[Novalug] ssh as root ( was Re: RHEL question RE service start configuration)
jbholland at gmail.com
Tue Mar 6 09:40:15 EST 2012

On 3/5/12 8:25 PM, bidwell wrote:
> On 03/05/2012 05:39 PM, John Holland wrote:
>> I know you are speaking the standard wisdom but I have a question. If
>> you set up sudo to give you root,
>> then your user-level password is effectively a root password. How is it
>> any safer to send that over the network?
>> I think you may reply that your sudo would only be able to run a few
>> specific commands. If you can be that disciplined, I guess then it makes
>> some sense. But wouldn't that require carefully selecting those commands
>> while in front of the box? That might be a hard thing for someone not
>> sure what they want to run.
>> The reason I say this is my initial response to Jay was that he could
>> ssh to localhost as root in order to get a root GUI window for the one
>> (GUI) command he needed to run as root. I think this only works though
>> if you are allowing root ssh logins.
>> On 03/04/2012 12:59 PM, Dan Lavu wrote:
>>> There are two major reasons why you should not directly log in as root. Through SSH, you do not want to send *the* password across the network if you do not have to. ....................sudo..............
> I would give different reasons for using sudo. Not allowing ssh root
> login is a given,

This is what I'm asking about. ("not allowing ssh root login")
If you can't log in as root, then to do root tasks you have to su or
sudo. If it's su, then you're sending the root password. If it's sudo,
then either A) you can basically be root by using your regular password,
which means your regular password is in effect root; or
B) you can only execute limited commands via sudo.
If it is B, then that kind of makes sense, but what do you do when you
need to run something as root that you didn't plan for in setting up sudo?
I know that blocking root login via ssh is standard, but I've never
understood why. The only real reason I would have to be able to do so
is to run X apps as root via ssh - I have found that to be handy though.
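
The A/B distinction in the message above can be checked against a sudoers file. The following is an added example, not part of the original post: it labels each rule as case A (the account's own password is in effect root) or case B (limited commands). The sample rules, the `classify` helper and the `SHELL_ESCAPES` list are constructed for illustration; aliases and line continuations are not expanded, and every rule is assumed to run as root.

```python
import re

# Constructed sample sudoers content (not taken from any real host).
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
alice   ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /sbin/service httpd restart, /usr/bin/tail /var/log/messages
carol   ALL=(root) /usr/bin/vim /etc/hosts
"""

SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# who  host = [(runas)]  [TAG: ...]  command list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")
# Programs that can start a shell, so a "limited" rule granting one of
# them is really case A. Illustrative list, not exhaustive.
SHELL_ESCAPES = {"vi", "vim", "less", "more", "bash", "sh", "python", "perl", "find"}

def classify(sudoers_text):
    """Return [(who, case, notes)]; case is 'A' (password is in effect root)
    or 'B' (limited commands), using the labels from the post."""
    results = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, tags, cmds = m.groups()
        commands = [c.strip() for c in cmds.split(",")]
        notes = []
        if "NOPASSWD:" in tags:
            notes.append("no password prompt")
        if "ALL" in commands:
            case = "A"
        else:
            binaries = {c.split()[0].rsplit("/", 1)[-1] for c in commands}
            risky = sorted(binaries & SHELL_ESCAPES)
            case = "A" if risky else "B"
            if risky:
                notes.append("shell escape via " + ", ".join(risky))
        results.append((who, case, notes))
    return results

if __name__ == "__main__":
    for who, case, notes in classify(SAMPLE_SUDOERS):
        print(f"{who:8} case {case}  {'; '.join(notes)}")
```

A rule that looks like case B but grants an editor or pager is reported as case A, because the command itself can hand back a root shell.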