how to "rsh -l root" WITHOUT typing password?

Post by kalasend at YAHOO dot CO » Sun, 24 Jun 2001 09:04:50



I need to write a script so that it launches a program on a remote host.
 
 
 


Post by Jamie Norwo » Sun, 24 Jun 2001 10:06:00




> I need to write a script so that it launches a program on a remote host.

First, use SSH, not RSH.

Second, research ways to do this that don't require allowing someone to log
in as root with no password.

Jamie

 
 
 


Post by Kirk Strause » Sun, 24 Jun 2001 11:17:06



> I need to write a script so that it launches a program on a remote host.

The solution I've used:

  1) Create a special user account on the remote host that won't be used for
     anything other than this one special purpose.

  2) Create an SSH identity file without a password and set the user from
     step #1 to use this.  Now you can SSH from the local machine to the
     special account on the remote machine without a password.

  3) If the remote account needs special (i.e. root) privileges, install and
     configure sudo on the remote machine, giving the special user account
     permission to run *only* the programs that it needs to, and nothing
     else.

Voila!  Now you have an easy-to-use remote account that can't be used for
anything other than the tasks you assign it.  Ensuring that those tasks are
securely executed is left as an exercise for the reader.
--
Kirk Strauser

 
 
 


Post by Bill Vermilli » Sun, 24 Jun 2001 22:13:25





>> I need to write a script so that it launches a program on a remote host.
>Voila! Now you have an easy-to-use remote account that can't be
>used for anything other than the tasks you assign it. Ensuring that
>those tasks are securely executed is left as an exercise for the
>reader.

And imagine my surprise when one day I telneted to a machine
solely to see the login prompt to find out what version of Linux
the new admin had installed to replace the FreeBSD that was on the
machine previously.

Imagine my surprise when with no login prompt and no password
prompt I was in / with a # prompt and full root privileges.

Anyone who permits any root type account to login in on anything
other than the console should be prepared for the worst.

--

 
 
 


Post by Kirk Strause » Mon, 25 Jun 2001 10:47:49



> Anyone who permits any root type account to login in on anything other
> than the console should be prepared for the worst.

I agree completely.  That's why I specifically recommend creating a special
non-root user, and then giving that user a well-defined set of privileges,
perhaps even in a chroot or jail environment.

I have to enable root-level remote access to a few servers that I have
colo'ed in various places, but it requires an RSA login (no password, even
over SSH, ever!!!) from a short list of approved addresses to an account
that can't do anything but su.  A would-be attacker would have to have my
identity file, access to one of my 'not completely distrusted' machines, my
passphrase, and finally the root password.  I'm unaware of any extra steps I
can take, short of building a hardened Kerberos installation.
--
Kirk Strauser
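
Added example, not part of the thread: Kirk Strauser's three-step setup (dedicated account, passwordless key, sudo limited to one program) combined with the approved-address restriction from the post above, written as the two server-side config lines plus an audit that flags unrestricted keys. The account name, program path, addresses and sample key are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example; account name, program path and addresses are assumptions.
SVC_USER="svc-launch"                  # step 1: dedicated single-purpose account
JOB="/usr/local/sbin/run-job"          # the only program it may run as root
ALLOWED_FROM="192.0.2.10,192.0.2.11"   # approved clients (documentation range)
# Constructed placeholder, not a real key. A real one comes from the client:
#   ssh-keygen -t rsa -N '' -f ~/.ssh/launch_key
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexample launcher@client'

# Step 2: authorized_keys line for $SVC_USER. The passwordless key is usable
# only from the approved addresses and can only start the one forced command;
# "restrict" (OpenSSH 7.2+) turns off pty, forwarding and the other extras.
authorized_keys_entry() {   # $1 = public key line
    printf 'from="%s",command="sudo -n %s",restrict %s\n' \
        "$ALLOWED_FROM" "$JOB" "$1"
}

# Step 3: sudoers rule (install via visudo) granting exactly one command.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$SVC_USER" "$JOB"
}

# Audit authorized_keys text on stdin: report every key that lacks from= or
# command=, and return non-zero if any is found. Handles ssh-* key types only.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            ssh-*) opts="" ;;                 # starts with key type: no options
            *)     opts=${line%% ssh-*} ;;    # options precede the key type
        esac
        case "$opts" in *'from="'*) ;; *) echo "missing from=: $line"; bad=1 ;; esac
        case "$opts" in *'command="'*) ;; *) echo "missing command=: $line"; bad=1 ;; esac
    done
    return "$bad"
}

authorized_keys_entry "$SAMPLE_KEY"
sudoers_rule
# A bare key, as ssh-keygen emits it, fails the audit:
printf '%s\n' "$SAMPLE_KEY" | audit_authorized_keys || echo "audit failed"
```

The first printed line belongs in the dedicated account's ~/.ssh/authorized_keys on the remote host, the second in sudoers; the audit can be pointed at an existing authorized_keys file with input redirection.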

 
 
 


Post by Bill Vermilli » Mon, 25 Jun 2001 23:44:02





>> Anyone who permits any root type account to login in on anything other
>> than the console should be prepared for the worst.
>I agree completely. That's why I specifically recommend creating a
>special non-root user, and then giving that user a well-defined set
>of privileges, perhaps even in a chroot or jail environment.

Our posts probably crossed. I'm not full-time connected on my
mail/news machine as it's dialup and sucknews and fetchmail
process. And depending on the upper level news machine sometimes it
chokes.

>I have to enable root-level remote access to a few servers that I
>have colo'ed in various places, but it requires an RSA login (no
>password, even over SSH, ever!!!) from a short list of approved
>addresses to an account that can't do anything but su. A would-be
>attacker would have to have my identity file, access to one of my
>'not completely distrusted' machines, my passphrase, and finally
>the root password. I'm unaware of any extra steps I can take, short
>of building a hardened Kerberos installation.

I do about the same. If I ever need something stronger I'm only
20 minutes away from the colo and that is really secure. I lost a
Cisco router one night - infant mortality - and it's strange to be
the only person in or near the building at 4AM. {but big brother is
always watching over the closed circuit monitors}.

You can never have too much security.  Sometimes it's a bit painful
to go through the steps, but better to be safe than sorry.
--

 
 
 
