From: "Sam C. Nicholson !!" <scion@webrelay.net>
To: scuba@centroin.com.br
cc: freebsd-questions@freebsd.org
Date: Tue, 13 Apr 2004 19:05:41 -0400
Message-Id: <20040413230541.777BF38026@nimbus.webrelay.net>
In-reply-to: Your message of "Tue, 13 Apr 2004 17:36:56 -0300."
Subject: Re: ssh root denied

Date: Tue, 13 Apr 2004 17:36:56 -0300 (EST)
From:
>On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>
>|Root logins are disallowed by default on FreeBSD
>|for security reasons. The recommended approach
>|is to log on an account that is a member of the
>|"wheel" group, and su(1) to root when necessary
>|for administrative purposes while doing your routine
>|work under a less-privileged UID...
>
> But, what should be the correct approach when you want to copy
>root's files and/or remote execute programs as root with scripts using
>scp/ssh and key authentication?
>Like:
>
> scp master.passwd host2:/etc/
> or
> ssh host2 'pwd_mkdb -p /etc/master.passwd'
>
>
>- Marcelo

To allow user fred to execute an arbitrary program, say ndc, on a remote system:

1) allow fred to ssh with (and only with) [rd]sa keys, so that this works.

   fred@homesys> ssh remotesys echo foo
   foo
   fred@homesys>

2) on remotesys add the following to /whatever/etc/sudoers with "sudo visudo"

   fred ALL = NOPASSWD:/usr/sbin/ndc

3) verify with

   fred@homesys> ssh remotesys sudo /usr/sbin/ndc restart

Options:

You can, if you feel the need, set fred's local ssh key to require a password.

Sudoers can be set to allow only a particular set of options to a command. For that, I create pseudo users for particular classes of tasks.

I haven't used su since I found sudo. I've not logged in as root, save in a grave emergency, in 7-8 years. I've a CD which contains all the .ssh/auth_keys, etc, and use it after installing a machine, and before plugging it into the net.
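The following is an added example, not part of the thread and not Sam's code: a small evaluator for the subset of sudoers(5) syntax his step 2 uses. It shows the difference between the rule as posted (a bare path, which sudo reads as "any arguments") and the tightened variant he alludes to, where the permitted arguments are spelled out, and how a NOPASSWD tag carries over the rest of a comma-separated list. The sudoers text, the users dns and ops, and the host name remotesys are constructed for the example; aliases, Runas specs, wildcards and groups are deliberately not handled.

```python
"""Evaluate a small subset of sudoers(5) syntax, enough to see how the
NOPASSWD rule from the post behaves and how a rule that names the
permitted arguments is tighter.  Added example, not part of the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import shlex


@dataclass(frozen=True)
class CommandSpec:
    path: str
    # None  -> any arguments are accepted (sudo's meaning of a bare path)
    # ()    -> the command must be run with no arguments (sudoers "")
    # other -> the arguments must match exactly
    args: Optional[Tuple[str, ...]]
    nopasswd: bool


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    commands: Tuple[CommandSpec, ...]


def _parse_command(item: str, nopasswd: bool) -> Tuple[CommandSpec, bool]:
    """Parse one 'TAG:/path args' entry.  A tag persists across the rest of
    the comma-separated list, as it does in a real sudoers file."""
    item = item.strip()
    if item.startswith("NOPASSWD:"):
        nopasswd, item = True, item[len("NOPASSWD:"):]
    elif item.startswith("PASSWD:"):
        nopasswd, item = False, item[len("PASSWD:"):]
    words = shlex.split(item)
    path, rest = words[0], words[1:]
    if not rest:
        args: Optional[Tuple[str, ...]] = None
    elif rest == [""]:
        args = ()
    else:
        args = tuple(rest)
    return CommandSpec(path, args, nopasswd), nopasswd


def parse_sudoers(text: str) -> List[Rule]:
    """Parse lines of the form:  user host = [TAG:]cmd [args][, ...]
    Comments are stripped; aliases, Runas specs and wildcards are not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, rhs = line.split("=", 1)
        user, host = lhs.split()
        commands, nopasswd = [], False
        for item in rhs.split(","):
            spec, nopasswd = _parse_command(item, nopasswd)
            commands.append(spec)
        rules.append(Rule(user, host, tuple(commands)))
    return rules


def check(rules, user, host, argv):
    """Return ("allow", password_required) or ("deny", None).
    As in sudo, the last matching entry decides."""
    verdict = ("deny", None)
    for rule in rules:
        if rule.user != user or rule.host not in ("ALL", host):
            continue
        for spec in rule.commands:
            if spec.path != argv[0]:
                continue
            if spec.args is None or tuple(argv[1:]) == spec.args:
                verdict = ("allow", not spec.nopasswd)
    return verdict


# Constructed sample: the rule from the post for fred, plus two tighter variants
SAMPLE_SUDOERS = """
# rule from the post: any ndc subcommand, no password
fred ALL = NOPASSWD:/usr/sbin/ndc
# only these two invocations, no password
dns  ALL = NOPASSWD:/usr/sbin/ndc restart, /usr/sbin/ndc reload
# anything with a password; 'reload' without one (tag applies from that entry on)
ops  ALL = /usr/sbin/ndc, NOPASSWD:/usr/sbin/ndc reload
"""
RULES = parse_sudoers(SAMPLE_SUDOERS)

if __name__ == "__main__":
    for who, argv in [("fred", ["/usr/sbin/ndc", "stop"]),
                      ("dns", ["/usr/sbin/ndc", "stop"]),
                      ("dns", ["/usr/sbin/ndc", "restart"]),
                      ("ops", ["/usr/sbin/ndc", "restart"]),
                      ("ops", ["/usr/sbin/ndc", "reload"]),
                      ("fred", ["/bin/sh"])]:
        print(who, " ".join(argv), "->", check(RULES, who, "remotesys", argv))
```

Running it shows that fred's rule lets him run any ndc subcommand without a password, while dns can only restart or reload; for a key-only ssh account that is the whole privilege boundary, so the narrower spelling is the one to prefer when the remote script only ever needs one subcommand.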