[wplug-bsd] Root logins and public keys
Brian A. Seklecki
lavalamp at spiritual-machines.org
Sat Dec 3 20:04:22 EST 2005
Yes, very dangerous. Use sudo(8) instead. It's in Ports. You can
permit users's in Wheel to run commands as root w/o having to enter
their password; or, many other policies.
RSA/DSA key authentication is best used *with passphrases* in
environments with a large number of machines. Users on their starting
workstation use ssh-agent(1) add ssh-add(1) to unlock their private
key. They can then ssh(1) to groups of different machines which
permit/authorize that user's public key.
~BAS
On Sat, 2005-12-03 at 19:26, Brandon Kuczenski wrote:
> [FreeBSD 5.3]
>
> I recently learned about public-key authentication for ssh connections and
> decided that it would be a swell way to solve the "root password" problem
> on a box with a few administrators -- instead of them all knowing the root
> password, they each have an rsa keypair, with the public componentss in
> the /root/.ssh/authorized_keys file. An administrator would then login as
> normal, and then instead of su'ing to root, he would ssh root at localhost
> and use his passphrase.
>
> This requires that ssh accept root logins. The PermitRootLogins setting
> in /etc/sshd_config has a number of settings, including
> 'without-password', which disables passwords as a means of authenticating,
> but still allows rsa keys. However, the ChallengeResponseAuthentication
> setting, if set to 'yes', overrides the PermitRootLogins setting, and root
> can still login from remote with a password. If I turn off
> ChallengeResponseAuthentication, however, I'm afraid I will disable access
> to all users who do not have rsa keys setup. If I remove root's login
> password, root logins are disabled entirely -- from ssh or from the
> console -- except for the case when the person attempting the login has an
> rsa key pair.
>
> This is the way my system is now configured: I have created a special rsa
> key, put the public part into /root/.ssh/authorized_keys, modified my
> ~/.ssh/config to use the private part of that key for authentication as
> root, enabled root logins via ssh, and removed root's login password.
>
> Is there a way to allow root to still login with a password from the
> console, but to continue using rsa keys for remote authentication? I have
> two ideas: run two ssh daemons, one that only listens on localhost; or,
> use the 'forced-commands-only' setting for PermitRootLogins, and somehow
> setup the authorized_keys file so that run a normal login shell. Good
> idea? Bad idea?
>
> Also, is it dangerous to NOT have a root password?
>
> Thanks,
> Brandon
>
> _______________________________________________
> wplug-bsd mailing list
> wplug-bsd at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug-bsd
More information about the wplug-bsd
mailing list