Date: Fri, 7 Jul 2000 00:10:39 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Nick Slager <nicks@albury.net.au>
Cc: questions@FreeBSD.ORG
Subject: Re: Root logins with ssh
Message-ID: <20000707001038.G682@dialin-client.earthlink.net>
In-Reply-To: <20000707161827.A51081@albury.net.au>; from nicks@albury.net.au on Fri, Jul 07, 2000 at 04:18:28PM +1000
References: <20000707161827.A51081@albury.net.au>
On Fri, Jul 07, 2000 at 04:18:28PM +1000, Nick Slager wrote:
> Obviously it's bad to permit root logins with ssh. However, from the sshd(8)
> manpage:
>
>      PermitRootLogin
>              Specifies whether the root can log in using ssh(1).  The argument
>              must be ``yes'', ``without-password'' or ``no''.  The default is
>              ``yes''.  If this option is set to ``without-password'' only
>              password authentication is disabled for root.
>
>              Root login with RSA authentication when the command option has
>              been specified will be allowed regardless of the value of this
>              setting (which may be useful for taking remote backups even if
>              root login is normally not allowed).
>
> It's that last paragraph that interests me. I want to keep PermitRootLogin set
> to 'no' in sshd_config, but allow root logins for backups with rsync/ssh. I
> can't seem to "make it so", though.
>
> I'm running openssh 2.1.1 (from the base system with 4.0-STABLE). Using SSH2
> protocol with DSA keys, although it doesn't seem to work with SSH1 and RSA,
> either.
>
> Has anyone managed to do this? Pointers appreciated.

Never done it with DSA keys. Done it with RSA keys.

1) Make a private/public keypair with no passphrase using ssh-keygen on the
   client.

2) Put the public key in /root/.ssh/authorized_keys[0] on server.

3) You now can ssh into the server from the client. You may want to use the
   '-i' option at the client if the identity key for this purpose is not the
   default one.

[0] This is not all that secure. If someone can get the private key that's on
the client, they have root on the server. For a tiny bit more security, I use
a 'from=' specification in the authorized_keys file (these options are
described in sshd(8)). That key is only good from that machine (or a machine
that can successfully spoof TCP to the server).
--
Crist J. Clark                          cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000707001038.G682>
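The footnote in the reply above is the important defensive point: a passphrase-less key in /root/.ssh/authorized_keys is a root credential sitting on the backup client, and the `from=` and `command=` options described in sshd(8) are what bound the damage if that key leaks (the key is only usable from the named host, and only to run the forced backup command). The script below is an added example, not code from the thread or from OpenSSH: it parses a root authorized_keys file, including the quoted option syntax where a `from=` or `command=` value may itself contain commas or escaped quotes, and reports every key that is missing either restriction. The file contents are constructed sample data with placeholder key material.

```python
"""Audit a root authorized_keys file for keys that are not pinned to a source
host (from=) and not limited to a forced command (command=).

Added example; not code from the mailing-list thread or from OpenSSH.
SAMPLE below is constructed; the key blobs are placeholders, not real keys.
"""
from typing import Dict, List, Optional, Tuple

# SSH2 key lines start with one of these type tokens. Old SSH1 RSA lines
# ("bits exponent modulus comment") start with a digit instead.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_options(text: str) -> Dict[str, Optional[str]]:
    """Parse the comma-separated option prefix of an authorized_keys line.

    Values may be double-quoted, and a quoted value may contain commas and
    backslash-escaped quotes, so a plain str.split(",") would be wrong for
    e.g. from="10.0.0.1,10.0.0.2". Flag options (no-pty, ...) map to None.
    """
    opts: Dict[str, Optional[str]] = {}
    i, n = 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in "=,":      # option name
            j += 1
        name = text[i:j].strip().lower()
        if j < n and text[j] == "=":
            j += 1
            if j < n and text[j] == '"':          # quoted value
                j += 1
                buf = []
                while j < n and text[j] != '"':
                    if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                        buf.append('"')
                        j += 2
                    else:
                        buf.append(text[j])
                        j += 1
                if j >= n:
                    raise ValueError("unterminated quoted option value")
                j += 1                            # closing quote
                opts[name] = "".join(buf)
            else:                                 # bare value up to next comma
                k = j
                while k < n and text[k] != ",":
                    k += 1
                opts[name] = text[j:k]
                j = k
        elif name:
            opts[name] = None
        if j < n and text[j] == ",":
            j += 1
        i = j
    return opts


def split_line(line: str) -> Tuple[Dict[str, Optional[str]], str, str]:
    """Split a key line into (options, key_type, key_and_comment).

    SSH1-format lines get key_type "rsa1". Options end at the first whitespace
    that is outside double quotes, so a command= with spaces is kept intact.
    """
    line = line.strip()
    first = line.split(None, 1)[0]
    if first in KEY_TYPES or first.isdigit():
        opts_text, rest = "", line
    else:
        in_q, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_q:
                i += 2
                continue
            if c == '"':
                in_q = not in_q
            elif c.isspace() and not in_q:
                break
            i += 1
        opts_text, rest = line[:i], line[i:].strip()
    key_type = rest.split(None, 1)[0]
    return parse_options(opts_text), ("rsa1" if key_type.isdigit() else key_type), rest


def audit(content: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, key_type, problems) for every key lacking from= or command=."""
    findings = []
    for no, raw in enumerate(content.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, key_type, _ = split_line(raw)
        problems = []
        if "from" not in opts:
            problems.append("no from= host restriction")
        if "command" not in opts:
            problems.append("no command= forced command")
        if problems:
            findings.append((no, key_type, problems))
    return findings


# Constructed sample /root/.ssh/authorized_keys; key blobs are placeholders.
SAMPLE = """\
# backup keys (constructed sample)
ssh-dss AAAAB3NzaC1kc3MAAACB_PLACEHOLDER_DSA_KEY= backup@client
from="192.0.2.10",command="/usr/local/sbin/backup-rsync",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAD_PLACEHOLDER_RSA_KEY= backup@client
from="192.0.2.10,192.0.2.11" ssh-rsa AAAAB3NzaC1yc2EAAAAD_PLACEHOLDER_RSA_KEY2= admin@client
1024 35 1234567890PLACEHOLDER_SSH1_MODULUS root@oldclient
"""

if __name__ == "__main__":
    for no, key_type, problems in audit(SAMPLE):
        print(f"line {no} ({key_type}): " + "; ".join(problems))
```

Run against the sample it reports lines 2, 4 and 5; only line 3, the key that is both pinned to a host and forced to the backup command, passes. The `from=` check is the same weak-but-useful control Crist describes (it is still only as strong as the server's trust in the client address), and `command=` is what makes the key usable for the backup and nothing else.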