Linux Debian support - Root only local, another user as root via SSH?


Noozer

2007-09-21, 1:14 pm

Debian etch machine here...

For security, I do not want the root user to be able to log into the
machine, except through the local keyboard.

I do a lot of administration to this machine via SSH, so I would like to
have a different user with the same privileges as root, but through SSH.

In other words:
root = local login only. No remote access through any services.
bob = local or SSH login. Has the same privileges as root.

Is this possible? Easy? A good idea? If so, how?



s. keeling

2007-09-21, 1:14 pm

Noozer <dont.spam@me.here>:
> Debian etch machine here...
>
> For security, I do not want the root user to be able to log into the
> machine, except through the local keyboard.
>
> I do a lot of administration to this machine via SSH, so I would like to
> have a different user with the same privileges as root, but through SSH.
>
> In other words:
> root = local login only. No remote access through any services.
> bob = local or SSH login. Has the same privileges as root.
>
> Is this possible? Easy? A good idea? If so, how?


Yes. Yes. Yes. With either su or sudo.

i) User (noozer) logs in, then "su -" and supplies root's password.
noozer becomes root. Do what you need to do then "exit" and you're
noozer again.

ii) "su -c command". Supply root's password, single command executes,
and you're still noozer.

iii) Check out /etc/sudoers for any stupidness, then "sudo command".

iv) While noozer is logged in AND su-ing to root, root can then su to
any other user, no password required.

v) "ssh -l root machine command" won't work if you've
PermitRootlogins=no in /etc/ssh/sshd_config (working from memory, so
verify), which would be a good thing (no remote root logins; all root
access via su or sudo).

Sudo logs sudoed commands, btw. syslog reports who su-s to root.


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
Anton Ertl

2007-09-21, 1:14 pm

"Noozer" <dont.spam@me.here> writes:
>In other words:
> root = local login only. No remote access through any services.
> bob = local or SSH login. Has the same privileges as root.
>
>Is this possible?


I think so.

> Easy?


I think so.

> A good idea?


Not particularly (not worse than having root ssh-able, but not
significantly better, either).

> If so, how?


Copy the root line in /etc/passwd and change the account name to bob.
Do the appropriate changes to /etc/shadow (if you use that), and to
the PAM configuration; I don't know what the PAM changes are, and
that's where I am unsure if what you want is possible; however, I
think that PAM usually goes by account name (which are different), not
uid (which are the same), so it should be possible.

- anton
--
M. Anton Ertl Some things have to be seen to be believed
anton@mips.complang.tuwien.ac.at Most things have to be believed to be seen
http://www.complang.tuwien.ac.at/anton/home.html
Anton Ertl

2007-09-21, 1:14 pm

anton@mips.complang.tuwien.ac.at (Anton Ertl) writes:
>"Noozer" <dont.spam@me.here> writes:
>
>Copy the root line in /etc/passwd and change the account name to bob.
>Do the appropriate changes to /etc/shadow (if you use that), and to
>the PAM configuration; I don't know what the PAM changes are, and
>that's where I am unsure if what you want is possible; however, I
>think that PAM usually goes by account name (which are different), not
>uid (which are the same), so it should be possible.


Actually, I am not sure that you can do it via PAM (does PAM know
about ssh), but it should be possible via the DenyUsers clause in the
sshd_config file.

- anton
--
M. Anton Ertl Some things have to be seen to be believed
anton@mips.complang.tuwien.ac.at Most things have to be believed to be seen
http://www.complang.tuwien.ac.at/anton/home.html
Kees Theunissen

2007-09-21, 1:14 pm

Anton Ertl wrote:
> "Noozer" <dont.spam@me.here> writes:



No.
> Not particularly (not worse than having root ssh-able, but not
> significantly better, either).


It's worse. It will add confusion without adding any security.

>
> Copy the root line in /etc/passwd and change the account name to bob.


That will give you two users, root and bob, with user ID 0.
This means that any root owned process or any root owned file
could show up in listings as owned by bob. It might not even
be predictable which name will be listed.
Any script that parses such a listing (and that listing might be the
output of 'ls' or 'ps' for instance) and looks for the word 'root'
might fail by doing so.

Regards,

Kees.

--
Kees Theunissen.


Anton Ertl

2007-09-21, 1:14 pm

Kees Theunissen <theuniss@rijnh.nl> writes:
>That will give you two users -root and bob- with user ID 0.
>This means that any root owned process or any root owned file
>could show up in listings as owned by bob. It might not even
>be predictable which name will be listed.


In my experience, the name that's first in /etc/passwd is listed.

>Any script that parses such a listing (and that listing might be the
>output of 'ls' or 'ps' for instance) and looks for the word 'root'
>might fail by doing so.


We have several uid-0 accounts on some of our machines, and have not
noticed any such problems.

- anton
--
M. Anton Ertl Some things have to be seen to be believed
anton@mips.complang.tuwien.ac.at Most things have to be believed to be seen
http://www.complang.tuwien.ac.at/anton/home.html
Kees Theunissen

2007-09-21, 7:12 pm

Anton Ertl wrote:
> Kees Theunissen <theuniss@rijnh.nl> writes:
>
> In my experience, the name that's first in /etc/passwd is listed.


It sounds reasonable to assume that entries in /etc/passwd will
be accessed sequentially. But I would not trust that in general.

Do you have experience with more complicated setups like network
based account management using NIS or LDAP with "nscd" to cache
lookups? I'm afraid that in such environments lookup results could
even change with cache expiration.

In general it's a bad idea to rely on unspecified behavior of the
software you use. And I'm wondering why you want to do this.
Does it give any benefits that cannot, or not easily, be accomplished
by other means?
If you want to give several users root access without the need to
share the root password for instance, then you can reach the same
goal by allowing those users to "sudo bash".

Regards,

Kees.

--
Kees Theunissen.
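The duplicate-uid-0 situation Kees describes in his two posts (the copied root line, and the name that a lookup happens to return) is easy to audit for. The script below is an added example and not code from the thread; it runs against a constructed passwd file so it can be tried offline, and on a real host you would point it at /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that share uid 0.
# Constructed sample data is used here; on a real system pass /etc/passwd.

# Login names of every account whose uid field is 0, in file order.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Number of uid-0 accounts.
uid0_count() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# First uid-0 entry in file order. This is the name a sequential lookup
# of /etc/passwd (getpwuid(0)) returns, as Anton observed; with NIS, LDAP
# or an nscd cache in the path there is no such guarantee, which is the
# reason Kees gives for not relying on it.
first_uid0_name() {
    uid0_accounts "$1" | head -n 1
}

# Hardening check: return 0 only when root is the sole uid-0 account.
check_single_root() {
    [ "$(uid0_count "$1")" -eq 1 ] && [ "$(first_uid0_name "$1")" = "root" ]
}

# Constructed sample: a minimal passwd file with the root line duplicated
# under the name "bob", exactly the setup discussed in the thread.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bob:x:0:0:bob:/root:/bin/bash
noozer:x:1000:1000:Noozer:/home/noozer:/bin/bash
EOF

if check_single_root "$SAMPLE_PASSWD"; then
    echo "OK: root is the only uid-0 account"
else
    echo "WARNING: $(uid0_count "$SAMPLE_PASSWD") accounts share uid 0:" \
         "$(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
fi
```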
Anton Ertl

2007-09-21, 7:12 pm

Kees Theunissen <theuniss@rijnh.nl> writes:
>Do you have experience with more complicated setups like network
>based account management using NIS or LDAP with "nscd" to cache
>lookups?


No, our sysadmin prefers to use our own account distribution scripts.

> And I'm wondering why you want to do this.
>Does it give any benefits that can not -or not easy- be accomplished
>by other means?
>If you want to give several users root access without the need to
>share the root password for instance, then you can reach the same
>goal by allowing those users to "sudo bash".


We use it for remotely running a specific program (per account) that
needs root permissions, and nothing else should be runnable with this
authorization. There may be other ways to do this, but this one works
well enough for us.

- anton
--
M. Anton Ertl Some things have to be seen to be believed
anton@mips.complang.tuwien.ac.at Most things have to be believed to be seen
http://www.complang.tuwien.ac.at/anton/home.html
jellybean stonerfish

2007-09-24, 1:14 pm

On Fri, 21 Sep 2007 15:28:29 +0000, Noozer wrote:

> Debian etch machine here...
>
> For security, I do not want the root user to be able to log into the
> machine, except through the local keyboard.
>
> I do a lot of administration to this machine via SSH, so I would like to
> have a different user with the same privileges as root, but through SSH.
>
> In other words:
> root = local login only. No remote access through any services.
> bob = local or SSH login. Has the same privileges as root.
>
> Is this possible? Easy? A good idea? If so, how?


Make bob the only one who can sudo. Then ssh as bob and do a sudo -i to
become root.

stonerfish
AJackson

2007-10-03, 1:12 am

On Sep 21, 9:27 pm, an...@mips.complang.tuwien.ac.at (Anton Ertl)
wrote:
> Kees Theunissen <theun...@rijnh.nl> writes:
>
> No, our sysadmin prefers to use our own account distribution scripts.
>
>
> We use it for remotely running a specific program (per account) that
> needs root permissions, and nothing else should be runnable with this
> authorization. There may be other ways to do this, but this one works
> well enough for us.


Please check out "sudo". You can tell sudo which commands which users
are allowed to run, as which other user (like root). It's better than
this ugly hack (or workaround).
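The approach the thread converges on (s. keeling's PermitRootLogin setting, stonerfish's "ssh as bob, then sudo -i", and AJackson's per-command sudo rule for Anton's use case) comes down to a few lines of sshd_config and sudoers. The script below is an added example, not configuration from any poster; it writes constructed copies of both fragments to temporary files and includes a small audit function for the sshd side. The sudoers program path /usr/local/sbin/backup-job is a placeholder.

```shell
#!/bin/sh
# Added example: sshd_config and sudoers fragments for "root = console only,
# bob = SSH plus root via sudo", with an audit of the sshd setting.
# Real files are /etc/ssh/sshd_config and /etc/sudoers (edit with visudo).

# Effective value of an sshd_config keyword. sshd takes the first occurrence
# of a keyword and matches keywords case-insensitively; conditional Match
# blocks are out of scope here, so the scan stops at the first Match line.
sshd_effective() {  # $1 = keyword, $2 = config file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$2"
}

# Return 0 when remote root logins are disabled.
check_no_remote_root() {
    [ "$(sshd_effective PermitRootLogin "$1")" = "no" ]
}

# Constructed sshd_config fragment. The directive is spelled PermitRootLogin
# (s. keeling was quoting from memory). AllowUsers restricts SSH to bob
# outright; DenyUsers root, which Anton mentions, is the narrower alternative.
SSHD_CONF="$(mktemp)"
cat > "$SSHD_CONF" <<'EOF'
PermitRootLogin no
AllowUsers bob
EOF

# Constructed sudoers fragment (append with visudo; never edit sudoers directly).
# Line 1: bob gets full root, so "sudo -i" after "ssh bob@machine" works.
# Line 2: a second account limited to one program, the sudo equivalent of
# Anton's per-account uid-0 logins; the program path is a placeholder.
SUDOERS_FRAG="$(mktemp)"
cat > "$SUDOERS_FRAG" <<'EOF'
bob       ALL=(ALL) ALL
backupop  ALL=(root) /usr/local/sbin/backup-job
EOF

if check_no_remote_root "$SSHD_CONF"; then
    echo "sshd: remote root login disabled, SSH limited to:" \
         "$(sshd_effective AllowUsers "$SSHD_CONF")"
else
    echo "sshd: WARNING, PermitRootLogin is not 'no'"
fi
```

Both su and sudo leave a trail in the auth log, as s. keeling notes, so with this setup every root action over SSH is attributable to bob's login rather than to an anonymous root session.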
