[NBLUG/talk] Root and SSH questions..

Steve Johnson srj at adnd.com
Wed Sep 17 18:23:00 PDT 2003


This is exactly what I'm going to do, thanks Eric =) You're the man! =)

-Steve


Eric Eisenhart wrote:
> On Wed, Sep 17, 2003 at 04:14:39PM -0700, E Frank Ball wrote:
> 
>>I'd go ahead and allow root login via ssh, but turn off passwords:
>>
>># To disable tunneled clear text passwords, change to no here!
>>PasswordAuthentication no
>>
>>And only allow ssh key pairs for logging in.
> 
> 
> That'd turn off password authentication for everybody, not just root; which
> may not be feasible.
> 
> Better:
> 
> PermitRootLogin without-password
> 
> Which would leave the rest alone, but allow only other methods (ssh keys)
> for login.
> 
> Best:
> PermitRootLogin forced-commands-only
> 
> Which would only allow root to run very specific commands based on which key
> is used.
> 
> Then in ~root/.ssh/authorized_keys, put something like this in front of the
> key:
> from="blah.example.com",command="rsync --server --sender -vlHogDtprxz --partial --delete-after . /"
> 
> For your first pass, leave out the command= part -- use "ps auxwww | grep
> [r]sync" to see what specific command is required for what you're doing,
> then allow just that one single command.
> 
> This will allow that key to work only from a specific location and only to
> execute that single task.  It raises the bar for an attacker by (a)
> requiring that they get an ssh key instead of just a password, (b) be able
> to run the command from that host (or compromise DNS or spoof IPs) or at the
> very least from inside your network and (c) be able to figure out how to do
> something nasty based on simply having a copy of your data instead of a root
> shell.
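
An added example, not part of the original thread: a small Python audit of root's authorized_keys that reports which key lines lack the `from=` and `command=` restrictions described above. Under `PermitRootLogin forced-commands-only`, sshd accepts a root key only if it carries `command=`. The sample lines, key material and function names are constructed for illustration.

```python
import re

# Assumption: a line without options starts with one of these key-type prefixes.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
# name, optionally =value; a quoted value may contain commas, spaces and \" escapes.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:=("(?:\\.|[^"\\])*"|[^\s,"]*))?')

def split_options(line):
    """Split one authorized_keys line into (options dict, key part)."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return {}, line
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        opts[m.group(1).lower()] = True if val is None else val
        pos = m.end()
        if line[pos:pos + 1] != ",":
            break
        pos += 1
    if not line[pos:pos + 1].isspace():
        raise ValueError("options field is not followed by a key")
    return opts, line[pos:].strip()

def audit_root_keys(text):
    """Return [(line_no, [findings])] for every key line in the file text."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, _key = split_options(raw)
        findings = [f"no {o}=" for o in ("command", "from") if o not in opts]
        report.append((n, findings))
    return report

# Constructed sample: key material and comments are placeholders.
SAMPLE = """\
from="blah.example.com",command="rsync --server --sender -vlHogDtprxz --partial --delete-after . /" ssh-rsa AAAAPLACEHOLDER backup
from="blah.example.com" ssh-rsa AAAAPLACEHOLDER first-pass
ssh-rsa AAAAPLACEHOLDER admin
"""

if __name__ == "__main__":
    for n, findings in audit_root_keys(SAMPLE):
        print(n, findings or "restricted by from= and command=")
```

The second sample line is the "first pass" state from the message (no `command=` yet), which the audit reports so it is not left in place after the rsync command has been pinned.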




