Arch Linux

dtjohnst

Member

Registered: 2007-03-01

Posts: 85

[SOLVED] Root access for remote commands via ssh

Hey folks,

I'm hoping you can help me with a security-related question. I've got 2 linux boxes, one of which sometimes needs to send commands over SSH from a script. The bad news is that one of the things I need to do is start/stop services, so I need to be able to send systemctl commands over ssh. Is there a best practice for this while minimizing security risks? Unfortunately, the computer receiving the commands is also the one that needs to have outside access to ssh. For now root login via ssh is disabled. My main user account logs in via public key. I could enable root access login via public key as well, I know that's generally considered "best" if root access is absolutely needed but it's really only needed for this one thing. However, I'm wondering if there's an alternative. For example, allowing sudo from my user account without a password for only the command I need to run might work... but is that better when it's systemctl I'm allowing access to? I do have a spare raspberry pi that I could use as an intermediary between the outside world and my machines instead of just port forwarding from my router, but I'm not sure that's necessarily better. It certainly would add an extra step for me, and if someone did get in there, I'd still have a machine with root access out there. Would it be better to just remotely execute a script that only starts and stops the services in question (which if someone manages to do isn't the end of the world, they're just some seedbox/NAS services) with the SUID/GUID bit set as root or is that an even worse idea? Is there another alternative?

Any advice or feedback is welcome.

/DJ

Last edited by dtjohnst (2016-09-22 23:11:52)

basica

Member

From: Australia

Registered: 2012-10-31

Posts: 217

Re: [SOLVED] Root access for remote commands via ssh

I'm not an expert, so perhaps there will be better ideas than this, but I came across this in a search.Essentially it's doing what you were thinking (sudo-ing without a password) but for a subset of commands. If you went this route, it may even be ideal to have a user created just for this purpose with their access limited.

ayekat

Member

Registered: 2011-01-17

Posts: 1,589

Re: [SOLVED] Root access for remote commands via ssh

The bad news is that one of the things I need to do is start/stop services, so I need to be able to send systemctl commands over ssh.

What kind of services are we talking about? Are you sure you cannot run them as user services? This would make the root-permission thing a non-issue.

Would it be better to just remotely execute a script that only starts and stops the services in question (which if someone manages to do isn't the end of the world, they're just some seedbox/NAS services) with the SUID/GUID bit set as root or is that an even worse idea?

Unfortunately you cannot set a SUID/GUID bit on scripts. You'd need to create a binary executable.

---

pkgs │ hacks │ cfg │ blag

qinohe

Member

From: Netherlands

Registered: 2012-06-20

Posts: 1,494

Re: [SOLVED] Root access for remote commands via ssh

However, I'm wondering if there's an alternative. For example, allowing sudo from my user account without a password for only the command I need to run might work... but is that better when it's systemctl

Hi, what I would do in this case is , to allow SSH to only run this command by a user in a certain group.

Prepend this to your authorized_keys

command="sh path/to/your-script.sh"

I use it to only send check_mk (nagios) monitoring info over SSH with a password less key, to the server, and nothing else is allowed.
Hope this helps you.

dtjohnst

Member

Registered: 2007-03-01

Posts: 85

Re: [SOLVED] Root access for remote commands via ssh

I'm not an expert, so perhaps there will be better ideas than this, but I came across this in a search.Essentially it's doing what you were thinking (sudo-ing without a password) but for a subset of commands. If you went this route, it may even be ideal to have a user created just for this purpose with their access limited.

This may be the best idea. I just realized I also need access to mount/unmount drives so adding just 4 or 5 specific command to sudoers seems the most limiting, especially if it's a user that isn't in wheel and therefore can't do anything else. None of the services I need to work with pose problems even if, worst case, someone manages to break in and start/stop them.

The bad news is that one of the things I need to do is start/stop services, so I need to be able to send systemctl commands over ssh.

What kind of services are we talking about? Are you sure you cannot run them as user services? This would make the root-permission thing a non-issue.

Would it be better to just remotely execute a script that only starts and stops the services in question (which if someone manages to do isn't the end of the world, they're just some seedbox/NAS services) with the SUID/GUID bit set as root or is that an even worse idea?

Unfortunately you cannot set a SUID/GUID bit on scripts. You'd need to create a binary executable.

I didn't know they didn't work on scripts. Good to know. Unfortunately while one can be run as a user script, the other count and I also just realized I also need access to mount.

However, I'm wondering if there's an alternative. For example, allowing sudo from my user account without a password for only the command I need to run might work... but is that better when it's systemctl

Hi, what I would do in this case is , to allow SSH to only run this command by a user in a certain group.

Prepend this to your authorized_keys

command="sh path/to/your-script.sh"

I use it to only send check_mk (nagios) monitoring info over SSH with a password less key, to the server, and nothing else is allowed.
Hope this helps you.

Something like this seems like it will be my best option.

Thanks everyone.