How to log in as root w/o password? - SSH


  1. How to log in as root w/o password?

    My basic setup denies root logins altogether.

    But... From one single PC, as one single user, I would like to be able
    to log in automagically without a password (actually via a script).

    Is there a way to set up authkeys to allow this?

    I've tried a few times, but it seems the "no root login" thing overrides
    public key authentication.

    --Yan

  2. Re: How to log in as root w/o password?

    CptDondo writes:

    > My basic setup denies root logins altogether.
    >
    > But... From one single PC, as one single user, I would like to be able
    > to log in automagically without a password (actually via a script).
    >
    > Is there a way to set up authkeys to allow this?
    >
    > I've tried a few times, but it seems the "no root login" thing
    > overrides public key authentication.


    What user are you trying to login as with public key?

    If root, well yeah, no root login would override it.

    If it's a std user you're trying to auth as, the no root login setting
    does not prohibit that.

    If you need to login w/o password and do root things, I'd suggest a
    combination of public key auth using a non-root account, and sudo on
    the target box (configured to allow that user to do only very specific
    commands as root, and to do so without prompting for a password).


    --
    Todd H.
    http://www.toddh.net/

  3. Re: How to log in as root w/o password?

    CptDondo writes:

    >My basic setup denies root logins altogether.


    Which is stupid. Sometimes root is needed. (and sudo is not a substitute).


    >But... From one single PC, as one single user, I would like to be able
    >to log in automagically without a password (actually via a script).


    Use ssh with public key authentication.


    >Is there a way to set up authkeys to allow this?


    Auth keys?

    >I've tried a few times, but it seems the "no root login" thing overrides
    >public key authentication.


    It may be. So get rid of the "no root login" or do a two step process--
    public key to a user account, and then that user account has
    passwordless login to root ( eg in wheel group with pam.d/su having the
    line
    auth sufficient pam_wheel.so trust use_uid
    )

    >--Yan


  4. Re: How to log in as root w/o password?

    On 08/24/2006 10:44 PM, CptDondo wrote:
    > My basic setup denies root logins altogether.
    >
    > But... From one single PC, as one single user, I would like to be able
    > to log in automagically without a password (actually via a script).
    >
    > Is there a way to set up authkeys to allow this?
    >
    > I've tried a few times, but it seems the "no root login" thing overrides
    > public key authentication.


    Create a key pair with ssh-keygen, and copy the contents of the public key
    file to root's .ssh/authorized_keys file. Set the permissions properly (600
    on the file, and 700 on the .ssh directory).

    Next, in your sshd_config, set

    PermitRootLogin yes
    PubkeyAuthentication yes
    AllowUsers root@192.168.xxx.yyy

    You can now log in as root, if you originate from 192.168.xxx.yyy by giving
    the command

    you@192.168.xxx.yyy% ssh -i file-with-private-root-key root@192.168.xxx.yyy.

    The disadvantage of using the AllowUsers directive is that ONLY the users
    that are explicitly listed (or that are matched by wild cards) will
    be allowed access. On a system with a large number of users who are all
    allowed remote access via ssh, AllowUsers will incur quite some management
    overhead. Using the directive properly (i.e., without wildcards that cover
    large networks) will make you practically immune to brute force password
    attacks, however.

    I recommend not loading root's ssh key into ssh-agent, or if you do, make
    sure it expires in something like a half hour or so. You can do that by
    using the command

    ssh-add -t 1800 file-with-private-root-key

    -Kees
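
A way to check what a given set of sshd settings means for root, added here as an example and not part of the original posts. It reads "keyword value" lines in the form printed by `sshd -T`; the function name, the output labels and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise how root may log in, given effective sshd settings
# as "keyword value" lines (the form printed by `sshd -T`).
# Limitation (assumption): any AllowUsers user pattern containing * or ? is
# treated as if it could match root; DenyUsers and groups are not evaluated.

root_login_posture() {
    awk '
    { key = tolower($1) }
    # sshd keeps the first value it sees for single-valued keywords.
    key == "permitrootlogin" && prl == "" { prl = tolower($2) }
    # AllowUsers entries accumulate; each is USER or USER@HOST.
    key == "allowusers" {
        restricted = 1
        for (i = 2; i <= NF; i++) {
            at = index($i, "@")
            user = at ? substr($i, 1, at - 1) : $i
            host = at ? substr($i, at + 1) : "*"
            if (user == "root" || user ~ /[*?]/) {
                if (host == "*") anyhost = 1; else fromhost = 1
            }
        }
    }
    END {
        # "no" wins over any key; so does an AllowUsers list without root.
        if (prl == "no" || (restricted && !anyhost && !fromhost)) { print "denied"; exit }
        if (prl == "yes") how = "any-method"          # passwords included
        else if (prl == "forced-commands-only") how = "forced-commands-only"
        else if (prl == "prohibit-password" || prl == "without-password") how = "key-only"
        else how = "unknown"
        where = (restricted && !anyhost) ? "host-restricted" : "any-host"
        print how "/" where
    }'
}

# Constructed samples: the thread's starting point, then the settings from the reply above.
printf 'permitrootlogin no\npubkeyauthentication yes\n' | root_login_posture
printf 'PermitRootLogin yes\nPubkeyAuthentication yes\nAllowUsers root@192.0.2.10\n' | root_login_posture
```

On a live host the input would come from `sshd -T` run as root, which prints the settings the daemon actually uses.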

  5. Re: How to log in as root w/o password?

    In comp.security.ssh Unruh :
    > CptDondo writes:


    >>My basic setup denies root logins altogether.


    > Which is stupid. Sometimes root is needed. (and sudo is not a substitute).


    No it isn't. A good idea to deny direct root logins via network
    per default. Quite a few people connect systems to the internet
    with no firewall/etc enabled and perhaps use a trivial root
    password. There are quite a few bots trying to break into such
    systems and it's easy as the account to login is already known.

    Someone who wants to use direct root logins, should take the time
    to check how to enable it. 'ssh -vvv ...' is usually helpful.

    >>But... From one single PC, as one single user, I would like to be able
    >>to log in automagically without a password (actually via a script).


    > Use ssh with public key authentication.



    >>Is there a way to set up authkeys to allow this?


    > Auth keys?


    >>I've tried a few times, but it seems the "no root login" thing overrides
    >>public key authentication.


    > It may be. So get rid of the "no root login" or do a two step process--
    > public key to a user account, and then that user account has
    > passwordless login to root ( eg in wheel group with pam.d/su having the
    > line
    > auth sufficient pam_wheel.so trust use_uid
    > )


    Sounds somehow better, though you can use sudo (NOPASSWD) or just
    enable a forced ssh command via keys. There are plenty of
    possibilities, but I'd be very careful with direct root logins.

    There are tons of documents online on how to go about it. ssh-agent
    should be used.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 320: You've been infected by the Telescoping
    Hubble virus.
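
The forced-command option mentioned in the last reply, sketched as an added example that is not part of the original posts: a key in root's authorized_keys is pinned to one wrapper script, which maps the client's request to a fixed command. The install path `/usr/local/sbin/root-gate`, the action names, the `service` calls and the address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example: forced-command gate for a root key. Path and actions are
# assumptions for illustration.
#
# root's ~/.ssh/authorized_keys entry (constructed; key body elided):
#   from="192.0.2.10",command="/usr/local/sbin/root-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... script@client
#
# sshd runs this script whatever the client asked for and passes the
# client's request, untrusted, in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL

# Print the fixed command line for an allowed request; return 1 otherwise.
gate_decide() {
    req=$1
    # Accept only lowercase letters, digits, dash and space, so quotes,
    # ';', '$', '/' and newlines never reach a command line.
    case $req in
        ''|*[!a-z0-9\ -]*) return 1 ;;
    esac
    case $req in
        disk-usage)  echo "df -h" ;;
        backup-etc)  echo "tar -czf /var/backups/etc.tgz -C / etc" ;;
        "restart sshd"|"restart cron")
                     echo "service ${req#restart } restart" ;;
        *)           return 1 ;;
    esac
}

gate_main() {
    if cmd=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t root-gate "allow: $cmd"
        exec $cmd    # word-split on purpose: cmd comes from the table above
    fi
    logger -t root-gate "deny: ${SSH_ORIGINAL_COMMAND:-<interactive>}"
    echo "root-gate: request not permitted" >&2
    return 1
}

# Dispatch only when invoked under the installed name, so sourcing is safe.
case $0 in
    */root-gate) gate_main ;;
esac
```

The same allow-list idea applies to the sudo NOPASSWD route suggested earlier in the thread: the unprivileged account is granted specific commands, not a root shell.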
