SUMMARY: Using SSH as drop-in replacement for r* services

From: Ryan A. Krenzischek <krenzischek_at_Encompasserve.org>
Date: Mon Sep 08 2003 - 10:47:28 EDT
All,

I got lots of good feedback.  Thanks to all who have responded.  I have
included the responses that best matched what I was trying to do.

Pros: Encrypted, PKI
      Control of which command can get executed
      9.5/10 SA's recommend it!  ;-)

Cons: Root logins via ssh are difficult to track/audit

Alternates: Use RBAC (Only in Solaris 9)

The overall recommendations were to go with allowing root login as a
drop-in replacement.

sudo was also recommended as an option.  Since these are automated scripts
for disaster recovery and *need* to run as root, sudo would reduce the
overall security.  Yes, they do run everyday; no, we do not have disasters
everyday. Before you can enter any commands with sudo, you must enter a
password.  Unfortunately, this means having a file on the system with a
password in clear text.  You might as well stick your root password in
this file named "README.getroothere".

I also learned that you can use PKI locally.  Meaning that if user johna
needs to do something as user johnb, you can: "ssh johnb@localhost
command" as johna using PKI.

You also want to protect your keys!!!!  But of course you knew that
already.  Certain people recommend making your home directory perms 700
but that may break things especially if you have a "www" or "public_html"
directory if you are hosting webpages.  But if you still insist, go ahead
and make root's home directory perms 700 for tons of wholesome fun.  Hands
down that 700 is secure but if that doesn't work for you, make your .ssh
directory perms 700 instead.

You do not need to be root to do ufsdumps of your filesystems.  If you
give group perms to a particular user, a dump can be performed from a user
other than root.

Thanks again for all the responses!


Ryan

-----Original Message-----
From: Ryan A. Krenzischek
Sent: Thursday, September 04, 2003 11:33 AM
To: sunmanagers@sunmanagers.org
Subject: Using SSH as drop-in replacement for r* services


All,

I'm looking for some feedback for individuals who have been tasked by
their company to move away from using r* services (rsh, rlogin, and
rexec).  It seems that SSH is the best fit for a drop-in replacement as
we already use it on a daily basis on our Solaris boxen.

However, some of our disastery-recover scripts that get run on a
daily-basis and they require root.  We currently have root logins via ssh
disabled.  Are there any reasons why we should not allow root logins via
ssh using PKI?  Are there any issues that arise when migrating from r*
services to SSH on Solaris?

Thanks.

Ryan
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Mon Sep 8 10:51:30 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:19 EST