On 7/15/22 1:07 AM, J. Roeleveld wrote:
> What I am looking for is:
> 1) Lookup credentials from password vault (I can do this in script-form, already doing this in limited form for ansible-scripts, but this doesn't give me an interactive shell)

ACK You indicated you already had a solution for this. So I'm leaving it in your capable hands.

> 2) Use admin-account credentials to login via SSH into host

When you say "admin-account", do you mean the given System Administrator's personal account or a common / shared administrative account? E.g. would I log in as myself; "gtaylor", or something shared "helpdeskadmin"?

I'm assuming the former unless corrected.

Do you want the user to be prompted for the Unix account password (on the remote system) or can they use SSH keys to login without a password prompt?

> 3) On remote host, initiate "su -" to switch to root and provide root-password over SSH link at the right time

I would suggest having the SSH command invoke the "su -" command automatically.

Note: You will probably want to run a command something like this to make sure that a TTY is allocated for proper interaction with su.

        ssh -t <remote_user>@<remote_host> "/path/to/su -"

> 4) Give me an interactive root-shell on remote-host

Okay. Not what I would have expected, but it's your system and you do you. :-)

> When I close the shell, I expect to be fully logged out (eg, I go straight back to the local host, not to the admin-account)

The nice thing about having SSH invoke the "su -" command directly is that once you exit su, you also end up exiting the SSH session.

> I see plenty of google-results, and also answers, for ssh directly to "root" using ssh-keys. I do not consider this a safe method; I use it for unprivileged accounts (not member of "wheel"). I don't use it for admin-accounts.

Thank you for the elaboration. I tend to agree with your stance. I have exceedingly few things that can SSH into systems as the root user, and they all have forced commands. They all have to do with the backup system which can't use sudo /or/ I want the ability to get in and restore a sudoers file if it gets messed up, thus avoiding the chicken / egg problem.

Following the same security mentality, I prefer to specify the full path to executables, when possible, in order to make sure that someone doesn't put a Trojanized version earlier in the path. }:-)



--
Grant. . . .
unix || die
