RE: remote ssh for root

From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 05/09/05

  • Next message: Stephen Cooke (KN): "RE: Binding ssh to a loopback address"
    Date: Mon, 9 May 2005 09:32:56 -0600
    To: <daniel.engelsen@caremark.com>
    
    

    OK, I see what you mean. How about this - don't know if it exactly
    meets what you need, but it should get you close:

    If you're using the openssh 4 ssh server (and this is likely present in
    earlier versions, I haven't checked), set PermitRootLogin to
    "forced-commands-only". This allows root login with public key
    authentication only, and only when a specific command has been specified
    for execution.

    Then, make a keypair for root, and put the private key only on the one
    trusted admin box (with appropriate. Add to the start of the relevant
    line in .ssh/authorized_keys2 file the limitation:
    from="trustedhost.my.domain"

    Optionally, you can apply other limits to the use of the key you've
    created. For example, limit the command(s) that can be run with that
    key, by adding
    command="/path/to/command"
    to the start of the relevant line of root's .ssh/authorized_keys2 file

    see the section AUTHORIZED_KEYS FILE FORMAT in the sshd manpage for the
    list of possibilities.

    Hope that helps
    Mark

    > -----Original Message-----
    > From: daniel.engelsen
    > Sent: May 9, 2005 08:51
    > To: Mark Senior
    > Subject: RE: remote ssh for root
    >
    >
    > I want to have one host that is trusted by the many hosts.
    > From this host, I want to be able to perform a remote ssh to
    > the many boxes as root; however, I do not want to allow
    > direct root login on any of the servers.
    > If you want to be root, I want the user to have to su to the root id.
    > Also, I do not want to limit what comamnds I can run as root
    > on these boxes from this trusted host.
    >
    > Thanks,
    > Dan
    >
    >
    >
    > Mark Senior
    > To: Daniel Engelsen
    > Subject: RE: remote ssh for root
    >
    >
    >
    > I'm sorry, could you clarify what you mean exactly? I'm not
    > sure what you mean, to ssh as root, without logging in as
    > root via ssh.
    >
    > I suppose just using su or sudo wouldn't cut it?
    >
    > Thanks
    > Mark
    >
    >
    >
    > > -----Original Message-----
    > > From: daniel.engelsen
    > > Sent: May 6, 2005 10:22
    > > To: secureshell@securityfocus.com
    > > Subject: remote ssh for root
    > >
    > > I would like to setup a trusted host that utilizes ssh;
    > however, I do
    > > not want root to be loginable. If I set PermitRootLogin to
    > no, then
    > > the remote ssh function stops as well. Does anyone know of
    > a way to
    > > be able to do remote ssh's as root without allowing root to
    > be able to
    > > login?
    > >
    > > I am using AIX versions 5.1, 5.2, and 5.3, and we are running ssh
    > > versions
    > > 3.6 and 3.8.
    > >
    > > Any ideas would be greatly appreciated.
    > >
    > > Thanks,
    > >
    > >
    > >
    >

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.


  • Next message: Stephen Cooke (KN): "RE: Binding ssh to a loopback address"

    Relevant Pages

    • Re: I am having serious difficulty getting host based authenication working with ssh
      ... localhost and then think about host to host? ... [root@mandrake root]# echo "IgnoreRhosts no ... the server I was going to ssh into using ... RedHat servers tend to come with sshd already up and running by default. ...
      (SSH)
    • RE: Linux hacked
      ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
      (Security-Basics)
    • Re: How can I configure to run as root all the time ?
      ... Thanks for responding to my query related to SSH. ... NCP1 is a host with some defined IP address like 10.1.1.201. ... I want to run ssh/scp as root because the keys will be generated by ...
      (comp.security.ssh)
    • Re: Linux hacked
      ... To find out what kernel version you are running, type "uname -a" without ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
      (Security-Basics)
    • Re: X11Forwarding, ssh -X, and /bin/su
      ... ]>but I'm not really tunneled using ssh then, ... ]connecting to the X server and have the home directory NFS-mounted ... ](unless you leave root unmapped over NFS, ... ]root-readable place and set the environment $XAUTHORITY variable ...
      (comp.security.ssh)