| 1 |
Peter Abrahamsen wrote: |
| 2 |
> On 10/12/06, Kalin KOZHUHAROV <kalin@××××××××.net> wrote: |
| 3 |
>> How do you permit key-only for non-root users?? |
| 4 |
> |
| 5 |
> PasswordAuthentication no |
| 6 |
> ChallengeResponseAuthentication no |
| 7 |
> |
| 8 |
> it's in the inline docs in sshd_config. |
| 9 |
> |
| 10 |
|
| 11 |
Oookey! Now I saw it. |
| 12 |
|
| 13 |
I was trying a few times to disable that but for some reason or another |
| 14 |
I failed, so I concluded that this is an option only for the root |
| 15 |
login... and for the last 3 years I didn't even bother looking into it. |
| 16 |
|
| 17 |
I generally use several approaches: |
| 18 |
|
| 19 |
1. `ssh root@server` |
| 20 |
Mostly used when I run a command on a few servers, like: |
| 21 |
for s in $SERVERS; do ssh $s "gensync pkalin &"; done |
| 22 |
|
| 23 |
2. `ssh user@server`, then `su -` |
| 24 |
Mostly for specific administrative tasks or researching things like |
| 25 |
logs, etc. |
| 26 |
|
| 27 |
3. `ssh user@server`, then `sudo command` |
| 28 |
Mostly for single commands, specific for a server interspersed with |
| 29 |
many user-possible commands; most common commands are set with |
| 30 |
NOPASSWD, like: |
| 31 |
user ALL = NOPASSWD: /bin/dmesg -c |
| 32 |
|
| 33 |
So it all depends on the case. |
| 34 |
|
| 35 |
#1 is most unsecure as it all relies on keeping your private key secret |
| 36 |
|
| 37 |
#3 is most appropriate as long as accounting is concerned (you can see |
| 38 |
who did what in the logs); it also sandboxes you in a way by aloowing |
| 39 |
only certain things |
| 40 |
|
| 41 |
You can play with setting expiry time on the sudo (see |
| 42 |
timestamp_timeout), using keychain to remember password protected |
| 43 |
private keys, etc. to finetune your options. |
| 44 |
|
| 45 |
Just my 2 yen, |
| 46 |
|
| 47 |
Kalin. |
| 48 |
|
| 49 |
-- |
| 50 |
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]| |
| 51 |
+-> http://ThinRope.net/ <-+ |
| 52 |
|[ ______________________ ]| |
| 53 |
|
| 54 |
-- |
| 55 |
gentoo-server@g.o mailing list |
Archives