RE: remote ssh for root

daniel.engelsen_at_caremark.com
Date: 05/18/05

    To: Mark Senior <Mark.Senior@gov.ab.ca>
    Date: Wed, 18 May 2005 08:25:15 -0700
    
    

    This does not seem to work either. Per the man page, with the
    forced-commands-only option set, you have to have the command option set.
    Also, if you use that key it executes what is specified in the command
    option. Thanks for the effort though. It just appears that ssh does not
    have the capability to prevent an actual login, but allow remote command
    execution as root.

    Thanks,
    Dan

    Mark Senior <Mark.Senior@gov.ab.ca>
    To: Daniel Engelsen/PCSHS@PCSHS
    cc: secureshell@securityfocus.com
    05/10/2005 07:58 AM
    Subject: RE: remote ssh for root

    Sure - just don't specify any 'command' limits, only 'from' limits.

    Like I said, it's optional to apply limits at all - the default is
    always to allow everything.

    Mark

    > -----Original Message-----
    > From: daniel.engelsen@caremark.com
    > [mailto:daniel.engelsen@caremark.com]
    > Sent: May 9, 2005 09:46
    > To: Mark Senior
    > Cc: secureshell@securityfocus.com
    > Subject: RE: remote ssh for root
    >
    >
    > I was playing around with that, but I really don't want to
    > limit the commands that may be run as root from this trusted
    > host. Is there a way to say ALL commands like there is in sudo?
    >
    > Thanks,
    > Dan
    >
    >
    >
    >
    > Mark Senior <Mark.Senior@gov.ab.ca>
    > To: Daniel Engelsen/PCSHS@PCSHS
    > cc: secureshell@securityfocus.com
    > 05/09/2005 08:32 AM
    > Subject: RE: remote ssh for root
    >
    > OK, I see what you mean. How about this - don't know if it
    > exactly meets what you need, but it should get you close:
    >
    > If you're using the openssh 4 ssh server (and this is likely
    > present in earlier versions, I haven't checked), set
    > PermitRootLogin to "forced-commands-only". This allows root
    > login with public key authentication only, and only when a
    > specific command has been specified for execution.
    >
    > Then, make a keypair for root, and put the private key only
    > on the one trusted admin box (with appropriate. Add to the
    > start of the relevant line in .ssh/authorized_keys2 file the
    > limitation:
    > from="trustedhost.my.domain"
    >
    > Optionally, you can apply other limits to the use of the key
    > you've created. For example, limit the command(s) that can
    > be run with that key, by adding command="/path/to/command"
    > to the start of the relevant line of root's .ssh/authorized_keys2 file
    >
    > see the section AUTHORIZED_KEYS FILE FORMAT in the sshd
    > manpage for the list of possibilities.
    >
    > Hope that helps
    > Mark
    >
    > > -----Original Message-----
    > > From: daniel.engelsen
    > > Sent: May 9, 2005 08:51
    > > To: Mark Senior
    > > Subject: RE: remote ssh for root
    > >
    > >
    > > I want to have one host that is trusted by the many hosts.
    > > From this host, I want to be able to perform a remote ssh to the many
    > > boxes as root; however, I do not want to allow direct root login on
    > > any of the servers.
    > > If you want to be root, I want the user to have to su to the root id.
    > > Also, I do not want to limit what commands I can run as root on these
    > > boxes from this trusted host.
    > >
    > > Thanks,
    > > Dan
    > >
    > >
    > >
    > > Mark Senior
    > > To: Daniel Engelsen
    > > Subject: RE: remote ssh for root
    > >
    > >
    > >
    > > I'm sorry, could you clarify what you mean exactly? I'm not sure what
    > > you mean, to ssh as root, without logging in as root via ssh.
    > >
    > > I suppose just using su or sudo wouldn't cut it?
    > >
    > > Thanks
    > > Mark
    > >
    > >
    > >
    > > > -----Original Message-----
    > > > From: daniel.engelsen
    > > > Sent: May 6, 2005 10:22
    > > > To: secureshell@securityfocus.com
    > > > Subject: remote ssh for root
    > > >
    > > > I would like to set up a trusted host that utilizes ssh; however, I do
    > > > not want root to be loginable. If I set PermitRootLogin to no, then
    > > > the remote ssh function stops as well. Does anyone know of a way to
    > > > be able to do remote ssh's as root without allowing root to be able to
    > > > login?
    > > >
    > > > I am using AIX versions 5.1, 5.2, and 5.3, and we are running ssh
    > > > versions 3.6 and 3.8.
    > > >
    > > > Any ideas would be greatly appreciated.
    > > >
    > > > Thanks,
    > > >
    > > >
    > > >
    > >
    >
    > This email and any files transmitted with it are confidential
    > and intended solely for the use of the individual or entity
    > to whom they are addressed.
    > If you have received this email in error please notify the
    > system manager.
    > This message contains confidential information and is
    > intended only for the individual named. If you are not the
    > named addressee you should not disseminate, distribute or
    > copy this e-mail.

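An added audit script, not from this thread, that reads root's authorized_keys the way the sshd AUTHORIZED_KEYS FILE FORMAT section describes (a comma-separated option prefix such as from="..." or command="...", quoted values allowed to contain commas, then the key) and reports, for a given PermitRootLogin value, which keys sshd would refuse under forced-commands-only because they lack command=, which keys carry no from= host restriction, and that every key is unusable under PermitRootLogin no. The sample file contents, the command path and the key material are constructed; only the host name trustedhost.my.domain comes from the thread.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# one option: name[=value]; a value is double-quoted (and may contain commas) or bare
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:=("(?:[^"\\]|\\.)*"|[^,]*))?')
# the option prefix of a line: non-space runs or quoted strings, then the key itself
PREFIX_RE = re.compile(r'((?:[^\s"]+|"(?:[^"\\]|\\.)*")+)\s+(.*)')

def parse_options(prefix):
    # map option name to its value (quotes stripped), or True for bare flags like no-pty
    opts = {}
    for name, value in OPT_RE.findall(prefix):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        opts[name] = value or True
    return opts

def parse_line(line):
    # return (options, key_type, comment), or None for blank lines and '#' comments
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = None if line.startswith(KEY_TYPES) else PREFIX_RE.match(line)
    opts = parse_options(m.group(1)) if m else {}
    parts = (m.group(2) if m else line).split(None, 2)
    return opts, parts[0], (parts[2] if len(parts) > 2 else "")

def audit(lines, permit_root_login):
    """Findings for root's keys under PermitRootLogin no / forced-commands-only / yes."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        opts, _key_type, label = parsed
        if permit_root_login == "no":  # what Dan hit: every root login is refused
            findings.append(f"{label}: unusable, PermitRootLogin no refuses all root logins")
            continue
        if "from" not in opts:
            findings.append(f"{label}: no from= restriction, usable from any host")
        if permit_root_login == "forced-commands-only" and "command" not in opts:
            findings.append(f"{label}: refused, forced-commands-only requires command=")
    return findings

# constructed sample of /root/.ssh/authorized_keys; the key material is placeholder text
SAMPLE = """\
from="trustedhost.my.domain" ssh-rsa AAAAB3_placeholder_1 admin@trusted
from="trustedhost.my.domain",command="/usr/local/sbin/backup",no-pty ssh-rsa AAAAB3_placeholder_2 backup
ssh-rsa AAAAB3_placeholder_3 unrestricted
""".splitlines()
```

Run `audit(SAMPLE, "forced-commands-only")` to see the two keys sshd would refuse and the one with no host restriction; the same file under "yes" only flags the unrestricted key.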

