[lug] Looking for best way to avoid scripting password

Chip Atkinson chip at pupman.com
Sun Apr 5 07:17:25 MDT 2009


Hi Dave.

My *reasoning* (emphasized to distinguish from an actual reason) is that
it's bad to have an sshd that allows root logins.  However, that sshd
listens on another port that is inaccessible due to iptables rules on the
server itself as well as the firewall in the middle.  

The risk of having an inaccessible sshd that allows root logins seems like
it may be lower than having the password in plain text on another machine.

I installed scponly on the server but was unable to get it working.  The
available documentation was rather sparse and other than a config option I
did not see much about using rsync with it.  

chip

On Sat, 4 Apr 2009, David L. Anselmi wrote:

> Chip Atkinson wrote:
> > On the remote host, I start an sshd with a different sshd_config that
> > allows root logins.  This sshd listens on a different port that is not
> > open on the firewall.
> > 
> > The only problem is that I need to sudo /usr/sbin/sshd.
> 
> Could you have root run that at boot (via an /etc/init.d script) and 
> just leave it up?
> 
> Is it really useful to do something that convoluted in the first place?
> 
> If you don't use a password you need a key to ssh in and then root's 
> key, right?  Vs. if you let root log in in the first place you only need 
> root's key.  Both (private) keys are on the same system so a compromise 
> there is bad whether there are one key or two.
> 
> It seems like this is just a bit of indirection, so security through 
> obscurity.  Or maybe I'm not comprehending yet.
> 
> I'll have to think about it some more.  What risk is the second sshd 
> intended to mitigate?  Does it?  Is that risk real?  Is there something 
> (port knocking pops into my head) that mitigates an actual, rather than 
> perceived, risk?
> 
> Sorry, I'm in a bad place to think at the moment.
> 
> Dave
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> 
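The setup discussed in this thread (a second sshd on a non-default port with its own sshd_config that allows root logins, kept unreachable by iptables on the server itself), as an added example that is not code from Chip's or Dave's posts: a shell script that writes a locked-down config for that second instance, refuses to start it unless the restrictions are actually present, and prints the matching host-firewall rules. The port 2222, the client address 192.0.2.10, the config and pid file paths, and the `check_rsync_sshd_config` helper are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread.  A second sshd that permits root login
# for unattended rsync, restricted to one client address and key-only auth,
# so no password has to live in a script on the other machine.
set -u

BACKUP_HOST="192.0.2.10"                 # constructed: host that runs rsync
PORT=2222                                # constructed: second sshd's port
CFG="${CFG:-/tmp/sshd_config.rsync}"     # assumption: config path for the instance

# Write the constructed config.  Root may log in, but only with a key, only
# from the backup host, and with no forwarding of any kind.
write_rsync_sshd_config() {
    cat > "$1" <<'EOF'
Port 2222
PidFile /var/run/sshd-rsync.pid
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers root@192.0.2.10
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# Return 0 only if every restriction is present (comments ignored); on the
# first missing one, name it on stderr and return 1.  Also refuse a config
# that listens on port 22, since that would be the main sshd, not the second.
check_rsync_sshd_config() {
    cfg="$1"
    for want in \
        'PermitRootLogin[[:space:]]+(without-password|prohibit-password|forced-commands-only)' \
        'PasswordAuthentication[[:space:]]+no' \
        'ChallengeResponseAuthentication[[:space:]]+no' \
        'AllowTcpForwarding[[:space:]]+no' \
        'AllowUsers[[:space:]]+root@'; do
        if ! grep -Eiq "^[[:space:]]*${want}" "$cfg"; then
            echo "missing restriction: $want" >&2
            return 1
        fi
    done
    if grep -Eiq '^[[:space:]]*Port[[:space:]]+22[[:space:]]*$' "$cfg"; then
        echo "refusing: config listens on the default port" >&2
        return 1
    fi
    return 0
}

# Print (not apply) the host-firewall rules that make the port reachable only
# from the backup host; the firewall in the middle is expected to block it too.
rsync_sshd_iptables_rules() {
    echo "iptables -A INPUT -p tcp --dport $PORT -s $BACKUP_HOST -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $PORT -j DROP"
}

# What an /etc/init.d start action would do, as Dave suggests: validate the
# config with sshd's own test mode, then start the instance as root.
start_rsync_sshd() {
    check_rsync_sshd_config "$1" || return 1
    /usr/sbin/sshd -t -f "$1" || return 1
    /usr/sbin/sshd -f "$1"
}

# Stand-alone run: write the config, verify it, show the rules.  Starting the
# daemon is left to the init script so this can be run as an ordinary user.
write_rsync_sshd_config "$CFG"
check_rsync_sshd_config "$CFG" || exit 1
rsync_sshd_iptables_rules
```

The check is the part worth keeping: if someone later edits the second config to turn `PasswordAuthentication` back on or widen `AllowUsers`, the init script refuses to bring the instance up instead of silently exposing a root login that only iptables stands in front of.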