Recipe 5.18 Sharing root Privileges via SSH

5.18.1 Problem

You want to share superuser privileges with other users but not reveal the root password.

5.18.2 Solution

Append users' public keys to ~root/.ssh/authorized_keys.[1] [Recipe 6.4] Users may then run a root shell:

[1] In older versions of OpenSSH, the file for SSH-2 protocol keys is authorized_keys2.

$ ssh -l root localhost

or execute commands as root:

$ ssh -l root localhost ...command...

5.18.3 Discussion

As an alternative to su, you can use ssh to assign superuser privileges without giving out the root password. Users connect to localhost and authenticate by public key. (There's no sense using password authentication here: you'd have to give out the root password, which is exactly what we're trying to avoid.)

This method is more flexible than using su, since you can easily instate and revoke root privileges: simply add and remove users' keys from ~root/.ssh/authorized_keys. However, it provides less logging than sudo: you can learn who became root (by log messages) but not what commands were run during the SSH session.

Some discussion points:

  • Make sure /etc/ssh/sshd_config has PermitRootLogin yes specified.

  • ssh is built for networking, so of course you can extend the scope of these root privileges to remote machines the same way. Instead of connecting to localhost, users connect to the remote machine as root:

    $ ssh -l root remote_host

  • Users can avoid passphrase prompts by running ssh-agent. [Recipe 6.9] This feature must be balanced against your security policy, however. If no passphrase is required for root privileges, then the user's terminal becomes a target for attack.

  • For more security on a single machine, consider extending the method in this way:

    1. Run a second sshd on an arbitrary port (say 22222) with an alternative configuration file (sshd -f).

    2. In the alternative configuration file, set PermitRootLogin yes, and let the only method of authentication be PubkeyAuthentication.

    3. Disable all unneeded options in authorized_keys; in particular, use from="" or from="your actual IP address" to prevent connections from other hosts to your local root account.

    4. In your firewall, block port 22222 to prevent unwanted incoming network connections.

    5. For convenience and abstraction, create a script that runs the command:

      ssh -p 22222 -l root localhost "$@"
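
An added example, not from the book: a shell function that checks an alternative sshd configuration file and root's authorized_keys against steps 1 to 3 above. The function names, sample file names and sample key lines are constructed for illustration; it assumes plain "Keyword value" lines and ignores Match blocks and Include files.

```sh
#!/bin/sh
# Added example (not from the book): audit a second-sshd setup.

# First value of a keyword in an sshd_config-style file. Keywords are
# case-insensitive and the first occurrence wins; comment lines never match.
cfg_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Print one line per deviation from steps 1-3; print nothing if all is well.
audit_root_sshd() {
    cfg=$1 keys=$2
    port=$(cfg_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "step 1: no separate port set (Port missing or 22)"
    fi
    [ "$(cfg_get "$cfg" PermitRootLogin)" = yes ] ||
        echo "step 2: PermitRootLogin is not yes"
    # PubkeyAuthentication defaults to yes, so only an explicit "no" is wrong.
    [ "$(cfg_get "$cfg" PubkeyAuthentication)" != no ] ||
        echo "step 2: PubkeyAuthentication is disabled"
    # These default to yes, so they must be switched off explicitly.
    for kw in PasswordAuthentication KbdInteractiveAuthentication; do
        [ "$(cfg_get "$cfg" "$kw")" = no ] || echo "step 2: $kw is not set to no"
    done
    # Key lines (not blank, not comments) that carry no from="..." option.
    n=$(awk 'NF && $1 !~ /^#/ && !/from="/ { n++ } END { print n+0 }' "$keys")
    [ "$n" -eq 0 ] || echo "step 3: $n key line(s) lack a from= option"
    return 0
}

# Constructed sample files: good.* follow the recipe, weak.* do not.
# The key material is a placeholder, not a real key.
write_samples() {
    printf '%s\n' 'Port 22222' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$1/good.conf"
    printf '%s\n' '# Port 22222' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$1/weak.conf"
    printf '%s\n' '# admin keys' \
        'from="127.0.0.1" ssh-ed25519 AAAA...placeholder alice' > "$1/good.keys"
    printf '%s\n' 'from="127.0.0.1" ssh-ed25519 AAAA...placeholder alice' \
        'ssh-ed25519 AAAA...placeholder bob' > "$1/weak.keys"
}

# Usage: sh audit.sh ALT_SSHD_CONFIG AUTHORIZED_KEYS
if [ "$#" -eq 2 ]; then audit_root_sshd "$1" "$2"; fi
```

The firewall rule from step 4 is outside what this check can see; verify it separately.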

5.18.4 See Also

ssh(1), sshd(8), sshd_config(5).
