If ed25519 is not available on OSX, install `openssh` via homebrew ([http://epocsquadron.com/a-comprehensive-ssh-key-primer/ reference]); `ssh -V` shows which OpenSSH version you are actually running.

= Configuring an OpenSSH client and server for secure root login =

Suppose you want to be able to log in to host B from host A, both as your own user and as the superuser. You need the latter when, for instance, you run `rsync` on A as root on B, to copy files from B's filesystem that your own account cannot read. You want key pairs with passphrase-protected private keys and no password authentication over SSH; the only passwords left in play are those of your OS account and of `sudo`. The barrier to logging in as root should be at least as strong as logging in as your user and then running `sudo su`. In the setup below a root session therefore requires both your own key and the root key, and sshd on B accepts the root key only for connections that arrive on B's loopback address through a session that has already been authenticated as you.

Generate two key pairs on A (`ssh-keygen -t ed25519`, each with its own passphrase), with base file names `root@B` and `yourusername@B` under `~/.ssh/keypairs/`, and install the public half of each in the `~/.ssh/authorized_keys` of the matching account on B. As defence in depth, prefix root's entry with `from="127.0.0.1,::1"`: the key is then refused from anywhere but B's loopback even if the server-side `Match` block below is ever lost in an upgrade.

Edit your OpenSSH client configuration on A so that each account uses its own key. The root entry also has to hop through your own account with `ProxyJump` (OpenSSH 7.3 or later; older clients need an equivalent `ProxyCommand`), because the server below only accepts root logins that arrive on B's loopback address. Put the root block first: `ssh_config` uses the first value obtained for each keyword, so its `HostName` must be set before the general block sets one. For instance:
`~/.ssh/config`:
{{{
# Root sessions are tunnelled through your own session and reach sshd on
# B's loopback address, the only place B accepts them.
Match originalhost B user root
    HostName 127.0.0.1
    HostKeyAlias B.Bdomain.Btld
    ProxyJump yourusername@B
    IdentityFile "%d/.ssh/keypairs/root@B"
Match originalhost B
    HostName B.Bdomain.Btld
Match originalhost B user yourusername
    IdentityFile "%d/.ssh/keypairs/yourusername@B"
}}}

`HostKeyAlias` makes the tunnelled connection verify B's host key against the same `known_hosts` entry as your normal logins, instead of recording an ambiguous `127.0.0.1` entry that a different host could later satisfy. `ssh -G root@B` prints the options the client will actually use and is the quickest way to confirm that the right block matched.

Make sure you can log in to B as your user and that `sudo` works for you (for instance `sudo -e`, which you need next to edit `sshd_config`). Also make sure that the OpenSSH server configuration is otherwise secure, for instance by forbidding every authentication method other than `PubkeyAuthentication` (`PasswordAuthentication no` and `KbdInteractiveAuthentication no`, spelled `ChallengeResponseAuthentication` in older releases).
Now edit the OpenSSH server configuration and append the following at the end of the file. `sshd_config` uses the first value obtained for a keyword, so check that no `PermitRootLogin` line already exists higher up in the file, and keep these lines last: every line after a `Match` belongs to that block.
`/etc/ssh/sshd_config`:
{{{
# Global default: no direct root logins over the network.
PermitRootLogin no

# Root logins are accepted only on B's own loopback address, i.e. when they
# are tunnelled through an already authenticated session, and only with a key.
Match LocalAddress 127.0.0.1
    PermitRootLogin prohibit-password
}}}

`prohibit-password` was called `without-password` before OpenSSH 7.0 and the old spelling is still accepted. `LocalAddress` is the address sshd accepted the connection on, not the client's address; a root session tunnelled through your own session satisfies both. The tunnel also relies on your own account being allowed to open the forwarded connection on B (`AllowTcpForwarding` and `PermitOpen` at their defaults).

If the tunnel targets `::1` instead, or you want both loopback addresses covered, `Match` accepts a comma-separated list of addresses:
`/etc/ssh/sshd_config`:
{{{
PermitRootLogin no

Match LocalAddress 127.0.0.1,::1
    PermitRootLogin prohibit-password
}}}

Check the file with `sshd -t`, then confirm the effective policy for both paths before restarting: `sshd -T -C user=root,addr=127.0.0.1,laddr=127.0.0.1 | grep -i permitrootlogin` must print `prohibit-password`, and the same command with a non-loopback `addr` and `laddr` (A's address and B's public address) must print `no`. Then restart (or reload) the OpenSSH daemon, keeping your current session open until a fresh login has been verified to work.

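
The server-side rules only do their job if `no` is really the value sshd obtains for remote root logins, which depends on where the lines sit in the file. The following Python model is added here as an illustration, it is neither code from this page nor from OpenSSH: it resolves an option for one connection the way `sshd_config(5)` describes it, first value wins within the global section, and a `Match` block whose criteria all hold overrides the global value. It models only the subset needed here (`Match User`, `Match Address` and `Match LocalAddress`, with comma-separated lists and CIDR); the function names, the client addresses and the stale `PermitRootLogin yes` line are constructed for the example. On a real host the authoritative check remains `sshd -T -C user=...,addr=...,laddr=...`.

```python
"""Model of how sshd resolves an option such as PermitRootLogin for one
connection.  Added illustration, not code from the page or from OpenSSH.

Rules modelled from sshd_config(5): in the global section the first obtained
value wins; a Match block applies when all of its criteria hold, its values
override the global section, and among applicable Match blocks the first one
wins.  Only Match User / Address / LocalAddress are supported; User patterns
go through fnmatch, address patterns may be plain addresses or CIDR blocks.
"""
import fnmatch
import ipaddress
import shlex


def _addr_matches(addr, patterns):
    """True if addr falls in any of the comma-separated address/CIDR patterns."""
    ip = ipaddress.ip_address(addr)
    for pat in patterns.split(","):
        pat = pat.strip()
        if pat == "*":
            return True
        try:
            network = ipaddress.ip_network(pat, strict=False)
        except ValueError:
            continue  # hostname patterns are not modelled here
        if ip in network:  # False when IPv4 meets IPv6, as in sshd
            return True
    return False


def _match_criteria_hold(criteria, user, addr, laddr):
    """Evaluate one Match line; every keyword/value pair must be satisfied."""
    if len(criteria) % 2:
        raise ValueError("Match criteria come in keyword/value pairs")
    for key, val in zip(criteria[::2], criteria[1::2]):
        key = key.lower()
        if key == "user":
            if not any(fnmatch.fnmatchcase(user, p.strip()) for p in val.split(",")):
                return False
        elif key == "address":
            if not _addr_matches(addr, val):
                return False
        elif key == "localaddress":
            if not _addr_matches(laddr, val):
                return False
        else:
            raise ValueError("Match criterion not modelled: " + key)
    return True


def effective_option(config_text, option, user, addr, laddr):
    """Value sshd would use for `option` on a connection from `addr`,
    accepted on `laddr`, for `user`; None if the file never sets it
    (sshd then falls back to its compiled-in default)."""
    option = option.lower()
    global_value = None    # first value seen in the global section
    match_value = None     # first value from a Match block that applies
    in_match = False       # everything after the first Match line is block content
    block_applies = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        keyword = parts[0].lower()
        if keyword == "match":
            in_match = True
            block_applies = _match_criteria_hold(parts[1:], user, addr, laddr)
            continue
        if keyword != option:
            continue
        if len(parts) < 2:
            raise ValueError("missing value on line: " + raw)
        if not in_match:
            if global_value is None:
                global_value = parts[1]
        elif block_applies and match_value is None:
            match_value = parts[1]
    return match_value if match_value is not None else global_value


# The fragment this page appends to sshd_config.
PAGE_FRAGMENT = """\
PermitRootLogin no

Match LocalAddress 127.0.0.1,::1
    PermitRootLogin prohibit-password
"""

# Constructed pitfall: a distribution default left in place higher up in the
# file.  Because the first global value wins, the appended `no` is dead text.
STALE_CONFIG = "PermitRootLogin yes\n" + PAGE_FRAGMENT


def root_login_policy(config_text):
    """PermitRootLogin for a root login arriving over the network versus one
    tunnelled to B's loopback address (client addresses are constructed)."""
    return {
        "remote": effective_option(config_text, "PermitRootLogin",
                                   "root", "203.0.113.10", "198.51.100.7"),
        "loopback": effective_option(config_text, "PermitRootLogin",
                                     "root", "127.0.0.1", "127.0.0.1"),
    }


if __name__ == "__main__":
    print("page fragment:", root_login_policy(PAGE_FRAGMENT))
    print("stale line   :", root_login_policy(STALE_CONFIG))
```

Run as a script it prints the two policies side by side: the page's fragment yields `no` for the remote path and `prohibit-password` for the loopback path, while the stale-line variant silently keeps `yes` for remote root logins, which is exactly what `sshd -T -C` would reveal on the real host.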
== Logging in ==
Using this setup is rather simple:
`ssh yourusername@B`
or
`ssh root@B`

When authenticating as root you are asked for two passphrases: first that of the private key associated with yourusername, for the session the root connection is tunnelled through, and then that of the private key for root.

`rsync root@B:/etc/hostname /tmp/hostname` (run on A; it takes the same two-key path)

'''Only use the root private key when it's absolutely necessary.'''

This way you concentrate your activity within the easier-to-audit `sudo` framework (each command is logged under your user name, whereas a root SSH session only records that root logged in from 127.0.0.1), and you reduce the exposure of the passphrase for root@B to a keylogger on A: a passphrase you rarely type is rarely captured. For the same reason keep the root key out of `ssh-agent`, which would let any process running as you on A use it without a passphrase, or load it only briefly with `ssh-add -t`.