acer # 
logout
Connection to acer closed.
# ssh acer                                                       ➄
root@acer's password: 
Permission denied, please try again.
root@acer's password:                                           ^C

130 # 

IOW, though logging in to root by password is ok at the console,
it's not ok when remote. ➀

However, when I'm already root ➁, logging in by key is ok because acer's
root has my public key and I can prove I have the private key. ➂

If acer's root doesn't have my public key ➃, then I still can't log in
to acer with ssh because password is all that's left. ➄

I don't give root's public key to other users, where "other" includes me.

I presume that in some respect, your systems differ.

> > I use a special user called unlock, whose home directory is on
> > /var/local/, to unlock my /home partitions:
> 
> Unlock? What does "unlock" mean in this context? It looks like a
> synonym for "mount". If so, it's an unnecessary opportunity for
> confusion. And it sounds like it's more complicated than it need be.

/etc/fstab could mount /home, except for the context:

> > > On Tue 10 May 2022 at 07:50:18 (-0400), rhkramer@gmail.com wrote:

> > > > Background: 8 years ago I wrote a set of scripts to help me mount and unmount 
> > > > LUKS encrypted partitions as needed and as myself (<myuserid>) rather than as 
> > > > root. 

So any complexity, outside the script itself, arises from:

unlock has a home directory that's not on /home (which is still locked),
unlock can run just one program, and with strictly limited arguments,
unlock doesn't have to authenticate to use that sudo command,
I'm lazy and would rather type unlo<TAB>ac<TAB> than ssh acer -l unlock,
and I'm lazy and would rather type wake-ac<TAB> than walk 30 yards
and a flight of stairs, plus return, just to press a button.

Cheers,
David.
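The behaviour in steps ➀ to ➄ above is what OpenSSH's PermitRootLogin setting produces. The fragment below is an added illustration, not part of David's message or his systems' configuration; the server name and the file path are the usual Debian ones, and which of the commented alternatives a site wants is an assumption it has to make for itself.

```text
# /etc/ssh/sshd_config on the server ("acer" in the thread); added example.
# Debian ships this line commented out because it is already the OpenSSH
# default (since 7.0), which is exactly what steps 1-5 show:
#PermitRootLogin prohibit-password

# Spelled out explicitly. root may authenticate with a key (step 3) but
# never with a password (steps 1 and 5); other users keep password auth.
PermitRootLogin prohibit-password
PasswordAuthentication yes

# The weaker setting that would have let step 1 succeed. Avoid it: a
# password-guessing attempt then goes straight at the root account.
#PermitRootLogin yes

# Tighter still, if no remote root login is wanted at all, even by key:
#PermitRootLogin no
```

To see the value actually in effect on a host (including anything a Match block contributes), run `sshd -T | grep -i permitrootlogin` as root; that dumps the parsed configuration rather than the file, so it also catches a stray include that overrides the line you edited.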

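David's "unlock" user is only sketched in the message (one program, strictly limited arguments, no sudo password, home outside /home). The sudoers fragment below is an added example of how that sketch is normally expressed; the script path, the device name and the user-creation command are placeholders and assumptions, not David's actual script.

```text
# /etc/sudoers.d/unlock  (edit with: visudo -f /etc/sudoers.d/unlock)
# Added example; paths and device names are placeholders.
#
# The account itself lives under /var/local so it exists before /home is
# unlocked (assumed creation command):
#   useradd -m -d /var/local/unlock -s /bin/sh unlock
#
# Exactly one command, with no arguments (the trailing "" means "no
# arguments allowed" in sudoers syntax), and no password prompt:
unlock ALL=(root) NOPASSWD: /usr/local/sbin/unlock-home ""

# If the script must take a fixed argument, spell it out rather than
# using a wildcard, so the user cannot pass a different device:
#unlock ALL=(root) NOPASSWD: /usr/local/sbin/unlock-home /dev/sdXN

# Everything else through sudo is refused for this account; the LUKS
# passphrase is still requested by the script itself on the ssh tty.
```

Two things worth checking after installing such a rule: `sudo -l -U unlock` (as root) lists exactly what the account may run, and the file must be mode 0440 or sudo ignores it. The wrapper script should also be root-owned and not writable by unlock, otherwise the "one program" restriction is only nominal.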
