[OpenIndiana-discuss] ssh root login

Ray Butler raymond.butler at gmail.com
Sun Jan 13 02:20:54 UTC 2013


You could also run a second ssh instance (port 26) and set up a trusted
host configuration. For this instance set PermitRootLogin to yes and reset
the public ssh access (port 22) to PermitRootLogin no. It's more legwork,
as you'd need to package another ssh installation, but it would safeguard
your setup as only hosts defined as authorized hosts will be able to ssh as
root. We did this internally at Sun and I'm trying to get my current
employer to look at this as we don't allow sudo and we have to ssh as a
normal user then su to root.

Ray


On Sat, Jan 12, 2013 at 9:02 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:

> On Sat, 12 Jan 2013, Gregory S. Youngblood wrote:
>
>> Don't forget by default root is not a regular user account. Or at least
>> it didn't use to be. You may need to issue the command to make root a full
>> account before you can ssh to the root account.
>>
>> Also, depending on what you're doing, you might consider ssh to a regular
>> user and then escalate via sudo or pfexec instead of ssh to the root user
>> directly.
>>
>
> Yes, I agree that this approach would be better.  The main problem is that
> I intentionally have a wide variety of systems (hope to add more) and each
> one behaves a little differently.  I would need to create a new user
> account on all the systems and add a way to accomplish the
> equivalent of 'sudo' on all those systems (perhaps via a suid wrapper).
>
> Bob
> --
> Bob Friesenhahn
> bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
>



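The two-instance layout described at the top of this message, as an added example that is not part of the thread or anyone's actual configuration: a small check over two constructed sshd_config files. The file paths, the 192.0.2.x addresses and the use of AllowUsers user@host entries (OpenSSH syntax) as the "trusted host" restriction are assumptions; the message does not say which mechanism was used.

```python
# Added example. Both configs are constructed; paths and addresses are assumptions.
PUBLIC = """\
# public instance, e.g. /etc/ssh/sshd_config
Port 22
PermitRootLogin no
"""
ADMIN = """\
# second instance, e.g. /etc/ssh/sshd_config.admin
Port 26
PermitRootLogin yes
# Assumed form of the trusted-host restriction: root only from listed hosts.
AllowUsers root@192.0.2.10 root@192.0.2.11
"""

def global_settings(text):
    """Parse global sshd_config options into {keyword: [args]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, args = parts[0].lower(), (parts[1].split() if len(parts) > 1 else [])
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key == "allowusers":
            settings.setdefault(key, []).extend(args)  # repeated lines accumulate
        else:
            settings.setdefault(key, args)  # first occurrence wins
    return settings

def audit(public, admin):
    """Return findings; an empty list means the split matches the layout."""
    pub, adm = global_settings(public), global_settings(admin)
    findings = []
    # The built-in PermitRootLogin default varies by sshd version: require it explicitly.
    if pub.get("permitrootlogin") != ["no"]:
        findings.append("public instance does not set PermitRootLogin no")
    if pub.get("port", ["22"]) == adm.get("port", ["22"]):
        findings.append("both instances use the same port")
    if adm.get("permitrootlogin") == ["yes"]:
        allowed = adm.get("allowusers", [])
        if not allowed:
            findings.append("root-enabled instance has no AllowUsers restriction")
        for entry in allowed:
            _, _, host = entry.partition("@")
            if not host or "*" in host or "?" in host:
                findings.append("AllowUsers entry not pinned to a host: " + entry)
    return findings
```

Calling audit(PUBLIC, ADMIN) returns an empty list for the layout above; each instance would be started against its own file with sshd -f.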