[wplug-bsd] Root logins and public keys
Brandon Kuczenski
brandon at 301south.net
Sat Dec 3 19:26:46 EST 2005
[FreeBSD 5.3]
I recently learned about public-key authentication for ssh connections and
decided that it would be a swell way to solve the "root password" problem
on a box with a few administrators -- instead of them all knowing the root
password, they each have an rsa keypair, with the public components in
the /root/.ssh/authorized_keys file. An administrator would then log in as
normal, and then instead of su'ing to root, he would ssh root@localhost
and use his passphrase.
This requires that ssh accept root logins. The PermitRootLogin setting
in /etc/sshd_config has a number of settings, including
'without-password', which disables passwords as a means of authenticating,
but still allows rsa keys. However, the ChallengeResponseAuthentication
setting, if set to 'yes', overrides the PermitRootLogin setting, and root
can still log in from remote with a password. If I turn off
ChallengeResponseAuthentication, however, I'm afraid I will disable access
to all users who do not have rsa keys set up. If I remove root's login
password, root logins are disabled entirely -- from ssh or from the
console -- except for the case when the person attempting the login has an
rsa key pair.
This is the way my system is now configured: I have created a special rsa
key, put the public part into /root/.ssh/authorized_keys, modified my
~/.ssh/config to use the private part of that key for authentication as
root, enabled root logins via ssh, and removed root's login password.
Is there a way to allow root to still log in with a password from the
console, but to continue using rsa keys for remote authentication? I have
two ideas: run two ssh daemons, one that only listens on localhost; or,
use the 'forced-commands-only' setting for PermitRootLogin, and somehow
set up the authorized_keys file so that it runs a normal login shell. Good
idea? Bad idea?
Also, is it dangerous to NOT have a root password?
Thanks,
Brandon
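As an added example (not part of the original post, and not OpenSSH's own tooling), the script below audits an sshd_config for the root-login policy discussed in the message. It reads PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication the way sshd does: keyword matching is case-insensitive, the first value seen for a keyword wins and later duplicates are ignored, and directives after the first Match line (a feature of OpenSSH 4.4 and later, newer than the FreeBSD 5.3 system in the post) are conditional rather than global. It also shows the authorized_keys from="..." option, which restricts a key to given source addresses and is the per-key counterpart of the "second sshd bound to localhost" idea. The config texts and the authorized_keys line are constructed inline; the key blob is a placeholder, not a real key. Only a Bourne shell and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# root-login policy discussed above. sshd takes the FIRST value it sees for a
# keyword, so a later, stricter duplicate is silently ignored; keyword matching
# is case-insensitive; directives after the first "Match" line are conditional
# and are not part of the global policy, so the parser stops there.

# Constructed sample configs (not a real host's files).
CFG_KEYS_ONLY='
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
'

CFG_WEAK='
PermitRootLogin yes
PasswordAuthentication yes
'

# First-match pitfall: the "no" on the second line never takes effect.
CFG_DUPLICATE='
PermitRootLogin yes
PermitRootLogin no
'

# Constructed authorized_keys line for root: the key is accepted only from the
# loopback addresses, the authorized_keys counterpart of running a second sshd
# bound to localhost. The key blob is a placeholder, not a real key.
ROOT_KEY_LINE='from="127.0.0.1,::1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0placeholder admin@example'

# sshd_value CONFIG_TEXT KEYWORD DEFAULT
# Print the effective value of KEYWORD: its first global occurrence, else DEFAULT.
sshd_value() {
  printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
    tolower($1) == "match" { exit }                              # end of global section
    tolower($1) == tolower(key) && !found { print $2; found = 1 }
    END { if (!found) print def }'
}

# root_policy CONFIG_TEXT
# Classify how root may authenticate over ssh, following the PermitRootLogin
# semantics in sshd_config(5). Defaults are the OpenSSH defaults of the era
# (PermitRootLogin and PasswordAuthentication both "yes").
root_policy() {
  prl=$(sshd_value "$1" PermitRootLogin yes | tr 'A-Z' 'a-z')
  pw=$(sshd_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
  cr=$(sshd_value "$1" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
  case "$prl" in
    no)                                 echo root-disabled ;;
    without-password|prohibit-password) echo root-key-only ;;    # prohibit-password is the newer spelling
    forced-commands-only)               echo root-forced-commands-only ;;
    yes)
      # With PermitRootLogin yes, either password mechanism still being on
      # means root can be password-guessed from the network.
      if [ "$pw" = yes ] || [ "$cr" = yes ]; then
        echo root-password-allowed
      else
        echo root-key-only
      fi ;;
    *)                                  echo "unrecognised:$prl" ;;
  esac
}

# key_source_restricted AUTHORIZED_KEYS_LINE
# Succeed if the line carries a from= option, i.e. the key is not usable from
# arbitrary source hosts.
key_source_restricted() {
  case "$1" in
    from=*|*,from=*) return 0 ;;
    *)               return 1 ;;
  esac
}

# Usage when run directly: report each sample config and the root key line.
for name in CFG_KEYS_ONLY CFG_WEAK CFG_DUPLICATE; do
  eval "cfg=\$$name"
  printf '%-14s %s\n' "$name" "$(root_policy "$cfg")"
done
if key_source_restricted "$ROOT_KEY_LINE"; then
  echo "root key: source-restricted"
else
  echo "root key: usable from anywhere"
fi
```

Point the functions at a real file with `root_policy "$(cat /etc/ssh/sshd_config)"` to check a live host; the duplicate-keyword sample is the case worth remembering, since a hardening line appended at the bottom of an existing config does nothing if the keyword already appears above it.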