
Re: Unlocking (remote/local), was Re: Help with suid (bash)



On Wed, May 11, 2022 at 11:07:09AM -0500, David Wright wrote:

[...]

> But after two posts about background information on setuid shell
> scripts, you now write "the worst antipattern is to misuse tech
> to force people to follow some nonsensical rituals". Strong words.

Sorry if I was unclear. The point I was trying to make is that
OpenSSH allows you to change the behaviour we are discussing
if you wish so. So it /doesn't/ follow that antipattern.

As to the other points? Well:

 0. if you want to be able to login directly as root, /and/
   with a password, change the server's /etc/sshd_config
 1. if you can be bothered to set up a key for root, use
   that (generally preferable to 0.)
 1a. you can even limit what a private key owner is able to
   do: e.g. "only backup". So even if someone manages to
   steal your remote backup's private key, (s)he'll only be
   able to trigger a backup
 2. if you don't like 0..1a, there's still sudo. You can
   fine-tune what commands (and what parameters go with
   those) each (local or remote) user is allowed to invoke,
   and even whether they're supposed to issue a password
   for that or they get it "password-less".

What's not to like? What's missing?

Cheers
-- 
t

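The three mechanisms listed in the reply above (a server-side sshd_config setting, a forced-command key for root, and a sudoers rule), shown as an added example that is not code from the thread or from OpenSSH/sudo themselves. The sample files are constructed in a temporary directory; the path /etc/ssh/sshd_config (the Debian location), the users `backup` and `alice`, the program /usr/local/bin/backup-only and the key material are placeholders. The helpers only read the sample files; nothing here touches a live host.

```shell
#!/bin/sh
# Added example, not code from the thread: the three mechanisms the reply lists
# (sshd_config, a forced-command key in authorized_keys, a sudoers rule), written
# as CONSTRUCTED sample files and inspected with small POSIX sh/awk helpers.
# Paths, user names and the key material below are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 0. Server side (Debian path is /etc/ssh/sshd_config). sshd keeps the FIRST
#    value it reads for a keyword, so the later "PermitRootLogin yes" is
#    ignored; "prohibit-password" lets root in with a key only, never a password.
cat > "$WORK/sshd_config" <<'EOF'
# constructed excerpt
PermitRootLogin prohibit-password
PasswordAuthentication yes
# this second value is silently ignored (first match wins)
PermitRootLogin yes
EOF

# 1a. Root's authorized_keys: "restrict" switches off pty, port/agent/X11
#     forwarding, and command= forces one program whatever the client asks for.
cat > "$WORK/authorized_keys" <<'EOF'
restrict,command="/usr/local/bin/backup-only" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 backup@offsite
EOF

# 2. A sudoers drop-in: exact command plus arguments per user; NOPASSWD only
#    where an unattended job needs it.
cat > "$WORK/sudoers" <<'EOF'
# constructed /etc/sudoers.d/backup excerpt
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a --delete /srv/data/ /mnt/backup/
alice  ALL=(root) /usr/bin/systemctl restart nginx
EOF

# Print the effective value of an sshd_config keyword (keyword match is
# case-insensitive, comment/blank lines are skipped, first occurrence wins).
sshd_effective() { # $1=config file  $2=keyword
    awk -v k="$2" '/^[[:space:]]*#/ || NF < 2 { next }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print the forced command attached to the key whose comment matches $2,
# or nothing if that key carries no command= option.
key_forced_command() { # $1=authorized_keys  $2=key comment
    grep -F -- "$2" "$1" | sed -n 's/.*command="\([^"]*\)".*/\1/p'
}

# For user $2 and command prefix $3, print "no" (NOPASSWD), "yes" (password
# required) or "none" (no matching rule), based on the sudoers file $1.
sudo_needs_password() { # $1=sudoers  $2=user  $3=command
    awk -v u="$2" -v c="$3" '
        /^[[:space:]]*#/ { next }
        $1 == u && index($0, c) > 0 {
            v = ($0 ~ /NOPASSWD:/) ? "no" : "yes"; print v; found = 1; exit
        }
        END { if (!found) print "none" }' "$1"
}

# Stand-alone run: show what each sample file permits.
printf 'PermitRootLogin      -> %s\n' "$(sshd_effective "$WORK/sshd_config" PermitRootLogin)"
printf 'backup key forced to -> %s\n' "$(key_forced_command "$WORK/authorized_keys" backup@offsite)"
printf 'backup needs pw      -> %s\n' "$(sudo_needs_password "$WORK/sudoers" backup /usr/bin/rsync)"
printf 'alice needs pw       -> %s\n' "$(sudo_needs_password "$WORK/sudoers" alice /usr/bin/systemctl)"
```

On a real host the authoritative checks are `sshd -T` (dumps the effective configuration, including which of several PermitRootLogin lines actually applies) and `visudo -c -f /etc/sudoers.d/backup` (syntax-checks a drop-in before sudo loads it); the awk helpers above only illustrate the first-match and NOPASSWD rules on the constructed samples.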