ssh to root
Ruben de Groot
mail25 at bzerk.org
Thu Jan 21 07:46:24 UTC 2010
On Wed, Jan 20, 2010 at 11:09:14PM -0500, Steve Bertrand typed:
> Aryeh M. Friedman wrote:
> > I need to set up a machine so that I can type "ssh [host]" as root from
> > some other host and I get a prompt with super user privs... I already
> > have set this up for user at host for root and ssh host for normal users...
> > but root still asks for a password after I set the authorized_keys file
> > in ~root/.ssh.. I have looked at ssh_config(5) but can't tell what
> > option (if any) does this... if anyone is coruious the final goal here
> > is to set up a sysutils/fusefs-ssh for this host (already installed and
> > working for normal users but want to make it so it is done as root)
> Don't do it.
> *never* permit root-level access directly to *any* of your equipment.
This is not very helpfull.
In a private LAN these security mantras become a lot less obvious. You defend
the LAN, not necessarily the individual systems.
To Aryen: you might want to set PermitRootLogin to 'without-password' in
/etc/ssh/sshd_config. That way, password authentications for root are still
disabled and only users from machines with the correct private keys are allowed.
> You want to provide as many levels of escalation to root level as you
> can, no matter what protocol you are using.
> Auth in as a normal user (as you stated is already working), and then
> use sudo(8) to escalate yourself.
> If you can already "ssh [host]" as a normal user, then you already have
> the concept of keys.
> You can automate the escalation after you've authenticated, and then do
> what you want to do.
> ...don't do it.
> # pkg_add -r sudo
> # rehash
> # man sudo
> Then, when/if you have problems with specific functions that need root
> privileges, ask those questions here instead.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions