
#1 2012-03-19 05:59:26

frostyfrog
Member
From: Utah, USA
Registered: 2011-03-27
Posts: 42

[SOLVED] Allowing root ssh?

Do you guys think it would be a good idea if I allowed root ssh on a system that only allows key authentication? I gave the root user a 4096 byte (or at least I think it was byte) long key, just because I want an even smaller chance of someone getting in. Is it possible to run two instances of sshd on boot-up, both using different configs?
Basically, this is what I would like to do https://wiki.archlinux.org/index.php/Pa … cman_cache using sshfs. During my first attempt, I had the issue of all of my ownership rights being changed from root:root to frosty:users. Then I moved to giving root access, and I haven't really moved on (I've only done basic testing) because I want to know your guys' opinion on whether or not this is a good idea, and if it's possible to make it even more secure. I know allowing root login over ssh is a big taboo in the *nix world, but it is the only solution that I could find to fix this and clear some needed disk space.

my basic(ish) config (with non-related settings to login mostly stripped out):

port 4000 # i'm hoping to use a different port for root access over only the LAN
protocol 2
addressfamily any
listenaddress 0.0.0.0:4000 # same as above comment
usepam 1
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
permitrootlogin yes # would be disabled on the normal port
rsaauthentication yes
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapicleanupcredentials yes
passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication no
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
useprivilegeseparation yes

*heads off to bed for the night*

Last edited by frostyfrog (2012-04-22 04:01:20)


{arch32} {subtlewm}{Acer Aspire One AO532h}
{arch64} {Headless Server}
Grrr! 400 char limit


#2 2012-03-19 07:07:52

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,176

Re: [SOLVED] Allowing root ssh?

frostyfrog wrote:

Do you guys think it would be a good idea if I allowed root ssh on a system that only allows key authentication?

No.

There is no need and much at stake.

Last edited by /dev/zero (2012-03-19 07:08:12)


Linux is NOT Windows | The Rootless Root
Toshiba Satellite i5-3230M 2.6GHz CPUs, 4Gb RAM, ArchLinux, wmii, nVidia GeForce GT 740M.


#3 2012-03-19 07:30:28

KingX
Member
From: Fremont, CA
Registered: 2010-03-24
Posts: 321

Re: [SOLVED] Allowing root ssh?

Yeah, I can't think of a reason why you'd want root login, when you can log in as a user and then escalate your privileges as needed.


#4 2012-03-19 10:13:05

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,092

Re: [SOLVED] Allowing root ssh?

KingX wrote:

Yeh I can't think of a reason why you want root login

Might want to actually read the OP then, he listed one.

@frostyfrog: lock it down by IP and/or force it into a chroot.

PermitRootLogin No

Match Address 1.2.3.4
    PermitRootLogin yes
    ChrootDirectory /var/cache/pacman/pkg
    ForceCommand internal-sftp

NFS is a better solution, though.
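Added example (not code from the thread or from any poster): a small audit that reads sshd_config text the way sshd does (case-insensitive keywords, first value wins, a Match block overrides the global value for matching connections) and reports where root can log in. It is run here against a cut-down copy of the OP's config and the Match block above; the default value for a missing PermitRootLogin is passed in because it differs by OpenSSH version.

```python
# Added example (not from the thread): audit sshd_config text for where root
# login is allowed. Keywords are case-insensitive, the first value seen wins,
# and a Match block overrides the global value for connections it matches.
OP_CONFIG = """
permitrootlogin yes # would be disabled on the normal port
pubkeyauthentication yes
passwordauthentication no
"""

MATCH_CONFIG = """
PermitRootLogin No
Match Address 1.2.3.4
    PermitRootLogin yes
    ChrootDirectory /var/cache/pacman/pkg
    ForceCommand internal-sftp
"""

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]) with lower-cased keys."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)              # "Keyword value" form only
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        elif current is None:
            global_opts.setdefault(key, value)   # first occurrence wins
        else:
            current.setdefault(key, value)
    return global_opts, blocks

def audit_root_login(text, default_root="yes"):
    """default_root: 'yes' in OpenSSH of the thread's era, 'prohibit-password' since 7.0."""
    g, blocks = parse_sshd_config(text)
    root = g.get("permitrootlogin", default_root).lower()
    passwords = g.get("passwordauthentication", "yes").lower() == "yes"
    report = {"global_root": root,
              "root_from_anywhere": root != "no",  # reachable without any Match
              "root_with_password": root == "yes" and passwords, "match_root": []}
    for criteria, opts in blocks:                 # a Match inherits the global value
        if opts.get("permitrootlogin", root).lower() != "no":
            report["match_root"].append({"criteria": criteria, "chroot": opts.get(
                "chrootdirectory"), "forcecommand": opts.get("forcecommand")})
    return report
```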


#5 2012-03-19 10:32:23

Blµb
Member
Registered: 2008-02-10
Posts: 223

Re: [SOLVED] Allowing root ssh?

I think it would be better to just have the packages owned by a separate user used for this job only.
Since the packages are actually readable by any user, packages put there by the remote machine would be owned by that user, sure, and packages put there by the local machine are owned by root.
Both could still read from it, and it's not like you usually want a package to be overwritten - since the point of it is to share the downloaded packages.

Thinking about this even further, I personally would give every machine its own user, so I can a) see which package came from which machine, and b) easily lock single machines out even in a DHCP LAN environment.
Plus, it would keep the remote machines from deleting the packages on the local machine.

So basically it boils down to how you want to really manage things: Which machine gets what kind of access etc.


You know you're paranoid when you start thinking random letters while typing a password.
A good post about vim
Python has no multithreading.


#6 2012-03-21 23:22:16

Isola
Member
Registered: 2010-02-02
Posts: 99

Re: [SOLVED] Allowing root ssh?

Could this work?

darkhttpd /var/cache/pacman/pkg --chroot --daemon --uid nobody --gid nobody

Then this at the top of every /etc/pacman.d/mirrorlist except the sharing machine:

Server = http://the_machine_sharing_the_cache:8080


#7 2012-04-22 04:00:41

frostyfrog
Member
From: Utah, USA
Registered: 2011-03-27
Posts: 42

Re: [SOLVED] Allowing root ssh?

I've been meaning to mark this as solved and post my solution, sorry! Anyway, I first followed falconindy's advice, then I put

/mnt/RAID/pacman 192.168.0.4(rw,sync,no_root_squash)

in /etc/exports after I had copied all of my packages over to my server.

Then I put

192.168.0.8:/mnt/RAID/pacman/ /var/cache/pacman/pkg/ nfs defaults 0 0

in /etc/fstab. Works like a charm (of course, normally someone might want to combine both sets of packages, but I don't always update my server to the latest version; it has a current uptime of 60 days and I plan on updating it once I decide it is an appropriate maintenance time...).

Now to mark as [Solved].
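Added example (not from the thread): a check over /etc/exports entries that reports, per client, whether the share is writable, whether no_root_squash maps the client's root to root on the server, and whether the host part is the wildcard. The first sample line is the export posted above; the other two are constructed.

```python
# Added example (not from the thread): audit /etc/exports entries for clients
# that can write to a share with their root user mapped to the server's root.
# exports(5) applies root_squash unless no_root_squash is given; a client
# spec with no host part (e.g. "(rw)") exports to every host.
import re

SAMPLE_EXPORTS = """
/mnt/RAID/pacman 192.168.0.4(rw,sync,no_root_squash)
/srv/iso *(ro)
/srv/shared 192.168.0.0/24(rw)
"""

def parse_exports(text):
    """Return a list of (path, host, option_set), one entry per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            host = m.group(1) or "*"                  # bare "(opts)" means everyone
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, host, opts))
    return entries

def audit_exports(text):
    """Per client: writable? remote root kept as root? exported to the world?"""
    findings = []
    for path, host, opts in parse_exports(text):
        findings.append({
            "path": path, "host": host,
            "writable": "rw" in opts,
            "remote_root_is_root": "no_root_squash" in opts,
            "world": host == "*",
        })
    return findings
```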



