Re: [SLUG] better way to consolidate shell commands

From: Eben King (eben1@tampabay.rr.com)
Date: Fri Aug 20 2004 - 11:47:43 EDT


On Fri, 20 Aug 2004, Mike Branda wrote:

> > So ideally, you have another account,
> > specifically for ssh, which for one, you can disable when you don't need
> > to ssh in, and that will allow you to log session where that user su'd
> > to root
>
> Usually I do most things (with the script) as the user and that is
> priv'd enough with no su needed. The problem with su when those special
> priv'd tasks arise is that it's being done across 122 machines with a
> script and a shared rsa key from "my" normal user account. This allows
> the script to be run without asking me for 122 passwords. I'm not sure
> how you would incorporate the su into the scripted command anyway.

Use sudo, without a password:

command='sudo /sbin/init 6'

like that, I think

> the format I'm using is - ssh user@machine "command" .

So you would do

ssh user@machine 'sudo /sbin/init 0'

(You can swap ' and " if you want, so variables are interpreted.)

> Even if something like this does work, I think I would have
> to have a second rsa key between the remote user and the remote root so
> again, it would not require me to enter 122 passwords in a row.

Not if sudo is appropriately set up. From /etc/sudoers:

users  programs
vvv    vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
ALL    pc=NOPASSWD: /export/bin/calls, /export/bin/commonprobes, ...
       ^^
       machines

The man page has the BNF specification of the allowed syntax. There are
examples at the bottom, and you may want to find a document on dead tree
or on the net explaining it differently.

> > Alternatively, you could enable your ssh user to perform those specific
> > tasks, without giving them full root privileges, but that's not ideal
> > security practice either.
>
> I've thought about this too. The only plus is that I could make it some
> obscure odd username that would be harder to guess than the ever so
> normal root. This would make it a little harder to hack (the bad way).

Security by obscurity... almost always a bad bet.

-- 
-eben    ebQenW1@EtaRmpTabYayU.rIr.OcoPm    home.tampabay.rr.com/hactar
LIBRA:  A big promotion is just around the corner for someone
much more talented than you.  Laughter is the very best medicine,
remember that when your appendix bursts next week.  -- Weird Al
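The two practical points in the reply are the quoting (which side expands a variable, and why `sudo "/sbin/init 6"` hands sudo one argument containing a space) and the shape of a NOPASSWD sudoers entry limited to named commands on a named host. The following is an added example, not code from the thread; it stands in for the remote shell with `sh -c` so it runs offline, and the user `ops`, the host `pc` and the command paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread.  The remote side is simulated with
# `sh -c` so nothing touches the network; "ops", "pc" and the /export/bin
# paths are placeholders standing in for the thread's values.

# Stand-in for `ssh user@host "command"`: sshd passes the command string to
# the remote login shell, which is exactly what `sh -c` does here.  The
# "remote" shell gets its own value of WHO so we can see which side expanded it.
fake_ssh() {
    shift                      # drop user@host; the rest is the command string
    WHO=remote sh -c "$*"
}

WHO=local                      # the local shell's value of the same variable

# Single quotes: the string reaches the remote shell untouched, so the remote
# side expands $WHO.  Returns "remote".
expand_remote() {
    fake_ssh ops@pc 'echo $WHO'
}

# Double quotes: the local shell expands $WHO before ssh ever sees it, which
# is the "swap ' and \" so variables are interpreted" case.  Returns "local".
expand_local() {
    fake_ssh ops@pc "echo $WHO"
}

# Why `sudo "/sbin/init 6"` fails: the quotes turn it into ONE argument with a
# space in it, so sudo looks for a program literally named "/sbin/init 6".
# This helper reports how many arguments the shell actually produced.
count_args() {
    echo $#
}

# Least-privilege sudoers entry for the scripted account: only the named
# commands, only on the named host, no password (required for unattended
# runs).  Commands are given by absolute path so a PATH change cannot swap
# in a different binary.
sudoers_line() {
    user=$1; host=$2; shift 2
    cmds=$(printf '%s, ' "$@")
    printf '%s %s = NOPASSWD: %s\n' "$user" "$host" "${cmds%, }"
}

# Syntax-check a candidate line with visudo when it is installed, rather than
# editing /etc/sudoers by hand.  Prints "skipped" where visudo is absent.
check_sudoers_line() {
    if command -v visudo >/dev/null 2>&1; then
        tmp=$(mktemp) && printf '%s\n' "$1" > "$tmp"
        visudo -cf "$tmp" >/dev/null 2>&1 && echo ok || echo bad
        rm -f "$tmp"
    else
        echo skipped
    fi
}

# Demonstration when run directly.
echo "single quotes expand on the: $(expand_remote) side"
echo "double quotes expand on the: $(expand_local) side"
echo "arguments from \"/sbin/init 6\": $(count_args "/sbin/init 6")"
echo "arguments from /sbin/init 6:     $(count_args /sbin/init 6)"
line=$(sudoers_line ops pc /export/bin/calls /export/bin/commonprobes /sbin/init)
echo "$line"
echo "visudo check: $(check_sudoers_line "$line")"
```

The generated line is the same shape as the `ALL pc=NOPASSWD:` entry quoted above, with a named account in place of `ALL`; running `visudo -cf` on a temporary copy catches a syntax slip before it locks everyone out of sudo on 122 hosts.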

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:02:39 EDT