[clug] .bash_aliases and .bashrc

Scott Ferguson scott.ferguson.clug at gmail.com
Sat Oct 18 19:11:03 MDT 2014


On 19/10/14 11:16, steve jenkin wrote:
> 
> On 19 Oct 2014, at 7:41 am, George at Clug <Clug at goproject.info> 
> wrote:
> 
>> … so far I do not often use scripts, when I do they are run as 
>> root, so I use su and then run in the terminal as root until I use 
>> 'exit' to exit from su.
> 
> 
> Old habits die hard :( I find myself involuntarily entering
> "ctrl-D", not “exit”, when done with programmes.
> 
> On ‘sudo’ and friends: I’ve heard some people use ‘ssh 
> root@localhost’, not su or sudo.

Yes, I've heard of it (passkey-without-passphrase authentication), and
seen the results.
BP OpSec is *not* to *ever* ssh as root -
instead ssh as a user, with passkey authentication, then elevate as root
*only* if running commands with root privileges won't do the job.

I've also seen (using ps) the use of "sshpass -p" in scripts to run
commands as root. :(

> 
> It requires credentials to be setup and of course you’ve turned off 
> accepting a password for root in sshd_config :)
At its simplest, yes (don't forget PAM). Login as root *should* not be
enabled. I don't know about other distros, but that is the (recent)
default. Though I 'suspect' those that use NOPASSWD in sudo will remove
the ssh no-shoot-foot restrictions too.

There's a host of ssh shoot-foot possibilities - I profess an incomplete
understanding of them all:-
ChallengeResponseAuthentication, BatchMode,
EnableSSHKeysign, ForwardX11, PasswordAuthentication and quite a few
others (if changed from the secure defaults).

Formerly shoot-foot only required:-
$ ssh-keygen # hit Enter till done i.e. no passphrase
$ ssh-copy-id root@localhost # supply password once only to make
privilege escalation easier for everyone and everything

Tangentially (ssh 'is' a tangent) a good practice is to include the
following (though not necessarily my choice of cipher) in ~/.ssh/config
*and* /etc/ssh/ssh_config[*1]:-

        Host *
        Ciphers blowfish-cbc

Lest people forget to encrypt their ssh sessions.

[*1] as I'm uncertain (failed to test) whether user preferences
over-ride the system default.


> 
> Any comments on this practice?

The cost of security is inconvenience??

> 
> 
> 
> -- Steve Jenkin, IT Systems and Design 0412 786 915 (+61 412 786 915)
> PO Box 48, Kippax ACT 2615, AUSTRALIA
> 
> mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
> 


Kind regards
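Added example, not part of the post above or of OpenSSH itself: a small POSIX sh script that checks the sshd settings the thread turns on (root login over ssh, password and keyboard-interactive/PAM logins, public-key auth) straight from an sshd_config, and settles footnote [*1] by showing which Ciphers line wins when both ~/.ssh/config and /etc/ssh/ssh_config set one. It relies on two facts from the OpenSSH manual pages: keywords are case-insensitive and the first value found for a keyword wins, and the client reads the user file before the system file. It assumes only global settings (no Match or Host stanzas are modelled), and all sample config files are constructed inline so it runs offline with no ssh binary installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config for the
# settings discussed in the thread, and show ssh_config precedence.
# POSIX sh + awk only; no ssh binary needed.  Assumption: only global
# settings are modelled, Match and Host stanzas are ignored.

# effective_value KEYWORD FILE...  Print the first value of KEYWORD found
# in the files, searched in order ("key value" or "key=value" form),
# else "default".  First match wins, exactly as OpenSSH resolves it.
effective_value() {
    _want=$1; shift
    _val=$(awk -v want="$_want" '
        { sub(/^[ \t]+/, "") }        # drop leading blanks
        /^(#|$)/ { next }             # skip comments and empty lines
        {
            n = split($0, f, "[ \t=]+")
            if (n >= 2 && tolower(f[1]) == tolower(want)) { print f[2]; exit }
        }' "$@")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else echo default; fi
}

# audit_sshd FILE  One line per setting that leaves the door open the way
# the post warns about.  Unset keywords count too: the sshd defaults for
# PasswordAuthentication and ChallengeResponseAuthentication are "yes",
# and with UsePAM keyboard-interactive becomes a plain password prompt.
audit_sshd() {
    _v=$(effective_value PermitRootLogin "$1")
    case $_v in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin=$_v: root should never log in over ssh" ;;
    esac
    _v=$(effective_value PasswordAuthentication "$1")
    if [ "$_v" != no ]; then
        echo "PasswordAuthentication=$_v: password logins are on"
    fi
    _v=$(effective_value ChallengeResponseAuthentication "$1")
    if [ "$_v" != no ]; then
        echo "ChallengeResponseAuthentication=$_v: PAM still takes a password"
    fi
    _v=$(effective_value PubkeyAuthentication "$1")
    if [ "$_v" = no ]; then
        echo "PubkeyAuthentication=no: key-based login is disabled"
    fi
}

# weak_count FILE  Number of audit_sshd findings, as a bare integer.
weak_count() {
    audit_sshd "$1" | awk 'END { print NR }'
}

# write_sample_sshd weak|hardened FILE  Constructed sample configs:
# the "shoot-foot" server, and one set up the way the post recommends.
write_sample_sshd() {
    case $1 in
        weak) cat >"$2" <<'EOF'
# "ssh root@localhost" with a password works against this server
PermitRootLogin yes
UsePAM yes
# a later duplicate does NOT override the line above: first value wins
PermitRootLogin no
EOF
        ;;
        hardened) cat >"$2" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
EOF
        ;;
    esac
}

# client_ciphers  Which Ciphers line wins when both the user's and the
# system's ssh_config (constructed here) set one: the user file is read
# first, so it wins.  The stanza keyword is "Host *", and the SSH-2
# keyword is "Ciphers"; "Cipher" was the protocol-1 option.
client_ciphers() {
    _u=${TMPDIR:-/tmp}/ssh_config.user.$$
    _s=${TMPDIR:-/tmp}/ssh_config.sys.$$
    printf 'Host *\n    Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com\n' >"$_u"
    printf '# system file, read after ~/.ssh/config\nHost *\n    Ciphers blowfish-cbc\n' >"$_s"
    effective_value Ciphers "$_u" "$_s"
    rm -f "$_u" "$_s"
}

main() {
    _t=${TMPDIR:-/tmp}/sshd_config.$$
    for _kind in weak hardened; do
        write_sample_sshd "$_kind" "$_t"
        echo "== $_kind sshd_config: $(weak_count "$_t") finding(s) =="
        audit_sshd "$_t"
    done
    rm -f "$_t"
    echo "== effective client Ciphers: $(client_ciphers) =="
}
main
```

Point `audit_sshd` at a real /etc/ssh/sshd_config (global section only) to get the same three findings the weak sample produces on a box where root can still log in with a password; the duplicate PermitRootLogin line in that sample is there to show that appending `PermitRootLogin no` at the bottom of a file does nothing if an earlier `yes` is still present.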

