# SSH and root and key



## none (Oct 11, 2013)

Hail,

I am trying to make my FreeBSD 9.2-RELEASE to allow SSH from root, but only if using a public key. I saw this http://forums.freebsd.org/showthread.php?t=30011, but this case is about just a key and no more.

When I put

```
PermitRootLogin yes
PermitRootLogin without-password
```
and this way I can log in as root both using a key and a password.

Is there a way to overcome this?

Thanks,

none


----------



## johnblue (Oct 12, 2013)

Someone is bound to come along and grouse about the wisdom of it all, but I believe everyone has the right to choose for themselves.



Given that it is extremely trivial to `su` up, I am only curious as to why you want to enable the password option.


----------



## CoTones (Oct 12, 2013)

Sure - you put two options and get two possibilities. Leave only one enabled.

Good luck,

someone


----------



## ShelLuser (Oct 12, 2013)

Allowing root to directly log into your system, even though it is shielded by a public key, is a very bad idea. Especially since it's quite trivial to become root using one single extra command.

Alas; my suggestion is to look at /etc/ssh/sshd_config near the end. You can set certain options on a per user, group, host or address basis.

I'd limit the option to log on as root (PermitRootLogin) to only a few specific addresses in order to limit the risk. Then you could consider setting up a match block for root which denies passwords (PasswordAuthentication) and allows a public key (PubkeyAuthentication).


----------



## storvi_net (Oct 12, 2013)

I think this discussion will never end. There are serveral arguments for both sides 

If I have to work as root, I log in directly into the machine.
If I have to work as application admin, I log in direcly as such a user.
No need for switching contexts by using SUID-bit-binaries. But this is just one side. 

Regards
Markus


----------



## none (Oct 12, 2013)

Hi all,

Thanks for the answers.

I need to access this box from another, using rsync for backup. So, I need root access on it, and doing `su` will require the password to be typed. I will look again at the sshd_config file.

Thanks,

none


----------



## mix_room (Oct 12, 2013)

While not necessarily recommended, I have done something similiar. 

Try to 'match' block. I can't quite remember what I did, but something along the following lines

```
Match $HOSTNAME 
 permit root
 require $KEYFILE
```


----------



## Whattteva (Oct 12, 2013)

none said:
			
		

> Hi all,
> 
> thanks for the answers.
> 
> ...


You can use sudo and allownopasswd for users in the wheel group in the config file.


----------



## none (Oct 13, 2013)

mix_room said:
			
		

> While not necessarily recommended, I have done something similiar.
> 
> Try to 'match' block. I can't quite remember what I did, but something along the following lines
> 
> ...



Mix, this looks like a great way to solve it. Thanks for the hint and I will research this.



			
				Erratus said:
			
		

> So what is exactly the problem for you? Are you too lazy for typing the password or is it a security problem that you have to type it? Note that you type it actually on your local terminal, not on the remote one.
> 
> In ssh() you find
> 
> ...



Lazy? Thanks for your input, but if [who? -- mod.] want to say those kind of things I think you better not. Not polite at all.



			
				Whattteva said:
			
		

> You can use `sudo` and allow`nopasswd` for users in the wheel group in the config file.



I imagine I may have to do it.

I must have no password asked as this will run after midnight every day as backup, I wont be there to type anything. It's a script.

Thanks for all,

none


----------



## none (Oct 13, 2013)

Hail,

A quick reply with the answer to the issue.

My mistake was using both:

```
PermitRootLogin yes
PermitRootLogin without-password
```
lines. Just the second line will solve it. Thanks for all.

none


----------



## phoenix (Oct 18, 2013)

none said:
			
		

> I need to access this box from another, using rsync for backup. So, I need root access on it, and doing su will require the password to be typed. I will look again on the sshd_config file.



No, actually, you don't.    We use rsync for backups.  We do not allow root logins over the network.  Everything works fine.

How?  By creating a separate user account for the backups, creating a separate key for that user, and only allowing SSH logins via key for that user (lock the password for that user on the remote system).  And, then using sudo to allow that one user to run rsync without a password.  Finally, we add --rsync-path="sudo rsync" to the rsync command.

Voila!  We have a single user who can run a single command as root without requiring root's (or any) password, able to connect via SSH using a private key that has no passphrase attached.

And everything is nicely scriptable.

Let me know if you need more info on how we do it (although a search for rsbackup on the forum gives all the details).


----------



## patpro (Oct 19, 2013)

@phoenix's solution is probably the best. But you could try something absolutely different: using ACLs to give your unprivileged backup user full read access to your data. Not so easy if you don't know how to use ACLs, unfortunately.


----------



## storvi_net (Oct 19, 2013)

phoenix said:
			
		

> No, actually, you don't.    We use rsync for backups.  We do not allow root logins over the network.  Everything works fine.
> 
> How?  By creating a separate user account for the backups, creating a separate key for that user, and only allowing SSH logins via key for that user (lock the password for that user on the remote system).  And, then using sudo to allow that one user to run rsync without a password.  Finally, we add *--rsync-path="sudo rsync"* to the rsync command.
> 
> ...



You could go a little bit further and just allow the backup-command for this key by applying a command="backup-command" in the authorized_keys-file of the user.

Regards
Markus


----------



## phoenix (Oct 22, 2013)

Hrm, that's interesting.  I haven't played with a lot of the advanced features in OpenSSH.  May have to give this one a try as well.


----------



## Oko (Oct 23, 2013)

storvi_net said:
			
		

> You could go a little bit further and just allow the backup-command for this key by applying a command="backup-command" in the authorized_keys-file of the user.
> 
> Regards
> Markus



And you could do even further and execute rsync without tty and only from the specific IP address and bunch of other options :e

`from="trusted.ip.address",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`


----------



## throAU (Oct 23, 2013)

Disable password auth for all users, give root a public/private keypair, job done.


----------

