[NTLUG:Discuss] ssh keys
Kevin Brannen
kbrannen at pwhome.com
Thu Mar 3 23:23:00 CST 2005
MadHat wrote:
> On Mar 3, 2005, at 7:14 PM, Kevin Brannen wrote:
>
>> ...
>>
>> The way I"ve avoided this in the past is to put the authorized_keys2
>> file in place when the machine was built, i.e. it's part of the
>> initial image I "ghost'd" (actually I used "dd" but same concept).
>> If that is done for root, you can automate all other additions (as
>> root can do anything. :-) From there you can do stuff like:
>
>
> ssh as root? That is bad. Have an automation account with limited
> sudo access, specifically to run one or two commands. Then you have
> that account already installed on the ghost image, or added as part of
> the install process. The sudo access would be to add packages, for
> instance, then you could have the user accounts as packages, like as
> an RPM. only allow the automation account to rum rpm passwordless via
> sudo. then you when you run 'ssh host "sudo rpm -i
> http://central.server/user.rpm"' the user's credentials and ssh keys
> are installed.
>
> I just don't like the idea of having ssh as root enabled anywhere. I
> don't even know the root password on a machine or 2 I admin. no
> reason to.
>
...
Depends on your situation. There are places (like if the machine is
visible to the 'Net) that I wouldn't think of that much less allow that
either. But in the case sited, it was on a set of developers machines
that sat on a non-public routable subnet (10.x.x.x), and behind at least
1 Firewall (I think there were actually 2 between us and the outside
world). I felt quite safe ssh'ing as root in that situation. Also,
there were times I was extremely busy, so any little helps like this to
admin that set of machines I viewed as good.
YThoughtsMV... :-)
Kevin
More information about the Discuss
mailing list