On 2008-04-07, Todd H.
> Ignoramus10392
>
>>> You did not understand him. Disallow root logins. Then you can get in as
>>> yourself and then su or sudo to root.
>>
>> automatically from a script?
>
> That's an orthogonal question to the whole ssh discussion if your
> script is executing on the local box.
>
> If you need to remotely do things on another box logging in as root
> with ssh and avoiding any password entry, doing public key auth to a
> role account (e.g. myscriptrunner as an account name) and then
> configuring sudo to allow the user myscriptrunner to run whatever
> command you need without entering the root password in /etc/sudoers is
> the way to go. Then as myscriptrunner the script would invoke sudo
> /usr/bin/whatever to run as root.
Yes, I need to do it remotely. What I do is I first update the zone
files with cvs update (as regular user), and then I sighup the
nameserver as root.
I think that your idea is good, however:
The problem is that, even without root logon, hacking my personal
account means inevitable root access, because root runs my scripts. So
the value of isolating those root commands is very limited.
>>> If you put yourself into the sudo list then you could do a
>>> passwordless root login to yourself, and run the script which has a
>>> sudo in it to allow root to do the things it needs to do. You can
>>> also make sure that sudo only allows a few commands to be done in
>>> that way.
>>
>> I guess I was mistaken, but I thought that both sudo and su require me
>> to enter some kind of password (mine or root's). Is that wrong?
>
> You'll need to modify the sudo config file /etc/sudoers if you want to
> disable the need for an interactive user to type the root password
> when using sudo.
>
> man 5 sudoers
>
> Tag_Spec ::= ('NOPASSWD:'
>
> will be of particular interest, but you'll want to limit being able to
> run that way down to the specific command or commands you absolutely
> must be able to sudo rather than saying "yeah this user can do
> whatever as root without a password."
>
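As an added example (not code from the thread), this is the narrow sudoers rule Todd describes for the role account `myscriptrunner`, together with a check that the rule names exactly one command, and the job itself: `cvs update` as the unprivileged user, then the single permitted root step. It assumes BIND with `rndc reload` standing in for the SIGHUP, and the paths are assumptions.

```shell
#!/bin/sh
# Added example: a sudoers rule for the role account from the thread, restricted
# to one command with fixed arguments, plus the script that uses it.

ROLE_USER=myscriptrunner
RELOAD_CMD=/usr/sbin/rndc          # assumption: BIND, reloaded via rndc

# The rule to install as /etc/sudoers.d/myscriptrunner (mode 0440).
# Fixed arguments: the role account may run 'rndc reload' and nothing else.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s reload\n' "$ROLE_USER" "$RELOAD_CMD"
}

# Guard against the broad rule the thread warns about: the command field must
# be one absolute path and must not be ALL or carry a sudoers wildcard.
rule_is_narrow() {
    cmd=${1#*NOPASSWD: }
    case "$cmd" in
        ''|ALL|*'*'*|*'?'*) return 1 ;;
        /*)                 return 0 ;;
        *)                  return 1 ;;
    esac
}

# Syntax-check the rule with visudo before installing it (visudo -cf exits
# non-zero on a parse error, which would otherwise lock sudo for everyone).
check_rule() {
    tmp=$(mktemp) || return 1
    sudoers_rule > "$tmp"
    chmod 0440 "$tmp"
    visudo -cf "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The job, run as myscriptrunner over key-based ssh or from its crontab:
# unprivileged work first, then the one privileged step. 'sudo -n' never
# prompts, so a rule mismatch fails loudly instead of hanging the script.
update_and_reload() {
    zone_dir=${1:-/var/named/zones}    # assumption: checked-out zone files
    ( cd "$zone_dir" && cvs -q update ) || return 1
    sudo -n "$RELOAD_CMD" reload
}
```

Compromise of `myscriptrunner` then yields only the ability to reload the nameserver, not a root shell, which addresses the concern about scripts run from a personal account.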