
| Subject: | RE: remote ssh for root |
|---|---|
| Date: | Wed, 18 May 2005 08:25:15 -0700 |
This does not seem to work either. Per the man page, with the
forced-commands-only option set, you have to have the command option set.
Also, if you use that key it executes what is specified in the command
option. Thanks for the effort though. It just appears that ssh does not
have the capability to prevent an actual login, but allow remote command
execution as root.
Thanks,
Dan
Mark Senior <Mark.Senior@gov.ab.ca>
05/10/2005 07:58 AM
To: Daniel Engelsen/PCSHS@PCSHS
cc: secureshell@securityfocus.com
Subject: RE: remote ssh for root
Sure - just don't specify any 'command' limits, only 'from' limits.
Like I said, it's optional to apply limits at all - the default is
always to allow everything.
Mark
-----Original Message-----
From: daniel.engelsen@caremark.com [mailto:daniel.engelsen@caremark.com]
Sent: May 9, 2005 09:46
To: Mark Senior
Cc: secureshell@securityfocus.com
Subject: RE: remote ssh for root

I was playing around with that, but I really don't want to limit the commands that may be run as root from this trusted host. Is there a way to say ALL commands like there is in sudo?

Thanks,
Dan

Mark Senior <Mark.Senior@gov.ab.ca>
05/09/2005 08:32 AM
To: Daniel Engelsen/PCSHS@PCSHS
cc: secureshell@securityfocus.com
Subject: RE: remote ssh for root

OK, I see what you mean. How about this - don't know if it exactly meets what you need, but it should get you close:

If you're using the openssh 4 ssh server (and this is likely present in earlier versions, I haven't checked), set PermitRootLogin to "forced-commands-only". This allows root login with public key authentication only, and only when a specific command has been specified for execution.

Then, make a keypair for root, and put the private key only on the one trusted admin box (with appropriate. Add to the start of the relevant line in .ssh/authorized_keys2 file the limitation:

from="trustedhost.my.domain"

Optionally, you can apply other limits to the use of the key you've created. For example, limit the command(s) that can be run with that key, by adding

command="/path/to/command"

to the start of the relevant line of root's .ssh/authorized_keys2 file

see the section AUTHORIZED_KEYS FILE FORMAT in the sshd manpage for the list of possibilities.

Hope that helps
Mark

-----Original Message-----
From: daniel.engelsen
Sent: May 9, 2005 08:51
To: Mark Senior
Subject: RE: remote ssh for root

I want to have one host that is trusted by the many hosts. From this host, I want to be able to perform a remote ssh to the many boxes as root; however, I do not want to allow direct root login on any of the servers. If you want to be root, I want the user to have to su to the root id. Also, I do not want to limit what commands I can run as root on these boxes from this trusted host.

Thanks,
Dan

Mark Senior
To: Daniel Engelsen
Subject: RE: remote ssh for root

I'm sorry, could you clarify what you mean exactly? I'm not sure what you mean, to ssh as root, without logging in as root via ssh. I suppose just using su or sudo wouldn't cut it?

Thanks
Mark

-----Original Message-----
From: daniel.engelsen
Sent: May 6, 2005 10:22
To: secureshell@securityfocus.com
Subject: remote ssh for root

I would like to setup a trusted host that utilizes ssh; however, I do not want root to be loginable. If I set PermitRootLogin to no, then the remote ssh function stops as well. Does anyone know of a way to be able to do remote ssh's as root without allowing root to be able to login? I am using AIX versions 5.1, 5.2, and 5.3, and we are running ssh versions 3.6 and 3.8. Any ideas would be greatly appreciated.

Thanks,

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
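The interaction discussed in this thread, as an added example that is not part of the original messages: a small audit of root's authorized_keys entries that reports which keys sshd would refuse under PermitRootLogin forced-commands-only (no command= option) and which carry no from= restriction. The sample file contents, key blobs and the function names parse_options and audit are constructed for illustration.

```python
import re

# Constructed sample of root's authorized_keys; key blobs are placeholders.
SAMPLE = '''\
# root keys
from="trustedhost.my.domain" ssh-rsa AAAAEXAMPLE1 root@trustedhost
from="trustedhost.my.domain",command="/path/to/command" ssh-rsa AAAAEXAMPLE2 root@trustedhost
ssh-rsa AAAAEXAMPLE3 root@elsewhere
'''

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# One option: a name, optionally ="value"; the value may contain \" escapes.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')
NO_COMMAND = "refused under forced-commands-only: no command= option"
UNRESTRICTED = "no command= option: any command or an interactive login"
NO_FROM = "no from= option: key is usable from any host"

def parse_options(line):
    """Return one authorized_keys line's options as a dict, or None for
    blank lines, comments and lines with no key after the options."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        return {}                      # no options field at all
    in_quotes = False
    for i, ch in enumerate(line):      # options end at the first unquoted blank
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            break
    else:
        return None
    return {m.group(1).lower(): m.group(2) for m in OPTION.finditer(line[:i])}

def audit(text, permit_root_login="forced-commands-only"):
    """Return (line number, finding) pairs for root's authorized_keys text."""
    forced = permit_root_login == "forced-commands-only"
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        opts = parse_options(line)
        if opts is None:
            continue
        if "command" not in opts:
            findings.append((n, NO_COMMAND if forced else UNRESTRICTED))
        if "from" not in opts:
            findings.append((n, NO_FROM))
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```
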