Re: [SLUG] better way to consolidate shell commands

From: Mike Branda (mike@wackyworld.tv)
Date: Fri Aug 20 2004 - 09:52:53 EDT


> So ideally, you have another account,
> specifically for ssh, which for one, you can disable when you don't need
> to ssh in, and that will allow you to log session where that user su'd
> to root

Usually I do most things (with the script) as the user and that is
priv'd enough with no su needed. The problem with su when those special
priv'd tasks arise is that it's being done across 122 machines with a
script and a shared rsa key from "my" normal user account. This allows
the script to be run without asking me for 122 passwords. I'm not sure
how you would incorporate the su into the scripted command anyway. The
format I'm using is - ssh user@machine "command". In my tinkering I've
never been able to get it to run more than one program in the place of
"command". Even if something like this does work, I think I would have
to have a second rsa key between the remote user and the remote root so
again, it would not require me to enter 122 passwords in a row.

> Alternatively, you could enable your ssh user to perform those specific
> tasks, without giving them full root privileges, but that's not ideal
> security practice either.

I've thought about this too. The only plus is that I could make it some
obscure odd username that would be harder to guess than the ever so
normal root. This would make it a little harder to hack (the bad way).

Speaking of hacking... does anybody know if they've come up with a
replacement term since this one has been sadly corrupted to mean bad
things?

Mike Branda Jr.
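
The two ideas in this message, a key limited to specific tasks and more than one program per `ssh user@machine "command"` call, can be combined with an OpenSSH forced command. The script below is an added example, not part of the original post; the task names, the commands they map to, the script path and the key file name are hypothetical.

```sh
#!/bin/sh
# Forced-command wrapper (added example). Bound to one key in authorized_keys:
#   command="/usr/local/sbin/fleet-task",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER> fleet
# sshd runs this script instead of what the client asked for and passes the
# client's request in SSH_ORIGINAL_COMMAND. Called from the admin machine as:
#   ssh -i ~/.ssh/fleet_key user@machine "disk-report uptime"

# Map a task name to the fixed command it stands for (hypothetical tasks).
# Prints the command; returns 1 for anything not on the list.
resolve_task() {
    case "$1" in
        disk-report)  echo "df -h" ;;
        uptime)       echo "uptime" ;;
        restart-cron) echo "/etc/init.d/cron restart" ;;
        *)            return 1 ;;
    esac
}

# Run every task named in the request (space separated). The request is never
# passed to a shell or eval; each word must match a task name exactly, and the
# whole request is checked before the first command runs.
# Exit status: 0 ok, 1 denied, 2 empty request, 3 a task failed.
run_request() (
    set -f   # subshell body: globbing off, and "exit" leaves only this function
    [ -n "$1" ] || { echo "no task given" >&2; exit 2; }
    for task in $1; do
        resolve_task "$task" >/dev/null || { echo "denied: $task" >&2; exit 1; }
    done
    for task in $1; do
        cmd=$(resolve_task "$task")
        if [ -n "${DRY_RUN:-}" ]; then echo "would run: $cmd"; else $cmd || exit 3; fi
    done
)

# When started by sshd as a forced command, serve the request and stop.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    run_request "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Setting DRY_RUN=1 makes the script print the commands it would run instead of running them.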
