Peter Abrahamsen wrote:
> On 10/12/06, Kalin KOZHUHAROV <kalin@××××××××.net> wrote:
>> How do you permit key-only for non-root users??
>
> PasswordAuthentication no
> ChallengeResponseAuthentication no
>
> it's in the inline docs in sshd_config.
>

Oookey! Now I saw it.

I was trying a few times to disable that but for some reason or another
I failed, so I concluded that this is an option only for the root
login... and for the last 3 years I didn't even bother looking into it.

I generally use several approaches:

1. `ssh root@server`
Mostly used when I run a command on a few servers, like:
for s in $SERVERS; do ssh $s "gensync pkalin &"; done

2. `ssh user@server`, then `su -`
Mostly for specific administrative tasks or researching things like
logs, etc.

3. `ssh user@server`, then `sudo command`
Mostly for single commands, specific for a server interspersed with
many user-possible commands; most common commands are set with
NOPASSWD, like:
user ALL = NOPASSWD: /bin/dmesg -c

So it all depends on the case.

#1 is most insecure as it all relies on keeping your private key secret

#3 is most appropriate as long as accounting is concerned (you can see
who did what in the logs); it also sandboxes you in a way by allowing
only certain things

You can play with setting expiry time on the sudo (see
timestamp_timeout), using keychain to remember password protected
private keys, etc. to fine-tune your options.

Just my 2 yen,

Kalin.

--
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|

--
gentoo-server@g.o mailing list
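The two sshd_config directives named in the reply above are easy to get wrong in exactly the way Kalin describes (a commented-out line, or a later line that sshd ignores), so here is an added example, not part of the thread and not OpenSSH's own tooling, that audits a config file for them. It assumes POSIX sh and awk, relies on two documented sshd_config(5) rules (the first value seen for a keyword wins, and directives inside a Match block apply only to that match), and treats the newer name KbdInteractiveAuthentication as an alias of ChallengeResponseAuthentication, which is what OpenSSH 8.7 and later do. The sample configs it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added example: check whether an sshd_config really disables password and
# keyboard-interactive logins, i.e. whether only key-based login remains.
# Not from the original mail and not an OpenSSH tool; sh + awk only.

# sshd_directive FILE KEYWORD
# Prints the effective global value of KEYWORD (lower-cased) or "unset".
# Only the section before the first "Match" line is read, comments and
# blanks are skipped, and the FIRST occurrence wins, as in sshd_config(5).
# Both "Key value" and "Key=value" spellings are accepted.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh]([ \t]|$)/ { exit }   # end of global section
        /^[ \t]*(#|$)/ { next }                           # comment or blank line
        {
            line = $0; sub(/=/, " ", line)                # "Key=value" -> "Key value"
            n = split(line, f)
            if (n >= 2 && tolower(f[1]) == key && !found) {
                found = 1; val = tolower(f[2])
            }
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# check_key_only FILE
# Exit 0 when PasswordAuthentication and ChallengeResponseAuthentication
# (alias KbdInteractiveAuthentication) are both "no" globally; 1 otherwise.
# Each finding is printed on its own line.
check_key_only() {
    cfg=$1; rc=0
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    cr=$(sshd_directive "$cfg" ChallengeResponseAuthentication)
    # OpenSSH 8.7+ documents this setting as KbdInteractiveAuthentication;
    # the older name is kept as an alias, so fall back to the new one.
    [ "$cr" = unset ] && cr=$(sshd_directive "$cfg" KbdInteractiveAuthentication)
    [ "$pw" = no ] || { echo "FAIL $cfg: PasswordAuthentication is '$pw' (default yes); set it to no"; rc=1; }
    [ "$cr" = no ] || { echo "FAIL $cfg: ChallengeResponseAuthentication is '$cr' (default yes); set it to no"; rc=1; }
    [ $rc -eq 0 ] && echo "OK   $cfg: password and keyboard-interactive logins disabled"
    return $rc
}

# Demo on two constructed config files: one that looks hardened but is not
# (the directive is commented out), and one that is, with a Match block that
# must not be mistaken for a global setting.
demo() {
    tmp=$(mktemp -d)
    printf 'Port 22\n# PasswordAuthentication no\nChallengeResponseAuthentication yes\n' > "$tmp/sshd_config.weak"
    printf 'PasswordAuthentication=no\nKbdInteractiveAuthentication no\nMatch User backup\n    PasswordAuthentication yes\n' > "$tmp/sshd_config.hard"
    check_key_only "$tmp/sshd_config.weak" || true
    check_key_only "$tmp/sshd_config.hard" || true
    rm -rf "$tmp"
}

demo
```

Run it against the live file with `check_key_only /etc/ssh/sshd_config` after sourcing the script; on a running host, `sshd -T` prints the values sshd actually resolved and is the authoritative cross-check, since it also applies defaults and any files pulled in by Include. The same first-wins rule is why a stray `PasswordAuthentication yes` earlier in the file, or in an included fragment, silently defeats the `no` that Peter quoted.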