| 37 | | If ed25519 is not available on OSX, install openssl via homebrew ([http://epocsquadron.com/a-comprehensive-ssh-key-primer/ reference]). |
| | 38 | If ed25519 is not available on OSX, install `openssh` via homebrew ([http://epocsquadron.com/a-comprehensive-ssh-key-primer/ reference]). |
| | 39 | |
| | 40 | = Configuring an OpenSSH client and server for secure root login = |
| | 41 | |
| | 42 | Suppose you want to be able to log in to host B from host A, both as your user and as the superuser. The latter you need in case you want to use e.g. `rsync` from B to A as superuser to read otherwise inaccessible files on B's filesystem. You want to use key pairs with passphrase-protected private keys and no password authentication. The only exception where passwords are at play at all, is for your OS account and `sudo`. You want the barrier to log in as root to be at least as strong as logging in as your user and then performing `sudo su`. |
| | 43 | |
| | 44 | Generate two key pairs, with base file names `root@B` and `yourusername@B`. |
| | 45 | |
| | 46 | Edit your OpenSSH client configuration on A to point to the file paths of these keys, for instance: |
| | 47 | `~/.ssh/config`: |
| | 48 | {{{ |
| | 49 | Match originalhost B |
| | 50 | HostName B.Bdomain.Btld |
| | 51 | Match originalhost B user root |
| | 52 | IdentityFile "%d/.ssh/keypairs/root@B" |
| | 53 | Match originalhost B user sanmai |
| | 54 | IdentityFile "%d/.ssh/keypairs/yourusername@B" |
| | 55 | }}} |
| | 56 | |
| | 57 | Make sure you can log in to B as your user and that you are allowed to perform `sudo -e`. Also make sure that the OpenSSH server configuration is otherwise secure, f.i. forbidding any authentication method other than `PubKeyAuthentication`. |
| | 58 | Now edit the OpenSSH server configuration and put at the end of the file: |
| | 59 | `/etc/ssh/sshd_config`: |
| | 60 | {{{ |
| | 61 | PermitRootLogin no |
| | 62 | |
| | 63 | Match LocalAddress 127.0.0.1 |
| | 64 | PermitRootLogin without-password |
| | 65 | }}} |
| | 66 | |
| | 67 | Or to be compatible with IPv6 (untested): |
| | 68 | `/etc/ssh/sshd_config`: |
| | 69 | {{{ |
| | 70 | PermitRootLogin no |
| | 71 | |
| | 72 | Match LocalAddress 127.0.0.1,::1 |
| | 73 | PermitRootLogin without-password |
| | 74 | }}} |
| | 75 | |
| | 76 | Restart the OpenSSH daemon. |
| | 77 | |
| | 78 | == Logging in == |
| | 79 | Using this setup is rather simple: |
| | 80 | `ssh yourusername@B` |
| | 81 | or |
| | 82 | `ssh root@B` |
| | 83 | |
| | 84 | When authenticating as root, you will be asked both the passphrase of the private key you associated with yourusername as well as that or the private key for root. |
| | 85 | |
| | 86 | `rsync root@B:/etc/hostname /tmp/hostname` |
| | 87 | |
| | 88 | '''Only use the root private key when it's absolutely necessary.''' |
| | 89 | |
| | 90 | This way you concentrate your activity within the easier to audit sudo framework, and you will reduce your susceptibility to compromise of the passphrase for root@B by means of keylogging on A. |
