Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread Grant Taylor
On 7/18/22 3:28 AM, J. Roeleveld wrote: Either on the client where the agent is running, but also on the system I connected to. I have always considered that there is enough sensitive data on the client and that there are already enough things running there that I end up considering the

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread Grant Taylor
On 7/18/22 12:23 AM, J. Roeleveld wrote: I've been using ansible for some of my automation scripts and am happy with the way that works. The existing implementations for "adding users" and such are tested plenty by others and do actually check if the user exists before trying to add one.

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread J. Roeleveld
On Monday, 18 July 2022 08:03:44 CEST Grant Taylor wrote: > On 7/17/22 11:48 PM, J. Roeleveld wrote: > > It could, but that would open up an unsecured key to interception if > > an intermediate host is compromised. > > What are you thinking? -- I've got a few ideas, but rather than >

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread J. Roeleveld
On Friday, 15 July 2022 18:39:25 CEST Grant Taylor wrote: > On 7/14/22 3:22 PM, Steve Wilson wrote: > > Have you looked at dev-tcltk/expect? > > Expect has its place. > > Just be EXTREMELY careful when using it for anything security related. I agree > Always check for what is expected before

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-18 Thread Grant Taylor
On 7/17/22 11:48 PM, J. Roeleveld wrote: It could, but that would open up an unsecured key to interception if an intermediate host is compromised. What are you thinking? -- I've got a few ideas, but rather than speculating, I'll just ask. See previous answer, the agent, as far as I know,

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread Grant Taylor
On 7/17/22 11:24 PM, J. Roeleveld wrote: If I have 1 desktop and 1 laptop, that means 2 client machines. Add 5 servers/vms. /Clients/ need (non-host) key pairs. Servers shouldn't need non-host key pairs. Servers should only need the clients' public keys on them. That means 10 ssh-keys

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread J. Roeleveld
On Sunday, 17 July 2022 21:15:05 CEST Grant Taylor wrote: > On 7/15/22 11:46 PM, J. Roeleveld wrote: > > Hmm... interesting. I will look into this. > : > :-) > : > > But, it needs the agent to be running, which will make it tricky for > > automation. > > Why can't automation start an agent? It

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread J. Roeleveld
On Sunday, 17 July 2022 21:10:52 CEST Grant Taylor wrote: > On 7/15/22 11:42 PM, J. Roeleveld wrote: > > True, properly done automation is necessary to make our lives easier. > > #truth > > > I tried this approach in the past and some levels of automation still > > use this, but for being able

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread Grant Taylor
On 7/15/22 11:46 PM, J. Roeleveld wrote: Hmm... interesting. I will look into this. :-) But, it needs the agent to be running, which will make it tricky for automation. Why can't automation start an agent? Why can't there be an agent running that automation has access to? (I have some

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread Grant Taylor
On 7/15/22 11:42 PM, J. Roeleveld wrote: True, properly done automation is necessary to make our lives easier. #truth I tried this approach in the past and some levels of automation still use this, but for being able to login myself, I found having different keys become cumbersome and I

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread J. Roeleveld
On Friday, 15 July 2022 14:44:10 CEST Neil Bothwick wrote: > On Fri, 15 Jul 2022 09:53:44 +0200, J. Roeleveld wrote: > > > There's no reason you cannot change SSH keys as regularly, and good > > > reasons why you should. It's just that people don't bother to do it. > > > > I agree, but that is a

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread J. Roeleveld
On Friday, 15 July 2022 18:32:52 CEST Grant Taylor wrote: > On 7/15/22 1:53 AM, J. Roeleveld wrote: > > I agree, but that is a tedious process. > > Yes, it can be. That's where some automation comes into play. True, properly done automation is necessary to make our lives easier. > > I have

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-17 Thread J. Roeleveld
On Friday, 15 July 2022 18:15:04 CEST Grant Taylor wrote: > On 7/15/22 1:15 AM, J. Roeleveld wrote: > > Yes. > > Okay. > > That simply means that SSH keys won't be used to authenticate to the > remote system. > > > How would it not prompt for a password. > > There is a PAM module;

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-16 Thread Neil Bothwick
On Fri, 15 Jul 2022 22:33:49 -0600, Grant Taylor wrote: > > I've never used it before, mainly because I wasn't aware of its > > existence until I re-read the ssh-keygen man page, but it seems to > > be simple timestamps passed to valid-before/valid-after. > > I'm not sure that's applicable

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Grant Taylor
On 7/15/22 4:11 PM, Neil Bothwick wrote: I've never used it before, mainly because I wasn't aware of its existence until I re-read the ssh-keygen man page, but it seems to be simple timestamps passed to valid-before/valid-after. I'm not sure that's applicable to /keys/ versus /certificates/.

