On 7/15/22 1:07 AM, J. Roeleveld wrote:
> What I am looking for is:
> 1) Lookup credentials from password vault (I can do this in
> script-form, already doing this in limited form for ansible-scripts,
> but this doesn't give me an interactive shell)
ACK. You indicated you already had a solution for this. So I'm leaving
it in your capable hands.
> 2) Use admin-account credentials to login via SSH into host
When you say "admin-account", do you mean the given System
Administrator's personal account or a common / shared administrative
account? E.g. would I log in as myself, "gtaylor", or as something shared,
"helpdeskadmin"?
I'm assuming the former unless corrected.
Do you want the user to be prompted for the Unix account password (on
the remote system) or can they use SSH keys to login without a password
prompt?
> 3) On remote host, initiate "su -" to switch to root and provide
> root-password over SSH link at the right time
I would suggest having the SSH command invoke the "su -" command
automatically.
Note: You will probably want to run a command something like this to
make sure that a TTY is allocated for proper interaction with su.
ssh -t <remote_user>@<remote_host> "/path/to/su -"
> 4) Give me an interactive root-shell on remote-host
Okay. Not what I would have expected, but it's your system and you do
you. :-)
> When I close the shell, I expect to be fully logged out (e.g., I go
> straight back to the local host, not to the admin-account)
The nice thing about having SSH invoke the "su -" command directly is
that once you exit su, you also end up exiting the SSH session.
> I see plenty of google-results and also as answers for ssh directly to
> "root" using ssh-keys. I do not consider this a safe method, I use
> it for unprivileged accounts (not member of "wheel"). I don't use
> it for admin-accounts.
Thank you for the elaboration. I tend to agree with your stance. I
have exceedingly few things that can SSH into systems as the root user,
and they all have forced commands. They all have to do with the backup
system which can't use sudo /or/ I want the ability to get in and
restore a sudoers file if it gets messed up, thus avoiding the chicken /
egg problem.
Following the same security mentality, I prefer to specify the full path
to executables, when possible, in order to make sure that someone
doesn't put a Trojanized version earlier in the path. }:-)
--
Grant. . . .
unix || die
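The two pieces of advice in Grant's reply, forcing a TTY and a full path on the "su -" hop and keeping any root-capable key pinned to a forced command, are easy to get wrong by hand. The shell snippet below is an added example, not code from either participant in this thread. It composes the ssh invocation Grant describes, builds an authorized_keys entry with a forced command and the usual forwarding/PTY restrictions (all real OpenSSH option names), and audits a key file for root keys that lack any forced command. The user, host, command path and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. All names and keys below are constructed.

# Compose the hop described above: -t forces a TTY so su can prompt for
# the root password, and su is named by absolute path so a Trojanized
# "su" earlier in PATH is never picked up. Exiting su ends the session.
ssh_su_cmd() {
    user="$1"; host="$2"; su_path="${3:-/bin/su}"   # /bin/su is an assumed default
    printf 'ssh -t %s@%s "%s -"\n' "$user" "$host" "$su_path"
}

# Build an authorized_keys entry that pins a root-capable key to exactly
# one command and disables port/X11/agent forwarding and PTY allocation.
forced_key_line() {
    cmd="$1"; key="$2"
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$cmd" "$key"
}

# Audit: read an authorized_keys file on stdin and count entries that
# carry a key but no command= option. Blank lines and comments are ignored.
count_unrestricted_keys() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            *'command="'*) ;;          # restricted: has a forced command
            *) n=$((n + 1)) ;;         # unrestricted: full shell if the key is used
        esac
    done
    echo "$n"
}

# Constructed sample of a root authorized_keys file (not real keys).
SAMPLE_KEYS='# constructed sample, not a real key file
command="/usr/local/bin/backup-pull",no-port-forwarding,no-pty ssh-ed25519 AAAAC3constructed1 backup@host
ssh-ed25519 AAAAC3constructed2 admin@laptop
'

# Usage: build the interactive hop, generate a restricted entry, and flag
# the one sample key that would hand out an unrestricted root shell.
ssh_su_cmd gtaylor host.example.com
forced_key_line /usr/local/bin/backup-pull "ssh-ed25519 AAAAC3constructed1 backup@host"
printf 'unrestricted root keys: %s\n' "$(printf '%s' "$SAMPLE_KEYS" | count_unrestricted_keys)"
```

Run the audit against the real file with `count_unrestricted_keys < /root/.ssh/authorized_keys`; anything other than 0 is a key that gives a full root shell with no forced command, which is exactly the case the thread argues against.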