Date: Fri, 7 Jul 2000 00:10:39 -0700
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Nick Slager
Cc: questions@FreeBSD.ORG
Subject: Re: Root logins with ssh
Message-ID: <20000707001038.G682@dialin-client.earthlink.net>
In-Reply-To: <20000707161827.A51081@albury.net.au>

On Fri, Jul 07, 2000 at 04:18:28PM +1000, Nick Slager wrote:
> Obviously it's bad to permit root logins with ssh. However, from the sshd(8)
> manpage:
>
>      PermitRootLogin
>              Specifies whether the root can log in using ssh(1). The argument
>              must be ``yes'', ``without-password'' or ``no''. The default is
>              ``yes''. If this option is set to ``without-password'' only
>              password authentication is disabled for root.
>
>              Root login with RSA authentication when the command option has
>              been specified will be allowed regardless of the value of this
>              setting (which may be useful for taking remote backups even if
>              root login is normally not allowed).
>
> It's that last paragraph that interests me. I want to keep PermitRootLogin set
> to 'no' in sshd_config, but allow root logins for backups with rsync/ssh. I
> can't seem to "make it so", though.
>
> I'm running openssh 2.1.1 (from the base system with 4.0-STABLE). Using SSH2
> protocol with DSA keys, although it doesn't seem to work with SSH1 and RSA,
> either.
>
> Has anyone managed to do this? Pointers appreciated.

Never done it with DSA keys. Done it with RSA keys.

1) Make a private/public keypair with no passphrase using ssh-keygen on the
   client.

2) Put the public key in /root/.ssh/authorized_keys[0] on the server.

3) You now can ssh into the server from the client. You may want to use the
   '-i' option at the client if the identity key for this purpose is not the
   default one.

[0] This is not all that secure. If someone can get the private key that's on
the client, they have root on the server. For a tiny bit more security, I use
a 'from=' specification in the authorized_keys file (these options are
described in sshd(8)). That key is only good from that machine (or a machine
that can successfully spoof TCP to the server).

-- 
Crist J. Clark                           cjclark@alum.mit.edu
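As an added example, not part of the thread, here is a small Python audit that parses root's authorized_keys the way sshd(8) describes it (an optional comma-separated options field, then the key) and flags entries carrying neither the from= nor the command= restriction that the manpage and the reply above rely on. The sample file contents, host names and key material are constructed placeholders.

```python
"""Audit an authorized_keys file for root keys lacking both the from= and
command= options of sshd(8). All sample data below is constructed."""

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # protocol-2 key types in OpenSSH 2.x


def _scan(text, stop):
    """Index of the first char satisfying stop() outside double quotes;
    a backslash escapes the next char inside quotes (sshd(8) syntax)."""
    quoted, i = False, 0
    while i < len(text) and (quoted or not stop(text[i])):
        if quoted and text[i] == "\\":
            i += 1
        elif text[i] == '"':
            quoted = not quoted
        i += 1
    return i


def parse_line(line):
    """Return (options, key_type), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first in KEY_TYPES or first.isdigit():  # no options: key comes first
        return {}, ("ssh1" if first.isdigit() else first)
    end = _scan(line, str.isspace)  # options field ends at unquoted space
    field, rest = line[:end], line[end:].lstrip()
    options = {}  # flag options map to True; valued ones lose outer quotes
    while field:
        cut = _scan(field, lambda c: c == ",")
        name, sep, value = field[:cut].partition("=")
        options[name.lower()] = value.strip('"') if sep else True
        field = field[cut + 1:]
    ktype = rest.split(None, 1)[0] if rest else ""
    return options, ("ssh1" if ktype.isdigit() else ktype)


def unrestricted(lines):
    """1-based numbers of lines whose key has neither from= nor command=,
    i.e. full root for whoever obtains the matching private key."""
    return [n for n, line in enumerate(lines, 1)
            if (p := parse_line(line)) and not {"from", "command"} & p[0].keys()]


SAMPLE = [  # constructed /root/.ssh/authorized_keys; key material is fake
    "# root backup keys",
    'from="backup.example.net",command="rsync --server --sender . /",no-pty ssh-rsa AAAAB3Nza...PLACEHOLDER backup@client',
    "ssh-dss AAAAB3Nza...PLACEHOLDER admin@laptop",
    "1024 35 1234567890PLACEHOLDER old-ssh1-key",
    'from="10.0.0.5" ssh-rsa AAAAB3Nza...PLACEHOLDER one-host-only',
]
```

On the sample, unrestricted(SAMPLE) returns [3, 4]: the plain DSA key and the old SSH1 key, while the from=-only entry passes the check just as the reply's own setup would.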