[RndTbl] SSH to a role (not exactly)

Theodore Baschak theodore at ciscodude.net
Sat Mar 7 18:08:12 CST 2015


> On 7 Mar 2015, at 02:39, Trevor Cordes <trevor at tecnopolis.ca> wrote:
> 
> On 2015-03-06 Kevin McGregor wrote:
>> Augh. Sorry for the lame-ass question. Forget what I said. Anyway:
>> 
>> <command I run as root> | ssh <dest-host> "command I need to run as
>> root"
>> 
>> I can set up the SSH keys so this works without passwords, but I only
>> understand how to make that work when 'root' is an account and not a
>> "role". So I guess I should look into how to run commands with a
>> specific user account which can run the zfs command and set up the
>> SSH keys so it works without requiring a password.
> 
> 1. Set up sudo(ers) (I'm sure Solaris has an equivalent?) for the
> "command I need to run as root" on <dest-host> so that the normal user
> can run said command as root without root creds or pw's at all.
> 
> or
> 
> 2. Allow root login in ssh and lock down that box's firewall (if it has
> one) to only allow ssh from trusted IPs.  If you want to make that
> policy leap, and are allowed to.  (Sure, it's not perfect.)  I never
> understood, really, why people don't like ssh allow-root, because a
> determined hacker who got your user creds can just plant a logger and
> capture your root creds when you first su into root anyhow, or just get
> your root creds the same way they got your user creds.  And root
> escalation vulns are the most common thing around.  So all you do is
> slow them down a bit, which is a good thing mind you, but root ssh is
> *so* handy to have... but I digress.
> 
> Again, I have no idea about Solaris "roles" and how it helps/hinders
> you.  Perhaps you could give a brief explanation of Solaris roles?  If
> for nothing more than my curiosity.
> 
> Sorry if the linux-ish of my answers is unhelpful for Solaris.  I
> tried, so you're not left with nothing but crickets.


I read the following blog the other day with one guy's struggles (and success) to do zfs send/receive as non-root:
http://dan.langille.org/2015/02/16/zfs-send-zfs-receive-as-non-root/

This blog was written using FreeBSD, so I'm not sure if the zfs allow commands would work on Solaris, but since ZFS comes from Solaris first I'd kind of assume so.


-- 
Theo Baschak

BOFH excuse #67:
descramble code needed from software company
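Trevor's option 1 (a restricted non-root account instead of root ssh) and the `zfs allow` delegation Theo points to can be combined with an SSH forced command so the key used in Kevin's `<cmd> | ssh <dest-host> "..."` pipe can run nothing but a receive into one dataset tree. This is an added example, not code from the thread or the linked blog; the user `backup`, the parent dataset `tank/backup`, the wrapper path and the key are assumptions.

```shell
#!/bin/sh
# zfs-recv-wrapper.sh: forced-command wrapper for a receive-only SSH key on <dest-host>.
# Added example, not code from the thread or the linked blog. Assumed setup:
#   ~backup/.ssh/authorized_keys on <dest-host> (one line; key is a placeholder):
#     command="/usr/local/bin/zfs-recv-wrapper.sh tank/backup",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup@src
#   delegation on <dest-host> instead of root:  zfs allow -u backup create,mount,receive tank/backup
#   on the sender:  zfs send tank/data@snap | ssh backup@<dest-host> "zfs receive -F tank/backup/data"
# sshd runs this script with the sender's request in SSH_ORIGINAL_COMMAND, so the key can
# only ever execute "zfs receive [-F] <dataset below tank/backup>", never a shell.
set -f                              # never glob-expand anything the sender sent
ALLOWED_PARENT=${1:-tank/backup}    # assumed default; the real parent comes from the key's command=

# validate_target DATASET: true only for a well-formed dataset strictly below ALLOWED_PARENT
validate_target() {
  case $1 in
    "$ALLOWED_PARENT"/*) ;;
    *) return 1 ;;
  esac
  case $1 in
    *[!A-Za-z0-9_.:/-]*) return 1 ;;                # characters ZFS names never contain
    */|*//*|*/.|*/./*|*/..|*/../*) return 1 ;;      # empty, "." or ".." path components
  esac
  return 0
}

# parse_receive_cmd CMD: accept exactly "zfs receive [-F] DATASET" (or "recv"), setting
# RECV_FORCE and RECV_TARGET; any other subcommand, option or extra word returns 1
parse_receive_cmd() {
  RECV_FORCE=""; RECV_TARGET=""
  set -- $1                          # split on whitespace only (globbing is off)
  [ "$1" = zfs ] || return 1
  case $2 in receive|recv) ;; *) return 1 ;; esac
  shift 2
  if [ "$1" = -F ]; then RECV_FORCE=-F; shift; fi
  [ $# -eq 1 ] || return 1
  validate_target "$1" || return 1
  RECV_TARGET=$1
}

# Invoked by sshd as the forced command: run the validated receive, stdin is the stream.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if parse_receive_cmd "$SSH_ORIGINAL_COMMAND"; then
    exec zfs receive $RECV_FORCE "$RECV_TARGET"   # with sudoers instead of zfs allow: exec sudo zfs ...
  fi
  printf 'zfs-recv-wrapper: rejected: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
  exit 1
fi
```

The `no-pty`/`no-*-forwarding` options and the restriction to one parent dataset are what keep a stolen sender key from turning into a login or a `zfs destroy` on the destination.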