[clug] .bash_aliases and .bashrc
scott.ferguson.clug at gmail.com
Sat Oct 18 19:11:03 MDT 2014
On 19/10/14 11:16, steve jenkin wrote:
> On 19 Oct 2014, at 7:41 am, George at Clug <Clug at goproject.info>
>> … so far I do not often use scripts, when I do they are run as
>> root, so I use su and then run in the terminal as root until I use
>> 'exit' to exit from su.
> Old habits die hard :( I find myself involuntarily entering
> "ctrl-D", not “exit”, when done with programmes.
> On ‘sudo’ and friends: I’ve heard some people use ‘ssh
> root@localhost’, not su or sudo.
Yes, I've heard of it (passkey without passphrase authentication, and
seen the results).
BP OpSec is *not* to *ever* ssh as root -
instead ssh as a user, with passkey authentication, then elevate as root
*only* if running commands with root privileges won't do the job.
I've also seen (using ps) the use of "sshpass -p" in scripts to run
commands as root. :(
> It requires credentials to be set up and of course you’ve turned off
> accepting a password for root in sshd.config :)
At its simplest, yes (don't forget PAM). Login as root *should* not be
enabled. I don't know about other distros, but that is the (recent)
default. Though I 'suspect' those that use NOPASSWD in sudo will remove
the ssh no-shoot-foot restrictions too.
There's a host of ssh shoot-foot possibilities - I profess an incomplete
understanding of them all:-
EnableSSHKeysign, ForwardX11, PasswordAuthentication and quite a few
others (if changed from the secure defaults).
Formerly shoot-foot only required:-
$ ssh-keygen # hit Enter till done i.e. no passphrase
$ ssh-copy-id root@localhost # supply password once only to make
                             # privilege escalation easier for everyone and everything
Tangentially (ssh 'is' a tangent) a good practice is to include the
following (though not necessarily my choice of cipher) in ~/.ssh/config
Lest people forget to encrypt their ssh sessions.
[*1] as I'm uncertain (failed to test) whether user preferences
over-ride the system default.
> Any comments on this practice?
The cost of security is inconvenience??
> -- Steve Jenkin, IT Systems and Design 0412 786 915 (+61 412 786 915)
> PO Box 48, Kippax ACT 2615, AUSTRALIA
> mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
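
An added example, not part of the original message and not an OpenSSH tool: a small shell audit that flags the options the reply names as shoot-foot settings (EnableSSHKeysign, ForwardX11, PasswordAuthentication) plus root login via PermitRootLogin. The function name audit_ssh_config, the constructed sample config, and the choice to ignore Host/Match scoping are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit_ssh_config is a hypothetical helper, not an OpenSSH tool.
# Reads sshd_config or ssh_config text on stdin and prints "line N: Keyword value"
# for each setting that enables one of the shoot-foot options discussed above.
# Simplification: Host/Match scoping and Include files are ignored, so a risky
# line is reported wherever it appears.
audit_ssh_config() {
    awk '
    /^[ \t]*#/ { next }                          # comment
    /^[ \t]*$/ { next }                          # blank line
    {
        line = $0
        sub(/^[ \t]+/, "", line)                 # indented lines under Host/Match
        sub(/[ \t]*=[ \t]*/, " ", line)          # accept the "Keyword=value" form
        n = split(line, f, /[ \t]+/)
        if (n < 2) next
        key = tolower(f[1])                      # keywords are case-insensitive
        val = tolower(f[2]); gsub(/"/, "", val)  # values may be quoted
        risky = 0
        # Any value other than "no" still lets root log in by some method.
        if (key == "permitrootlogin" && val != "no") risky = 1
        if (key == "passwordauthentication" && val == "yes") risky = 1
        if (key == "forwardx11" && val == "yes") risky = 1
        if (key == "enablesshkeysign" && val == "yes") risky = 1
        if (risky) printf "line %d: %s %s\n", NR, f[1], f[2]
    }'
}

# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG='# constructed sample
PermitRootLogin yes
passwordauthentication=yes
PubkeyAuthentication yes
Host *
    ForwardX11 yes
    EnableSSHKeysign no
#PermitRootLogin no
PermitRootLogin no'

printf '%s\n' "$SAMPLE_CONFIG" | audit_ssh_config
```

To check a live host, feed it the effective configuration instead of the file, for example the output of `sshd -T` run as root, which already resolves defaults and includes.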