[lug] Looking for best way to avoid scripting password
David L. Anselmi
anselmi at anselmi.us
Sat Apr 4 10:55:49 MDT 2009
Chip Atkinson wrote:
> On the remote host, I start an sshd with a different sshd_config that
> allows root logins. This sshd listens on a different port that is not
> open on the firewall.
>
> The only problem is that I need to sudo /usr/sbin/sshd.
Could you have root run that at boot (via an /etc/init.d script) and
just leave it up?
Is it really useful to do something that convoluted in the first place?
If you don't use a password you need a key to ssh in and then root's
key, right? Vs. if you let root log in in the first place you only need
root's key. Both (private) keys are on the same system so a compromise
there is bad whether there is one key or two.
It seems like this is just a bit of indirection, so security through
obscurity. Or maybe I'm not comprehending yet.
I'll have to think about it some more. What risk is the second sshd
intended to mitigate? Does it? Is that risk real? Is there something
(port knocking pops into my head) that mitigates an actual, rather than
perceived, risk?
Sorry, I'm in a bad place to think at the moment.
Dave
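The thread turns on what the second sshd_config actually permits: root login on its own, or root login with a password. The script below is an added example (not code from either poster) that reads an sshd_config and classifies it along those lines. It assumes the config file path is passed as an argument, uses the real OpenSSH keywords `Port`, `PermitRootLogin` and `PasswordAuthentication`, takes the first occurrence of each directive as sshd does, ignores `Match` blocks, and falls back to the OpenSSH defaults of the time (`PermitRootLogin yes`, `PasswordAuthentication yes`). The two sample configs it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: audit the sshd_config of a second,
# root-login sshd instance. Defaults assumed: PermitRootLogin yes,
# PasswordAuthentication yes (OpenSSH defaults of the era).

# Print the first value given for a directive (sshd keeps the first
# occurrence, see sshd_config(5)) or the supplied default. Comment lines
# begin with '#', so their first field never matches a keyword.
# Match blocks are not handled by this simplified reader.
sshd_directive() {
    key=$1; file=$2; default=$3
    val=$(awk -v k="$key" \
        'tolower($1) == tolower(k) && !found { print $2; found = 1 }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Classify how root may log in through this config. Prints one of:
#   no-root         root login disabled
#   key-only-root   root may log in, but only with a key
#   password-root   root may log in with a password (the weak setting)
audit_sshd_config() {
    file=$1
    prl=$(sshd_directive PermitRootLogin "$file" yes | tr '[:upper:]' '[:lower:]')
    pwa=$(sshd_directive PasswordAuthentication "$file" yes | tr '[:upper:]' '[:lower:]')
    case "$prl" in
        no) echo no-root ;;
        without-password|prohibit-password|forced-commands-only) echo key-only-root ;;
        *)  # "yes": whether passwords are accepted decides
            if [ "$pwa" = no ]; then echo key-only-root; else echo password-root; fi ;;
    esac
}

# Write two constructed sample configs into DIR: one that merely moves the
# port, and one that also restricts root to keys and binds to loopback.
write_sample_configs() {
    dir=$1
    cat > "$dir/weak.conf" <<'EOF'
# second sshd on an unfirewalled port, but root + passwords still allowed
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$dir/keyonly.conf" <<'EOF'
Port 2222
ListenAddress 127.0.0.1
PermitRootLogin without-password
PasswordAuthentication no
EOF
}

# Stand-alone run: classify both samples, then clean up.
tmpdir=$(mktemp -d)
write_sample_configs "$tmpdir"
for name in weak keyonly; do
    printf '%s.conf: port %s, %s\n' "$name" \
        "$(sshd_directive Port "$tmpdir/$name.conf" 22)" \
        "$(audit_sshd_config "$tmpdir/$name.conf")"
done
rm -rf "$tmpdir"
```

Run it as `sh audit_sshd.sh`; to check a real file, source the script and call `audit_sshd_config /path/to/sshd_config`. A result of `password-root` is the case the thread worries about: a port the firewall does not expose is still reachable from the host itself and from anything already behind the firewall, so the second instance should be key-only regardless of where it listens.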