[wplug-bsd] Root logins and public keys

Brian A. Seklecki lavalamp at spiritual-machines.org
Sat Dec 3 20:04:22 EST 2005


Yes, very dangerous.  Use sudo(8) instead.  It's in Ports.  You can
permit users in Wheel to run commands as root w/o having to enter
their password; or, many other policies.

RSA/DSA key authentication is best used *with passphrases* in
environments with a large number of machines.  Users on their starting
workstation use ssh-agent(1) and ssh-add(1) to unlock their private
key.  They can then ssh(1) to groups of different machines which
permit/authorize that user's public key.

~BAS

On Sat, 2005-12-03 at 19:26, Brandon Kuczenski wrote:
> [FreeBSD 5.3]
> 
> I recently learned about public-key authentication for ssh connections and 
> decided that it would be a swell way to solve the "root password" problem 
> on a box with a few administrators -- instead of them all knowing the root 
> password, they each have an rsa keypair, with the public components in 
> the /root/.ssh/authorized_keys file.  An administrator would then login as 
> normal, and then instead of su'ing to root, he would ssh root at localhost 
> and use his passphrase.
> 
> This requires that ssh accept root logins.  The PermitRootLogins setting 
> in /etc/sshd_config has a number of settings, including 
> 'without-password', which disables passwords as a means of authenticating, 
> but still allows rsa keys.  However, the ChallengeResponseAuthentication 
> setting, if set to 'yes', overrides the PermitRootLogins setting, and root 
> can still login from remote with a password.  If I turn off 
> ChallengeResponseAuthentication, however, I'm afraid I will disable access 
> to all users who do not have rsa keys set up.  If I remove root's login 
> password, root logins are disabled entirely -- from ssh or from the 
> console -- except for the case when the person attempting the login has an 
> rsa key pair.
> 
> This is the way my system is now configured: I have created a special rsa 
> key, put the public part into /root/.ssh/authorized_keys, modified my 
> ~/.ssh/config to use the private part of that key for authentication as 
> root, enabled root logins via ssh, and removed root's login password.
> 
> Is there a way to allow root to still login with a password from the 
> console, but to continue using rsa keys for remote authentication?  I have 
> two ideas: run two ssh daemons, one that only listens on localhost; or, 
> use the 'forced-commands-only' setting for PermitRootLogins, and somehow 
> set up the authorized_keys file so that it runs a normal login shell.  Good 
> idea? Bad idea?
> 
> Also, is it dangerous to NOT have a root password?
> 
> Thanks,
> Brandon
> 
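Added example, not part of either message: a small Python check over sshd_config text for the combination the quoted post reports, PermitRootLogin without-password together with ChallengeResponseAuthentication yes. The sample config and the finding codes are constructed for illustration, and the flagged behaviour is the one the post reports for that system.

```python
# Added example: flag the sshd_config combination discussed in this thread.
# SAMPLE is constructed for illustration, not taken from a real host.
SAMPLE = """\
# root is meant to authenticate with keys only
PermitRootLogin without-password
ChallengeResponseAuthentication yes
permitrootlogin no
Match User backup
    PermitRootLogin yes
"""

# Keywords this check looks at (compared case-insensitively).
WATCHED = ("permitrootlogin", "challengeresponseauthentication")


def effective(config_text):
    """Global keyword -> value; sshd uses the first value given for a keyword."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are not global settings
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        opts.setdefault(key, value)  # later duplicates are ignored
    return opts


def audit(config_text):
    """Return constructed finding codes for the root-login settings."""
    opts = effective(config_text)
    # An unset keyword falls back to the build's default, so report it.
    findings = [f"UNSET:{k}" for k in WATCHED if k not in opts]
    root = opts.get("permitrootlogin")
    cra = opts.get("challengeresponseauthentication")
    if root == "yes":
        findings.append("ROOT_ANY_METHOD")
    elif root == "without-password" and cra == "yes":
        # The case reported in the thread: root's password is still accepted.
        findings.append("ROOT_PASSWORD_VIA_CHALLENGE_RESPONSE")
    return findings


if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(code)
```

An UNSET finding means the effective value is whatever the installed sshd defaults to, which has to be checked against that version's sshd_config(5).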