[TriLUG] Remote Execution using remctl

John Vaughters via TriLUG trilug at trilug.org
Wed Sep 2 11:54:59 EDT 2015


Ron,



Here is one article that could help. Most people will recommend that you disable root access on SSH. While that is certainly not a bad idea, it is not the real security gain that most would think. The absolute best way to secure SSH is to allow key-only access. This is the greatest security gain you will ever get on SSH. Now key management is certainly a task, but not too bad really. Most will almost certainly tell you absolutely never create a root passwordless key. Well, I definitely would discourage it unless absolutely needed and in most cases you can set permissions for another user for just about any task. However, I have run into the case where I needed a passwordless key for root and I cannot remember why, but nothing else I did was working. You can do it securely by limiting the key's operation. A single command, a set of commands, no pty, limiting hosts/ip, etc. Read the article for more information. BTW he disables root access. In any case, most likely you should be able to give permissions to some other user for your tasks, but do not think that root access HAS to be disabled. The KEY is the KEYS to security.
As an example, let's say someone disables root access, but allows passwords. Brute force on a user is still available and then brute force on the su command is still available as well. With a key you can have a very long pass phrase. Example: "A secure key is a key that has a very long pass phrase like this one" Trying to brute force a pass phrase this long is not very easy. I hesitate to say impossible, but just know that once a cracker sees key only, he is moving on to other easier methods to get in. Once you have key only authentication, you can create as many keys as you want that have very specific functions limited to host/ip, key, commands/sub-systems. If in fact you determine you truly need a root passwordless key, you must restrict that key to the most minimum of access which is possible.
One of the reasons you will get the NEVER use root passwordless keys so often on the internet, is because most people do not want to publicly encourage people that do not understand HOW to properly configure this situation.
I would encourage you to consider not allowing root access and finding a way to accomplish your tasks, but know that if you get stuck that you have this option.
Have fun,
John  Vaughters 

Unixlore.net - Linux and Unix Commandline tips, hacks and howtos
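
The key restrictions described in the message above (a set of commands, no pty, limited source host), shown as an added example that is not part of the original post or the linked article. The wrapper path /usr/local/sbin/ssh-allow, the address 192.0.2.10, the key material and the request names disk-usage and uptime are all placeholders chosen for illustration.

```shell
#!/bin/sh
# Constructed example: forced-command wrapper for a restricted root key.
#
# Assumed authorized_keys entry for root, all on one line (the address,
# wrapper path, key material and comment are placeholders):
#   from="192.0.2.10",command="/usr/local/sbin/ssh-allow",no-pty,
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding
#   ssh-ed25519 AAAA...PLACEHOLDER backup@mgmt
#
# Assumed sshd_config settings for key-only access with root limited to
# forced commands:
#   PasswordAuthentication no
#   PermitRootLogin forced-commands-only

# resolve_command REQUEST
# Prints the fixed command line for an allowlisted request and returns 0.
# Returns 1 for anything else. The client's string is only compared against
# literals; it is never passed to a shell or eval.
resolve_command() {
    case "$1" in
        disk-usage) echo "df -h" ;;
        uptime)     echo "uptime" ;;
        *)          return 1 ;;
    esac
}

# sshd sets SSH_ORIGINAL_COMMAND to whatever the client asked to run.
# If it is unset (the client asked for a login shell), the script simply
# ends, so the key never yields an interactive session.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    if cmd=$(resolve_command "$SSH_ORIGINAL_COMMAND"); then
        # Word splitting here applies only to our own fixed string.
        # shellcheck disable=SC2086
        set -- $cmd
        exec "$@"
    fi
    echo "ssh-allow: request not permitted" >&2
    exit 1
fi
```

With this in place, a client holding the key runs "ssh root@server disk-usage" and gets the output of df -h; any other request string is refused.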





   

