4

It's a common suggestion from security-minded people to disable ssh as root on Linux boxes. My question is this:

Let's say you normally write lots of scripts which ssh to a large number of Linux boxes and perform various root-level tasks. If you disable ssh as root, how do you go about your daily maintenance that requires root privileges?

Of course, sudo is an option, but then you have to type your password each time you run a command. what if your scripts perform a variety of tasks? What if you have to run that script against a large number of hosts?

Of course, you could set the NOPASSWD parameter, but isn't that a security risk?

Just musing here. Want to get the community's feedback. I'm looking for a relatively secure way to ssh to Linux boxes and perform root-level tasks.

Martin Schröder
  • 315
  • 1
  • 5
  • 24
beaconfield
  • 123
  • 1
  • 1
  • 7
  • I think the tag [remote-execution](http://serverfault.com/questions/tagged/remote-execution) fits your question well, but you already have five tags. – Nic Aug 18 '13 at 15:17

4 Answers4

6

There are many things you can do. This is a partial list:

  • If the script really must run periodically, put it in crontab, and stop running it manually.

  • Use a system such as MCollective (related to, but not quite exactly part of puppet) to run commands remotely on large numbers of machines at once.

  • Use ssh keys to permit root logins from specific users. This carries an audit risk, in that the person who logged in may not be logged, so it's really only appropriate for very small installations.

  • In /etc/sudoers specify only the specific scripts that can be run without a password; anything else would require a password.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • Small point: Mcollective is written and maintained by Puppetlabs, but it works independently of Puppet. No need for running a Puppet infrastructure to make use of Mcollective. Of course, the two go very well together. – daff Mar 12 '13 at 23:12
4

If you regularly "write script to run tasks as root over ssh", you should seriously consider setting up Puppet/Chef/CFEngine/Ansible/Salt/Rundeck .

Not Now
  • 3,552
  • 18
  • 19
2

You don't have to type the password each and every time: If you run sudo within relatively short time you don't have to type it. If there are longer tasks needed one can run sudo -s to get a root shell.

A benefit of using sudo for this over direct ssh as root is that a) you don't have to share a root password over multiple people b) can read logs to figure out who sudo'ed. This might not be necessary as long as you are alone, but that might change.

johannes
  • 583
  • 2
  • 10
  • I like this idea. I was able to create a script that passes a sudo -s to /bin/bash and then used a heredoc to list commands to be run as root on the boxes. This has worked pretty damn well. – beaconfield Mar 18 '13 at 18:40
2

If there are a few specific commands that you need to execute, you can set up sudo (via the /etc/sudoers file) to allow a particular list of users (and/or groups) to execute those commands without a password.

Moshe Katz
  • 3,112
  • 5
  • 28
  • 43