ssh root denied

Sam C. Nicholson !! scion at
Tue Apr 13 16:05:42 PDT 2004

Date: Tue, 13 Apr 2004 17:36:56 -0300 (EST)
From: <scuba at>

>On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>|Root logins are disallowed by default on FreeBSD
>|for security reasons.  The recommended approach
>|is to log on an account that is a member of the
>|"wheel" group, and su(1) to root when necessary
>|for administrative purposes while doing your routine
>|work under a less-privileged UID...
>	But, what should be te correct approach when you want to copy
>root's files and/or remote execute programs as root with scripts using
>scp/ssh and key authentication?
>	scp master.passwd host2:/etc/
>	or
>	ssh host2 'pwd_mkdb -p /etc/master.passwd'
>- Marcelo

To allow user fred to execute an arbitrary program, say ndc on a remote system:

1) allow fred to ssh with (and only with) [rd]sa keys, so that this works.

fred at homesys> ssh remotesys echo foo
fred at homesys> 

2) on remotesys add the following to /whatever/etc/sudoers with "sudo visudo"

	fred  ALL = NOPASSWD:/usr/sbin/ndc

3) verify with

fred at homesys> ssh remotesys sudo /usr/sbin/ndc restart

You can, if you feel the need, set fred's local ssh key to require a password.
Sudoers can be set to allow only a particular set of options to command.
For that, I create pseudo users for particular classes of tasks.

I haven't used su since I found sudo.  I've not logged in as root, save in a 
grave emergency in 7-8 years.  I've a CD which contains all the .ssh/auth_keys,
etc, and use it after installing a machine, and before plugging it in the net.

More information about the freebsd-questions mailing list