Hi Sunil,

Sunil wrote:

>does any mechanism allow ssh rsa/dsa key based password less secure local 
>login (like su)?
>This message posted from opensolaris.org
No matter how many times I parse that sentence, I am having trouble
understanding what you mean. I realise that English may not be your
mother-tongue, so please forgive me for answering your question with
another set of questions.

Are you asking whether or not you can use ssh keys to provide
password-less logins? If so, then the answer is yes. However, I suspect
that you are asking a different question, as you already mentioned the
keys themselves.

Are you asking whether or not you can use your ssh keys to access the
root account? Yes, this is possible. I will describe what I have set up
and you can see if it fits your purposes.

At my site, our production network is separated from our PC network. In
order to get from the PC network, to the production network, the
administrators SSH to one of two machines (for redundancy). These
machines are multi-homed so that we can go from the PC network to the
production network.

Logging into the multi-homed machines from the PC network requires a
password or pass-phrase. Once logged into their account, the
administrators use ssh-add to add their pass-phrase-protected keys
to the agent. Once the keys are added to the agent, the hosts in the
production network use authorized_keys files to allow the administrators
to ssh into the boxes without a password. For trusted users, the
authorized_keys file is set up for both their own user and the root user.
Much like sudo, using this method means there is no need for a shared
root password, except in the case of an emergency, when it is easily
accessible. You should also note that, like logging into a machine and
su'ing to root, this method requires the knowledge of two pieces of
information.

What I described is a method for going from a normal user on one machine
to the root user (or normal user) on a remote machine. What I suspect
you were asking is for a similar concept, but for the local machine.
This is easily achieved. The steps would be as follows:

1. Have your administrators[0] generate ssh keys. Personally, I insist on
having the keys be pass-phrase-protected, but that is up to you.
2. Take the contents of each administrator's ~/.ssh/id_dsa.pub or
~/.ssh/id_rsa.pub file and append it to root's authorized_keys file.
3. Have the administrator issue the following command:
    ssh [EMAIL PROTECTED]

If they need a pass-phrase to decrypt the key, then it will ask for one.
If a pass-phrase is not required for decrypting the key, then it will
let them in. If neither of these are true, then it will default back to
asking for a password.

From memory, you can set certain accounts to require a pass-phrase; look
into ssh_config and sshd_config for more details.

All of this is provided without a warranty; please evaluate it against
your own security policy. Also, it was written without access to the
machines in question, so you should do your own due diligence checks of
its accuracy[1].

I hope it helps.

Kind Regards,

Nathan Dietsch

[0] I assume this is not for normal users
[1] I don't trust things that I read on a forum, at least not without
checking them first.

_______________________________________________
opensolaris-discuss mailing list
[email protected]
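The three-step local procedure above (collect each administrator's public key, append it to root's authorized_keys, then test with ssh to root) as an added example; this is not code from Nathan's message. It installs only ssh-rsa/ssh-dss key lines, avoids duplicates, sets the permissions sshd requires on the file and directory, and reports the effective PermitRootLogin setting (a real sshd_config keyword, which the message points you at for details). The file paths are parameters and the keys in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Steps 1-3 of the
# procedure for the local machine: append each administrator's public key
# to root's authorized_keys, set the permissions sshd expects, and show how
# sshd_config treats root logins. Paths are parameters so this can be
# exercised against a scratch directory.

# install_admin_keys AUTHORIZED_KEYS_FILE PUBKEY_FILE...
# Appends each ssh-rsa / ssh-dss line in the given .pub files, skipping
# unreadable files, non-key lines and keys that are already present.
install_admin_keys() {
    auth_file=$1; shift
    dir=$(dirname "$auth_file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    for pub in "$@"; do
        if [ ! -r "$pub" ]; then
            echo "skip: $pub is not readable" >&2
            continue
        fi
        while IFS= read -r line; do
            case $line in
                ssh-rsa\ *|ssh-dss\ *) ;;   # accept only rsa/dsa key lines
                *) echo "skip: non-key line in $pub" >&2; continue ;;
            esac
            # -x matches the whole line, -F treats the key as a literal
            grep -qxF -- "$line" "$auth_file" || printf '%s\n' "$line" >> "$auth_file"
        done < "$pub"
    done
}

# count_authorized_keys AUTHORIZED_KEYS_FILE: number of key lines present.
count_authorized_keys() {
    grep -c '^ssh-' "$1"
}

# permit_root_login SSHD_CONFIG: prints the effective PermitRootLogin value
# or "unset". sshd honours the first occurrence of a keyword, so later
# lines do not override it; commented lines (#PermitRootLogin) are ignored.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Demo in a scratch directory with a constructed (not real) public key.
scratch=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED alice@ws\n' > "$scratch/alice.pub"
install_admin_keys "$scratch/root/.ssh/authorized_keys" "$scratch/alice.pub"
echo "authorized keys: $(count_authorized_keys "$scratch/root/.ssh/authorized_keys")"
```

After installing the keys, `ssh [EMAIL PROTECTED]` as in step 3 is the test; if it still prompts for a password, the PermitRootLogin value printed by `permit_root_login /etc/ssh/sshd_config` is the first thing to check.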
