Auditors want more security with root to root access via ssh keys

Discussion in 'Server Security' started by dvbell, Jul 11, 2013.

  1. dvbell

    dvbell New Member

    I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE Admin server is setup in the following manner:

    1) Remote root access is turned off in the sshd_config file.
    2) I am the only user of this admin server.
    3) My user account is not allowed sudo access, so I must use su and know the root password.
    4) ssh keys are setup to the remote servers root accounts.

    What I need, in order to satisfy the auditors, is a password being required when I use ssh. However, the ssh passphrase will not work since it will require a login password at each server. I need something that will require a password once, so I can do a script to hit all servers without having to enter a password at each server the script hits.


    Any ideas? Thanks in advance.
  2. Rob

    Rob Administrator Staff Member

    You can set up a password for your ssh key - most breeze by it during ssh-keygen. It would require putting your key on all those servers again, however, since it would re-create it.
  3. JDG

    JDG New Member

    I've done what you describe using PuTTY Agent (Pageant). This requires a passphrase for your key prior to loading it for use by the agent and later the SSH client (PuTTY).

    I of course am doing this for a Windows machine because of my constraints in the office, and I do recall seeing a brief tutorial on how to accomplish the same thing natively in Ubuntu.

    Keep in mind methods like these do keep your passphrase in memory as well which can be an issue if your memory registers get harvested, and also an issue if a keylogger is dropped on your admin system.
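The same idea on a Linux admin box, as an added example that is not code from the thread: the passphrase-protected key is unlocked into ssh-agent once, and a loop then runs one command as root on every host in a list. The key path, host file and the SSH_CMD override hook (used only so the loop can be exercised without real hosts) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): unlock one passphrase-protected key into
# ssh-agent a single time, then run a command as root on every host in a list.
# Assumed paths: the admin key and host file below; SSH_CMD is an assumed
# override hook so the fan-out loop can be exercised without real hosts.

KEY="${ADMIN_KEY:-$HOME/.ssh/id_ed25519_admin}"
SSH_CMD="${SSH_CMD:-ssh}"

# Start a private agent for this run and forget the key when the script exits,
# so the decrypted key only lives in memory for the length of the batch job.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-add -D >/dev/null 2>&1; ssh-agent -k >/dev/null' EXIT
    # ssh-add prompts for the passphrase exactly once; -t caps the key lifetime.
    ssh-add -t 1h "$KEY"
}

# run_on_hosts HOSTFILE CMD: runs CMD as root on each host (one per line).
# Prints "host: ok" / "host: FAIL" and returns the number of failed hosts.
run_on_hosts() {
    hostfile="$1"; cmd="$2"; failures=0
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|\#*) continue ;; esac     # skip blanks and comments
        # BatchMode=yes: never fall back to a password prompt if the key fails.
        # </dev/null: stop ssh from swallowing the rest of the host list on stdin.
        if "$SSH_CMD" -o BatchMode=yes -o ConnectTimeout=10 \
               "root@$host" "$cmd" </dev/null >/dev/null 2>&1; then
            echo "$host: ok"
        else
            echo "$host: FAIL"; failures=$((failures + 1))
        fi
    done < "$hostfile"
    return $(( failures > 255 ? 255 : failures ))   # shell exit status is 8-bit
}

# Usage: ./fanout.sh /etc/admin/hosts.txt 'zypper --non-interactive patch'
if [ "$#" -eq 2 ]; then
    start_agent
    run_on_hosts "$1" "$2"
fi
```

Because the agent is started inside the script and killed on exit, the unlocked key is gone once the batch finishes rather than sitting in a long-lived agent.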
  4. dvbell

    dvbell New Member

    Thanks all. I appreciate the ideas. I'll look into Pageant. I'm working on getting Puppet Enterprise set up so I can update config files via Puppet instead of accessing the servers directly. I'm trying to reduce keystrokes so my carpal tunnel doesn't act up. :) Thanks again.