ssh root denied
Sam C. Nicholson !!
scion at webrelay.net
Tue Apr 13 16:05:42 PDT 2004
Date: Tue, 13 Apr 2004 17:36:56 -0300 (EST)
From: <scuba at centroin.com.br>
>On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>
>|Root logins are disallowed by default on FreeBSD
>|for security reasons. The recommended approach
>|is to log on an account that is a member of the
>|"wheel" group, and su(1) to root when necessary
>|for administrative purposes while doing your routine
>|work under a less-privileged UID...
>
> But, what should be te correct approach when you want to copy
>root's files and/or remote execute programs as root with scripts using
>scp/ssh and key authentication?
>Like:
>
> scp master.passwd host2:/etc/
> or
> ssh host2 'pwd_mkdb -p /etc/master.passwd'
>
>
>- Marcelo
To allow user fred to execute an arbitrary program, say ndc on a remote system:
1) allow fred to ssh with (and only with) [rd]sa keys, so that this works.
fred at homesys> ssh remotesys echo foo
foo
fred at homesys>
2) on remotesys add the following to /whatever/etc/sudoers with "sudo visudo"
fred ALL = NOPASSWD:/usr/sbin/ndc
3) verify with
fred at homesys> ssh remotesys sudo /usr/sbin/ndc restart
Options:
You can, if you feel the need, set fred's local ssh key to require a password.
Sudoers can be set to allow only a particular set of options to command.
For that, I create pseudo users for particular classes of tasks.
I haven't used su since I found sudo. I've not logged in as root, save in a
grave emergency in 7-8 years. I've a CD which contains all the .ssh/auth_keys,
etc, and use it after installing a machine, and before plugging it in the net.
More information about the freebsd-questions
mailing list