Disabling ssh as root on Linux boxes and the challenges of writing scripts

beaconfield asked:

It’s a common suggestion from security-minded people to disable ssh as root on Linux boxes. My question is this:

Let’s say you normally write lots of scripts which ssh to a large number of Linux boxes and perform various root-level tasks. If you disable ssh as root, how do you go about your daily maintenance that requires root privileges?

Of course, sudo is an option, but then you have to type your password each time you run a command. What if your scripts perform a variety of tasks? What if you have to run that script against a large number of hosts?

Of course, you could set the NOPASSWD parameter, but isn’t that a security risk?

Just musing here. Want to get the community’s feedback. I’m looking for a relatively secure way to ssh to Linux boxes and perform root-level tasks.

My answer:

There are many things you can do. This is a partial list:

  • If the script really must run periodically, put it in crontab, and stop running it manually.

  • Use a system such as MCollective (related to, but not quite exactly part of Puppet) to run commands remotely on large numbers of machines at once.

  • Use ssh keys to permit root logins from specific users. This carries an audit risk, in that the person who logged in may not be logged, so it’s really only appropriate for very small installations.

  • In /etc/sudoers specify only the specific scripts that can be run without a password; anything else would require a password.

View the full question and answer on Server Fault.
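
The last option in the answer, limiting NOPASSWD to specific scripts, only holds up if each entry names one fixed script that the calling user cannot modify. The shell script below is an added example, not part of the original answer: it lints a sudoers drop-in for NOPASSWD entries broader than that and checks a script's ownership and mode. The `deploy` user, the paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). The "deploy" user and all
# paths are constructed placeholders.

# audit_nopasswd FILE
# Print a finding for each NOPASSWD command that is broader than one specific
# script. Assumes one rule per line with NOPASSWD as its only tag; Cmnd_Alias
# names are reported as non-absolute so that they get reviewed by hand.
audit_nopasswd() {
    awk '
    /^[ \t]*#/ || !/NOPASSWD:/ { next }
    {
        cmds = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmds)
        sub(/[ \t]+$/, "", cmds)
        n = split(cmds, list, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = list[i]
            if (c == "ALL")      { print "line " NR ": NOPASSWD on ALL"; bad = 1 }
            else if (c !~ /^\//) { print "line " NR ": not an absolute path: " c; bad = 1 }
            else if (c ~ /[*?]/) { print "line " NR ": wildcard: " c; bad = 1 }
        }
    }
    END { exit bad + 0 }' "$1"
}

# script_is_locked_down PATH [OWNER]
# Succeeds only if PATH is a regular file owned by OWNER (default root) and
# not writable by group or others; otherwise the sudo user could edit it.
script_is_locked_down() {
    [ -n "$(find "$1" -prune -type f -user "${2:-root}" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Constructed sample drop-in, as it might appear under /etc/sudoers.d/.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# maintenance scripts for the deploy account
deploy ALL=(root) NOPASSWD: /usr/local/sbin/rotate-logs.sh
deploy ALL=(root) NOPASSWD: /usr/local/sbin/*.sh, backup.sh
deploy ALL=(ALL) NOPASSWD: ALL
EOF
audit_nopasswd "$sample" || echo "review the lines above before installing"
rm -f "$sample"
```

Run `visudo -cf` on the drop-in as well to confirm its syntax before installing it.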

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.