[Discuss] PSA: no root login for SSH

[Kent Borg]

On 12/24/20 9:18 AM, Daniel Barrett wrote:
> On December 24, 2020, Michael Tiernan wrote:
>> I've got one [user] that every 30secs launches a script that logs in,
>> checks a dir for files then closes. Using his unprotected key.
> Do you mean an SSH key with an empty passphrase? Actually, this can be
> done fairly securely and is particularly good for scripting. Create a
> distinct key pair, with empty passphrase, and on the server side, set
> up authorized_keys to use a forced command (man sshd), e.g.,
> 'command="/bin/ls myfile"'. Even if the private key is stolen, all the
> attacker can do is run "/bin/ls myfile" on the remote system, not a
> login shell.
>
> I'm not saying that Michael's user is doing it this way. :-) But it's
> a reasonable technique.

If what Daniel presumes is correct, I say it *is* the right approach. 
Specific credentials for minimal operations. Want to get fancier? Do a 
less static distribution of keys, and somehow issue them from fewer 
places, not have them at rest in so many places. But fancier is more 
complex and complex is a place to store security holes.

If the every 30-seconds script is trusted with the data, trusting that 
same system with the ability to acquire the same data is reasonable. I 
would suggest some careful bureaucracy to keep track of what keys have 
been created, and where the two halves have been deployed. But now I am 
getting into wishful thinking, next I'll say organizations should keep 
track of all the computers they have deployed, where they are, what they 
do, what other stuff they communicate with and and how. Silly me.

Much easier to just put up a (magic!) firewall, and trust everything on 
the inside. "Oh, and there is a new update for Solarwind! Now we'll be 
even safer!"

-kb, the Kent who has always disliked firewalls, but also the Kent who 
has always though medieval walled towns were a quaint but silly 
alternative to having decent locks on individual doors, so what does he 
know?