Peter Abrahamsen wrote:
> On 10/12/06, Kalin KOZHUHAROV <[EMAIL PROTECTED]> wrote:
>> How do you permit key-only for non-root users??
>
> PasswordAuthentication no
> ChallengeResponseAuthentication no
>
> it's in the inline docs in sshd_config.
>
Oookey! Now I saw it.
I was trying a few times to disable that but for some reason or another
I failed, so I concluded that this is an option only for the root
login... and for the last 3 years I didn't even bother looking into it.
I generally use several approaches:
1. `ssh [EMAIL PROTECTED]`
Mostly used when I run a command on a few servers, like:
for s in $SERVERS; do ssh $s "gensync pkalin &"; done
2. `ssh [EMAIL PROTECTED]`, then `su -`
Mostly for specific administrative tasks or researching things like
logs, etc.
3. `ssh [EMAIL PROTECTED]`, then `sudo command`
Mostly for single commands, specific for a server interspersed with
many user-possible commands; most common commands are set with
NOPASSWD, like:
user ALL = NOPASSWD: /bin/dmesg -c
So it all depends on the case.
#1 is most insecure as it all relies on keeping your private key secret
#3 is most appropriate as long as accounting is concerned (you can see
who did what in the logs); it also sandboxes you in a way by allowing
only certain things
You can play with setting expiry time on the sudo (see
timestamp_timeout), using keychain to remember password-protected
private keys, etc. to fine-tune your options.
Just my 2 yen,
Kalin.
--
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
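
An added example, not part of the thread or written by either poster: a small check that the two sshd_config settings quoted above really are in effect. It goes beyond the thread by also flagging `Match` blocks that turn passwords back on; the function name `audit` and both sample configs are constructed for illustration.

```python
import re

# The two keywords from the thread; sshd treats both as "yes" when unset.
KEYS = ("passwordauthentication", "challengeresponseauthentication")

def audit(config_text):
    """Return a list of findings; an empty list means key-only is enforced."""
    seen = {}        # (section, keyword) -> first value read
    section = None   # None = global part, otherwise the Match criteria
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' starts a comment
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            section = value
        elif keyword in KEYS:
            # sshd keeps the first value it reads for a keyword
            seen.setdefault((section, keyword), value.lower())
    findings = []
    for key in KEYS:
        if seen.get((None, key), "yes") != "no":
            findings.append(f"global: {key} is not 'no'")
    for (sec, key), val in seen.items():
        if sec is not None and val != "no":
            findings.append(f"Match {sec}: {key} re-enabled")
    return findings

# Constructed sample configs (not taken from the thread)
HARDENED = """\
# key-only logins
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
SHADOWED = """\
PasswordAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("HARDENED", HARDENED), ("SHADOWED", SHADOWED)):
        print(name, audit(text) or "key-only enforced")
```

On a live host, `sshd -T` prints the effective global values and is the authoritative answer; the parser above is for reviewing a config file offline.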