BLU Discuss list archive
[Discuss] PSA: no root login for SSH
- Subject: [Discuss] PSA: no root login for SSH
- From: kentborg at borg.org (Kent Borg)
- Date: Thu, 24 Dec 2020 11:48:21 -0800
- In-reply-to: <24548.52596.891133.187692@blazemonger.com>
- References: <CAD9BPTo+2nX+Ty_6DCve7jshE5E+6FjBSeNeFr_NkyuJEGkYiQ@mail.gmail.com> <24548.52596.891133.187692@blazemonger.com>
On 12/24/20 9:18 AM, Daniel Barrett wrote:
> On December 24, 2020, Michael Tiernan wrote:
>> I've got one [user] that every 30secs launches a script that logs in,
>> checks a dir for files then closes. Using his unprotected key.
> Do you mean an SSH key with an empty passphrase? Actually, this can be
> done fairly securely and is particularly good for scripting. Create a
> distinct key pair, with empty passphrase, and on the server side, set
> up authorized_keys to use a forced command (man sshd), e.g.,
> 'command="/bin/ls myfile"'. Even if the private key is stolen, all the
> attacker can do is run "/bin/ls myfile" on the remote system, not a
> login shell.
>
> I'm not saying that Michael's user is doing it this way. :-) But it's
> a reasonable technique.

If what Daniel presumes is correct, I say it *is* the right approach. Specific credentials for minimal operations.

Want to get fancier? Do a less static distribution of keys, and somehow issue them from fewer places, not have them at rest in so many places. But fancier is more complex and complex is a place to store security holes.

If the every 30-seconds script is trusted with the data, trusting that same system with the ability to acquire the same data is reasonable.

I would suggest some careful bureaucracy to keep track of what keys have been created, and where the two halves have been deployed.

But now I am getting into wishful thinking, next I'll say organizations should keep track of all the computers they have deployed, where they are, what they do, what other stuff they communicate with and how. Silly me. Much easier to just put up a (magic!) firewall, and trust everything on the inside. "Oh, and there is a new update for Solarwind! Now we'll be even safer!"

-kb, the Kent who has always disliked firewalls, but also the Kent who has always thought medieval walled towns were a quaint but silly alternative to having decent locks on individual doors, so what does he know?
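The forced-command entry Daniel describes, plus the key-inventory check Kent asks for, as an added example that is not from this thread: the script builds an authorized_keys line pinned to one command with the `restrict` option (OpenSSH 7.2+) and then audits a file for keys that still grant a full login shell. The public key and the hostname are constructed sample values.

```bash
#!/usr/bin/env bash
# Build and audit authorized_keys entries that use a forced command.
# Constructed sample: not a real key, just the right shape for parsing.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialForTheDemoOnly poller@batchhost'

# Emit an authorized_keys line that pins the key to one command and, via
# "restrict", disables pty allocation and all forwarding. An optional third
# argument adds a from= source restriction so the key only works from one host.
forced_key_line() {
    local cmd=$1 pubkey=$2 from=${3:-}
    local opts="restrict,command=\"$cmd\""
    if [ -n "$from" ]; then
        opts="$opts,from=\"$from\""
    fi
    printf '%s %s\n' "$opts" "$pubkey"
}

# Count entries in an authorized_keys file that still grant a login shell:
# lines with no options field at all, or options without command=.
count_unrestricted_keys() {
    local file=$1 n=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                      # blank or comment
            ssh-*|ecdsa-*|sk-*) n=$((n+1)) ;;        # bare key, no options
            *'command="'*) ;;                         # forced command present
            *) n=$((n+1)) ;;                          # options, but no forced command
        esac
    done < "$file"
    echo "$n"
}

# Demo: a constructed authorized_keys with one unrestricted scripting key
# (a full shell if the private half leaks) and one forced-command key.
demo() {
    local f
    f=$(mktemp)
    {
        echo "# unrestricted key used by the 30-second poller"
        echo "$SAMPLE_PUBKEY"
        forced_key_line "/bin/ls myfile" "$SAMPLE_PUBKEY" "10.0.0.5"
    } > "$f"
    count_unrestricted_keys "$f"   # prints 1: only the bare key is unrestricted
    rm -f "$f"
}
```

Running `count_unrestricted_keys ~/.ssh/authorized_keys` on a real server is the quick version of the bookkeeping Kent describes: every nonzero result is a key that gives more than the one job it was issued for.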
- References:
- [Discuss] PSA: no root login for SSH
- From: michael.tiernan at gmail.com (Michael Tiernan)
- [Discuss] PSA: no root login for SSH
- From: dbarrett at blazemonger.com (Daniel Barrett)
- [Discuss] PSA: no root login for SSH