David C. Rankin wrote:
Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes,
no, without-passwd, etc...  Can someone point me in the right
direction?
thanks


There is a very valid and good reason you CAN'T! This is a very bad idea, see the better way below - but, at your own risk:

To set up login without a password:

In your home directory

    cd .ssh
    ssh-keygen -t dsa   (hit return twice for no password)
    cp id_dsa.pub id_dsa.pub.newname   (prevents overwriting id_dsa.pub on the remote machine)
    cp or scp id_dsa.pub.newname to /root/.ssh of the machine you have allowed root logins on (Not a good or secure idea - nevertheless)
    login to that machine
    as root, cd /root/.ssh
    cat id_dsa.pub.newname >> authorized_keys
    logout
    ssh [EMAIL PROTECTED] should now work without a password

(I repeat, allowing root ssh access is NOT a good idea.)

A far better way if you need to conduct business as root over ssh is to:

    On the machine the operations need to be done as root

    as root
    cd /root/.ssh
    ssh-keygen -t dsa
    cp id_dsa.pub id_dsa.pub.othernewname   (I usually append the host name as othernewname)
    scp id_dsa.pub.othernewname [EMAIL PROTECTED]:~/.ssh

    On the machine that doesn't need operations as root

    cd ~/.ssh
    cat id_dsa.pub.othernewname >> authorized_keys

Now you can execute any script as root requiring root privileges on that machine, and as root ssh [EMAIL PROTECTED] without a password and pull any data you need to over without ever permitting a root ssh login. On the non-root machine, you may have to give the specific user access to files needed by adding them to a few groups in /etc/group like wwwrun, mail, etc. and you may need to set the group ownership on the needed files and directories, but this is far better than gift wrapping a root exploit to all the script kiddies that will try forever to root your box over ssh. They only have to succeed once and you are screwed!


And fired.
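
The following is an added example, not code from either poster in this thread. It covers the two practical points above: what the real PermitRootLogin values are and which one an sshd_config actually yields (sshd keeps the first value it sees for a keyword, so a later "fix" is silently ignored), and how to write the authorized_keys entry for the unprivileged account in the "push root's key outward" model so the key is pinned to one source host and one command. The sample config, key text, host names and the /usr/local/bin/pull-data command are constructed placeholders. The reply's `ssh-keygen -t dsa` dates from when DSA keys were still accepted; OpenSSH has refused ssh-dss keys by default since 7.0, so `-t ed25519` is what you would type today, and the restriction options used below work with any key type.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the effective PermitRootLogin
# setting of an sshd_config file and build a restricted authorized_keys entry
# for the non-root machine.  All sample values below are constructed.

# sshd uses the FIRST value it sees for a keyword outside Match blocks and
# ignores later duplicates.  Real values:
#   yes | prohibit-password (older alias: without-password) |
#   forced-commands-only | no
# An unset keyword means the compiled-in default, prohibit-password on
# OpenSSH >= 7.0.  The rarer "Keyword=value" spelling is not handled here.
effective_permit_root_login() {
    # $1 = path to an sshd_config-style file
    awk '
        /^[ \t]*#/ { next }                          # comment line
        tolower($1) == "match" { in_match = 1; next } # rest of file is conditional
        in_match { next }
        tolower($1) == "permitrootlogin" && !found { v = tolower($2); found = 1 }
        END {
            if (!found) v = "prohibit-password"
            if (v == "without-password") v = "prohibit-password"
            print v
        }' "$1"
}

# Plain-language meaning of each value, weakest first.
describe_permit_root_login() {
    case "$1" in
        yes)                  echo "root may log in with a password or a key" ;;
        prohibit-password)    echo "root may log in with a key only, never a password" ;;
        forced-commands-only) echo "root keys are honoured only when the key carries command=" ;;
        no)                   echo "root cannot log in over ssh at all" ;;
        *)                    echo "unrecognised value: $1"; return 1 ;;
    esac
}

# authorized_keys line for the unprivileged account on the non-root machine.
# The key belongs to root on the other host, but here it grants only that
# user, only from one source, only one command, with no forwarding or tty.
restricted_key_line() {
    # $1 = public key text (e.g. contents of id_ed25519.pub)
    # $2 = host or address the connection must come from
    # $3 = the single command this key may run
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding %s\n' \
        "$2" "$3" "$1"
}

demo() {
    cfg=$(mktemp) || return 1
    # constructed sshd_config: the admin "fixed" line 3, but sshd uses line 2
    cat > "$cfg" <<'EOF'
Port 22
PermitRootLogin without-password
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
    v=$(effective_permit_root_login "$cfg")
    echo "effective PermitRootLogin: $v -> $(describe_permit_root_login "$v")"
    rm -f "$cfg"

    # constructed key text, not a real key; hypothetical host and command
    restricted_key_line "ssh-ed25519 AAAAC3EXAMPLEKEY root@rootbox" \
        "rootbox.example" "/usr/local/bin/pull-data"
}
demo
```

Run it as-is to see the first-match surprise, or call `effective_permit_root_login /etc/ssh/sshd_config` on a real host to check what is actually in force before and after a change; `sshd -T | grep -i permitrootlogin` gives the same answer straight from the daemon.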