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Neil Bothwick
On Fri, 15 Jul 2022 13:33:45 -0600, Grant Taylor wrote: > > I'll check that out, but it is also possible to set time limits on SSH > > keys, and limit them to specific commands. > > Please elaborate on the time limit capability of SSH /keys/. I wasn't > aware of that. > > Is it hours of the

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Grant Taylor
On 7/15/22 1:12 PM, Neil Bothwick wrote: I'll check that out, but it is also possible to set time limits on SSH keys, and limit them to specific commands. Please elaborate on the time limit capability of SSH /keys/. I wasn't aware of that. Is it hours of the day / days of the week they can

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Neil Bothwick
On Fri, 15 Jul 2022 10:35:41 -0600, Grant Taylor wrote: > > However, I will look at scripting regular replacements for SSH keys, > > for my own peace of mind. > /me loudly says "SSH /certificates/" from the top atop a pile of old > servers in the server room. I'll check that out, but it is

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Grant Taylor
On 7/14/22 3:22 PM, Steve Wilson wrote: Have you looked at dev-tcltk/expect? Expect has its place. Just be EXTREMELY careful when using it for anything security related. Always check for what is expected before sending data. Don't assume that something comes next and blindly send it

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Grant Taylor
On 7/15/22 6:44 AM, Neil Bothwick wrote: I don't share keys, each desktop/laptop has its own keys. Not if they use their own keys. It should be simple to script generating a new key, then SSHing to a list of machines and replacing the old key with the new one in authorized_keys. +1

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Grant Taylor
On 7/15/22 1:53 AM, J. Roeleveld wrote: I agree, but that is a tedious process. Yes, it can be. That's where some automation comes into play. I have multiple machines I use as desktop depending on where I am. And either I need to securely share the private keys between them or set up

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Grant Taylor
On 7/15/22 1:15 AM, J. Roeleveld wrote: Yes. Okay. That simply means that SSH keys won't be used to authenticate to the remote system. How would it not prompt for a password. There is a PAM module; pam_ssh_agent_auth, which can be used to enable users to authenticate to sudo using SSH

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Grant Taylor
On 7/15/22 1:07 AM, J. Roeleveld wrote: What I am looking for is: 1) Lookup credentials from password vault (I can do this in script-form, already doing this in limited form for ansible-scripts, but this doesn't give me an interactive shell) ACK You indicated you already had a solution for

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Neil Bothwick
On Fri, 15 Jul 2022 09:53:44 +0200, J. Roeleveld wrote: > > There's no reason you cannot change SSH keys as regularly, and good > > reasons why you should. It's just that people don't bother to do it. > > I agree, but that is a tedious process. > > I have multiple machines I use as desktop

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread J. Roeleveld
On Friday, 15 July 2022 10:13:12 CEST J. Roeleveld wrote: > On Thursday, 14 July 2022 23:22:46 CEST Steve Wilson wrote: > > On 14/07/2022 07:35, J. Roeleveld wrote: > > > Hi All, > > > > > > I am looking for a way to login to a host and automatically change to > > > root > > > using a password

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread J. Roeleveld
On Thursday, 14 July 2022 23:22:46 CEST Steve Wilson wrote: > On 14/07/2022 07:35, J. Roeleveld wrote: > > Hi All, > > > > I am looking for a way to login to a host and automatically change to root > > using a password provided by an external program. > > > > The root passwords are stored in a

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread J. Roeleveld
On Friday, 15 July 2022 09:29:14 CEST Neil Bothwick wrote: > On Fri, 15 Jul 2022 09:15:02 +0200, J. Roeleveld wrote: > > I prefer not to use SSH keys for this as they tend to exist for years > > in my experience. And one unnoticed leak can open up a lot of systems. > > This is why I use passwords.

