Date:      Tue, 13 Apr 2004 19:05:41 -0400
From:      "Sam C. Nicholson !!" <scion@webrelay.net>
To:        scuba@centroin.com.br
Cc:        scion@nimbus.webrelay.net
Subject:   Re: ssh root denied 
Message-ID:  <20040413230541.777BF38026@nimbus.webrelay.net>
In-Reply-To: Your message of "Tue, 13 Apr 2004 17:36:56 -0300." <Pine.BSI.4.33.0404131729400.3880-100000@hypselo.centroin.com.br> 

Date: Tue, 13 Apr 2004 17:36:56 -0300 (EST)
From: <scuba@centroin.com.br>

>On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>
>|Root logins are disallowed by default on FreeBSD
>|for security reasons.  The recommended approach
>|is to log on an account that is a member of the
>|"wheel" group, and su(1) to root when necessary
>|for administrative purposes while doing your routine
>|work under a less-privileged UID...
>
>	But, what should be the correct approach when you want to copy
>root's files and/or remote execute programs as root with scripts using
>scp/ssh and key authentication?
>Like:
>
>	scp master.passwd host2:/etc/
>	or
>	ssh host2 'pwd_mkdb -p /etc/master.passwd'
>
>
>- Marcelo

To allow user fred to execute an arbitrary program, say ndc, on a remote system:

1) allow fred to ssh with (and only with) [rd]sa keys, so that this works.

fred@homesys> ssh remotesys echo foo
foo
fred@homesys> 

2) on remotesys add the following to /whatever/etc/sudoers with "sudo visudo"

	fred  ALL = NOPASSWD:/usr/sbin/ndc

3) verify with

fred@homesys> ssh remotesys sudo /usr/sbin/ndc restart

Options:
You can, if you feel the need, set fred's local ssh key to require a password.
Sudoers can be set to allow only a particular set of options to command.
For that, I create pseudo users for particular classes of tasks.

I haven't used su since I found sudo.  I've not logged in as root, save in a 
grave emergency, in 7-8 years.  I've a CD which contains all the .ssh/auth_keys,
etc., and use it after installing a machine, and before plugging it into the net.
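
The recipe above written out as a script, as an added example that is not code from the thread or from FreeBSD: it prints the sudoers lines with the arguments pinned (the "particular set of options" mentioned above), an authorized_keys entry that locks fred's key to a forced command with no pty or forwarding, and the sshd_config settings, and when run with --wrapper it is that forced command, refusing anything the client asks for that is not on its allowlist. The names fred, remotesys, /usr/local/bin/fred-cmd and /home/fred/incoming are assumptions, the key text is a placeholder, and the install/pwd_mkdb lines are one way to adapt the recipe to Marcelo's master.passwd case (copy into a directory fred owns, then let root install the file and rebuild the database).

```sh
#!/bin/sh
# Added example, not code from the thread. Generates the pieces of the
# recipe above for user fred on remotesys, and with --wrapper acts as the
# forced command the key is locked to. Assumed names: fred, remotesys,
# /usr/local/bin/fred-cmd, /home/fred/incoming; the key text is a placeholder.

USER_NAME=fred
WRAPPER=/usr/local/bin/fred-cmd

# Exact command lines fred may run as root. sudoers matches "cmd args"
# literally, so "ndc restart" is granted but "ndc stop" or "ndc" alone is not.
NDC_RESTART='/usr/sbin/ndc restart'
# Marcelo's master.passwd case: scp into a directory fred owns, then root
# installs the file with fixed mode/owner and rebuilds the password database.
INSTALL_PASSWD="/usr/bin/install -o root -g wheel -m 600 /home/$USER_NAME/incoming/master.passwd /etc/master.passwd"
PWD_MKDB='/usr/sbin/pwd_mkdb -p /etc/master.passwd'

# Step 2, with arguments pinned: one sudoers line per permitted command.
sudoers_line() {
    # $1 = user, $2 = exact command line
    printf '%s ALL = NOPASSWD: %s\n' "$1" "$2"
}

sudoers_fragment() {
    sudoers_line "$USER_NAME" "$NDC_RESTART"
    sudoers_line "$USER_NAME" "$INSTALL_PASSWD"
    sudoers_line "$USER_NAME" "$PWD_MKDB"
}

# Step 1, tightened: the authorized_keys options lock this key to the
# wrapper and deny a pty and forwarding, so a stolen key is worth exactly the
# commands in the allowlist and nothing more.
authorized_keys_entry() {
    # $1 = public key line (contents of fred's .pub file)
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$WRAPPER" "$1"
}

# sshd_config on remotesys: no root logins, no password or keyboard auth.
sshd_config_fragment() {
    printf 'PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no\n'
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND. Quoted
# case patterns match the whole string literally, so "... restart; sh" or a
# bare "sudo /usr/sbin/ndc" is refused. Returns 0 only for an allowlisted line.
allowed_command() {
    case "$1" in
        "sudo $NDC_RESTART"|"sudo $INSTALL_PASSWD"|"sudo $PWD_MKDB") return 0 ;;
        *) return 1 ;;
    esac
}

# After editing sudoers: parse the file without installing it.
check_sudoers_file() {
    visudo -c -f "$1"
}

# Body of the forced command. Only the allowlisted strings reach exec, and
# they contain no shell metacharacters or globs, so splitting them into argv
# (with globbing disabled for good measure) is safe.
wrapper_main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if allowed_command "$req"; then
        set -f
        exec $req
    fi
    printf 'fred-cmd: refused "%s"\n' "$req" >&2
    exit 255
}

case "${1:-}" in
    --wrapper) wrapper_main ;;
    "")
        sudoers_fragment
        # placeholder key text, not a real key
        authorized_keys_entry 'ssh-rsa AAAAB3PLACEHOLDER fred@homesys'
        sshd_config_fragment
        ;;
esac
```

Install the script on remotesys as root-owned, mode 755, at the WRAPPER path; append the authorized_keys line to fred's ~/.ssh/authorized_keys and the sudoers lines via "sudo visudo" (or check a staged copy with check_sudoers_file first). From homesys, `ssh remotesys sudo /usr/sbin/ndc restart` then works, while `ssh remotesys` alone or any other command string is refused and logged to stderr on the client side. One caveat: the forced command also intercepts scp, whose server side is an `scp -t <dir>` command, so for the master.passwd copy either use a second, unrestricted key for the scp step or add the exact `scp -t` string sshd hands you in SSH_ORIGINAL_COMMAND to the allowlist.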



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040413230541.777BF38026>