[RndTbl] SSH to a role (not exactly)

Trevor Cordes trevor at tecnopolis.ca
Sat Mar 7 02:39:34 CST 2015


On 2015-03-06 Kevin McGregor wrote:
> Augh. Sorry for the lame-ass question. Forget what I said. Anyway:
> 
> <command I run as root> | ssh <dest-host> "command I need to run as
> root"
> 
> I can set up the SSH keys so this works without passwords, but I only
> understand how to make that work when 'root' is an account and not a
> "role". So I guess I should look into how to run commands with a
> specific user account which can run the zfs command and set up the
> SSH keys so it works without requiring a password.

1. Set up sudo(ers) (I'm sure Solaris has an equivalent?) for the
"command I need to run as root" on <dest-host> so that the normal user
can run said command as root without root creds or pw's at all.

or

2. Allow root login in ssh and lock down that box's firewall (if it has
one) to only allow ssh from trusted IPs.  If you want to make that
policy leap, and are allowed to.  (Sure, it's not perfect.)  I never
understood, really, why people don't like ssh allow-root, because a
determined hacker who got your user creds can just plant a logger and
capture your root creds when you first su into root anyhow, or just get
your root creds the same way they got your user creds.  And root
escalation vulns are the most common thing around.  So all you do is
slow them down a bit, which is a good thing mind you, but root ssh is
*so* handy to have... but I digress.

Again, I have no idea about Solaris "roles" and how it helps/hinders
you.  Perhaps you could give a brief explanation of Solaris roles?  If
for nothing more than my curiosity.

Sorry if the Linux-ishness of my answers is unhelpful for Solaris.  I
tried, so you're not left with nothing but crickets.
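
An added example, not part of the original message: one way to combine option 1 with the key-only account from the quoted text is to pin the SSH key to a small gate script that accepts exactly one command and runs it through a single-command sudo rule. It goes slightly beyond the thread by using an sshd forced command. The account name `zfsrecv`, the dataset `tank/backup`, the paths, the address 192.0.2.10 and the availability of sudo on <dest-host> are all assumptions.

```shell
#!/bin/sh
# Added example (hypothetical names throughout): /usr/local/bin/zfs-gate
#
# ~zfsrecv/.ssh/authorized_keys on <dest-host>, one line, key as placeholder:
#   command="/usr/local/bin/zfs-gate --run",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding <public-key>
#
# /etc/sudoers.d/zfsrecv (edit with: visudo -f /etc/sudoers.d/zfsrecv):
#   zfsrecv ALL=(root) NOPASSWD: /usr/sbin/zfs receive tank/backup
#
# Sender side, run as root there:
#   <command I run as root> | ssh zfsrecv@<dest-host> "zfs receive tank/backup"

# The only request this key may make (assumed subcommand and dataset).
ALLOWED='zfs receive tank/backup'

# Succeed only on an exact match, so anything appended to the request
# (";", "&&", extra arguments) is refused rather than passed to a shell.
is_allowed() {
    [ "$1" = "$ALLOWED" ]
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND and runs
# the forced command instead. The request is never evaluated; on a match the
# fixed command line below is executed, with sudo -n so it cannot prompt.
gate() {
    if is_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec sudo -n /usr/sbin/zfs receive tank/backup
    fi
    echo "zfs-gate: refused: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    return 1
}

# Only act when invoked by the forced command shown above.
if [ "${1:-}" = "--run" ]; then
    gate
fi
```

With this in place the key cannot open an interactive shell, and a stolen copy of it is limited to the one sudo rule and to connections from the listed source address.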

