On Thursday, 14 July 2022 17:32:07 CEST Grant Taylor wrote:
> On 7/14/22 3:54 AM, J. Roeleveld wrote:
> > For security reasons, I do not want direct login to root under any
> > circumstances. This is disabled on all systems and will stay this way.
>
> +10 for security
>
> > Currently, to login as root, you need to know:
> > - admin user account name
> > - admin user account password
> > - root user account password
>
> Please describe what an ideal scenario would be from a flow perspective,
> independent of the underlying technology.
What I am looking for is:

1) Lookup credentials from password vault (I can do this in script-form, already doing this in limited form for ansible-scripts, but this doesn't give me an interactive shell)
2) Use admin-account credentials to login via SSH into host
3) On remote host, initiate "su -" to switch to root and provide root-password over SSH link at the right time
4) Give me an interactive root-shell on remote-host

When I close the shell, I expect to be fully logged out (e.g., I go straight back to the local host, not to the admin-account).

> > I do not want to reduce this to a single ssh-key-passphrase.
>
> Please elaborate as I suspect that the reasoning behind that statement
> is quite germane to this larger discussion.

I see plenty of Google results, and also answers, for ssh directly to "root" using ssh-keys. I do not consider this a safe method; I use it for unprivileged accounts (not member of "wheel"). I don't use it for admin-accounts.
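The four-step flow above (vault lookup, SSH as the admin account, "su -" with the root password supplied at the right moment, interactive root shell that ends the whole session on exit) can be driven with an expect script; this is an added example, not code from the thread or from any poster. It assumes a hypothetical wrapper has already performed step 1 and exported the two secrets as ADMIN_PASS and ROOT_PASS, that the admin account's prompt ends in "$ " and root's in "# ", and that the script is invoked as `root-shell.exp <host> <admin-user>`.

```expect
#!/usr/bin/expect -f
# Added example (not from the thread). Assumes the vault lookup (step 1) was
# done by a hypothetical wrapper that exported ADMIN_PASS and ROOT_PASS.
if {$argc != 2} {
    puts stderr "usage: root-shell.exp <host> <admin-user>"
    exit 2
}
set host       [lindex $argv 0]
set admin_user [lindex $argv 1]
set admin_pass $env(ADMIN_PASS)
set root_pass  $env(ROOT_PASS)
# Do not leave the secrets in the environment of the spawned ssh process.
unset env(ADMIN_PASS)
unset env(ROOT_PASS)
set timeout 20

# Step 2: SSH in as the admin account, answering exactly one password prompt.
spawn ssh -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password \
    $admin_user@$host
expect {
    -re {[Pp]assword: ?$} { send -- "$admin_pass\r" }
    timeout { puts stderr "no SSH password prompt"; exit 1 }
    eof     { puts stderr "SSH connection closed"; exit 1 }
}
# Wait for the admin account's (non-root) shell prompt.
expect {
    -re {\$ $} {}
    timeout { puts stderr "no admin shell prompt (wrong admin password?)"; exit 1 }
    eof     { puts stderr "SSH connection closed"; exit 1 }
}

# Step 3: replace the admin shell with "su -" via exec, so that when the root
# shell exits no admin shell is left behind and the SSH session ends
# (the "straight back to the local host" requirement).
send -- "exec su -\r"
expect {
    -re {[Pp]assword: ?$} { send -- "$root_pass\r" }
    timeout { puts stderr "no su password prompt"; exit 1 }
    eof     { puts stderr "session closed before su prompt"; exit 1 }
}
expect {
    -re {# $} {}
    timeout { puts stderr "no root prompt (wrong root password?)"; exit 1 }
    eof     { puts stderr "session closed (su failed?)"; exit 1 }
}

# Step 4: hand the root shell to the user; returns when ssh closes.
interact
```

Because the admin shell is replaced with exec, typing exit in the root shell closes the SSH connection directly rather than dropping back into the admin account.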

