| 1 |
On Thursday, 14 July 2022 17:32:07 CEST Grant Taylor wrote: |
| 2 |
> On 7/14/22 3:54 AM, J. Roeleveld wrote: |
| 3 |
> > For security reasons, I do not want direct login to root under any |
| 4 |
> > circumstances. This is disabled on all systems and will stay this way. |
| 5 |
> |
| 6 |
> +10 for security |
| 7 |
> |
| 8 |
> > Currently, to login as root, you need to know: |
| 9 |
> > - admin user account name |
| 10 |
> > - admin user account password |
| 11 |
> > - root user account password |
| 12 |
> |
| 13 |
> Please describe what an ideal scenario would be from a flow perspective, |
| 14 |
> independent of the underlying technology. |
| 15 |
|
| 16 |
What I am looking for is: |
| 17 |
1) Lookup credentials from password vault (I can do this in script-form, |
| 18 |
already doing this in limited form for ansible-scripts, but this doesn't give |
| 19 |
me an interactive shell) |
| 20 |
|
| 21 |
2) Use admin-account credentials to login via SSH into host |
| 22 |
|
| 23 |
3) On remote host, initiate "su -" to switch to root and provide root-password |
| 24 |
over SSH link at the right time |
| 25 |
|
| 26 |
4) Give me an interactive root-shell on remote-host |
| 27 |
|
| 28 |
When I close the shell, I expect to be fully logged out (eg, I go straight |
| 29 |
back to the local host, not to the admin-account) |
| 30 |
|
| 31 |
|
| 32 |
> > I do not want to reduce this to a single ssh-key-passphrase. |
| 33 |
> |
| 34 |
> Please elaborate as I suspect that the reasoning behind that statement |
| 35 |
> is quite germane to this larger discussion. |
| 36 |
|
| 37 |
I see plenty of google-results and also as answers for ssh directly to "root" |
| 38 |
using ssh-keys. I do not consider this a safe method, I use it for un- |
| 39 |
priviliges accounts (not member of "wheel"). I don't use it for admin- |
| 40 |
accounts. |
Archives