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread Neil Bothwick
On Fri, 15 Jul 2022 09:15:02 +0200, J. Roeleveld wrote: > I prefer not to use SSH keys for this as they tend to exist for years > in my experience. And one unnoticed leak can open up a lot of systems. > This is why I use passwords. (passwords are long random strings that > are changed regularly)

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread J. Roeleveld
On Thursday, 14 July 2022 17:30:28 CEST Grant Taylor wrote: > On 7/14/22 12:35 AM, J. Roeleveld wrote: > > Hi All, > > Hi, > > > I am looking for a way to login to a host and automatically change > > to root using a password provided by an external program. > > Please clarify if you want to

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-15 Thread J. Roeleveld
On Thursday, 14 July 2022 17:32:07 CEST Grant Taylor wrote: > On 7/14/22 3:54 AM, J. Roeleveld wrote: > > For security reasons, I do not want direct login to root under any > > circumstances. This is disabled on all systems and will stay this way. > > +10 for security > > > Currently, to login

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Grant Taylor
On 7/14/22 1:08 PM, Neil Bothwick wrote: I was accepting your point, one I hadn't considered. Ah. Okay. :-/ Here I was hoping to learn something new from you. ;-) Still a good discussion none the less. :-) -- Grant. . . . unix || die

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Steve Wilson
Have you looked at dev-tcltk/expect? There's possibly an example you could try at although you probably want to prompt for the password or retrieve it programmatically rather than putting it on the command line :o Steve.

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Neil Bothwick
On Thu, 14 Jul 2022 11:01:29 -0600, Grant Taylor wrote: > > Well, almost true. > > Please elaborate. I was accepting your point, one I hadn't considered. -- Neil Bothwick .<-Stealth Tagline

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Grant Taylor
On 7/14/22 9:56 AM, Neil Bothwick wrote: That is true, but it is also true about the current setup as that also gives root access. I get the impression that Joost is looking for a more convenient approach that does not reduce security, which is true here... I'm all for being /more/ secure,

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Neil Bothwick
On Thu, 14 Jul 2022 09:37:45 -0600, Grant Taylor wrote: > > Is this user only used as a gateway to root access, or can you set > > up such a user? If so you could use key-based authentication for > > that user, with a passphrase, and add command="/bin/su --login" > > to the authorized_keys

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Grant Taylor
On 7/14/22 8:48 AM, Neil Bothwick wrote: Is this user only used as a gateway to root access, or can you set up such a user? If so you could use key-based authentication for that user, with a passphrase, and add command="/bin/su --login" to the authorized_keys line. That way you still need

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Grant Taylor
On 7/14/22 3:54 AM, J. Roeleveld wrote: For security reasons, I do not want direct login to root under any circumstances. This is disabled on all systems and will stay this way. +10 for security Currently, to login as root, you need to know: - admin user account name - admin user account

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Grant Taylor
On 7/14/22 12:35 AM, J. Roeleveld wrote: Hi All, Hi, I am looking for a way to login to a host and automatically change to root using a password provided by an external program. Please clarify if you want to /require/ a password? I can think of some options that would authenticate, thus

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Francisco Ares
On Thu, 14 Jul 2022 at 11:48, Neil Bothwick wrote: > On Thu, 14 Jul 2022 11:54:46 +0200, J. Roeleveld wrote: > > > For security reasons, I do not want direct login to root under any > > circumstances. This is disabled on all systems and will stay this way. > > > > Currently, to login as

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Neil Bothwick
On Thu, 14 Jul 2022 11:54:46 +0200, J. Roeleveld wrote: > For security reasons, I do not want direct login to root under any > circumstances. This is disabled on all systems and will stay this way. > > Currently, to login as root, you need to know: > - admin user account name > - admin user

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread J. Roeleveld
On Thursday, 14 July 2022 10:04:21 CEST Mickaël Bucas wrote: > On Thu, 14 Jul 2022 at 08:35, J. Roeleveld wrote: > > Hi All, > > > > I am looking for a way to login to a host and automatically change to root > > using a password provided by an external program. > > > > The root passwords

Re: [gentoo-user] Any way to automate login to host and su to root?

2022-07-14 Thread Mickaël Bucas
On Thu, 14 Jul 2022 at 08:35, J. Roeleveld wrote: > > Hi All, > > I am looking for a way to login to a host and automatically change to root > using a password provided by an external program. > > The root passwords are stored in a vault and I can get passwords out using a > script after