PerlMonks  

Re: qx//, ssh -t (pseudo-tty) and sudo

by Roger (Parson)
on Nov 07, 2003 at 13:57 UTC ( [id://305293]=note )


in reply to qx//, ssh -t (pseudo-tty) and sudo

Since you have sudo access on the remote machine, and you have Secure Shell working on both machines, why don't you just ssh directly as root onto the target machine? Do you have any security concerns? (Roger thinks ssh->root is as secure/insecure as ssh->sudo.)

Replies are listed 'Best First'.
Re: Re: qx//, ssh -t (pseudo-tty) and sudo
by bugsbunny (Scribe) on Nov 07, 2003 at 19:29 UTC
    hmm :"),
    sorry I didn't mention it.. this is a part of a script that does many other things.. I want a script, not doing this manually
    And SUDO usage is the thing that guarantees security.. as many of you know, giving root direct ssh access is not a good thing.. I don't do it either :")
    It always has to happen through another user, i.e. log in as user X and switch to root only if necessary.
    Now sudo is the only secure way to give non-root users some privileges, but not all.
    Here comes the next barrier, i.e. the use of keychain (ssh-askpasswd! and so on), which prevents entering the password multiple times and doesn't transfer passwords over the wire.
    In fact there is no other good secure method for restarting services automatically via scripts over the network. I searched a lot :"). If you know another way, please tell me
    So back to the problem: SUDO, for some reason, when it asks for a password, displays the password at the time I type it.
    When I was doing this in a shell script I solved the problem by specifying the "-t" switch. (With it the password is not shown while I type it.)
    Now this trick doesn't work under Perl. And from the responses and from my Google search it seems to be a really tricky thing...
Re: Re: qx//, ssh -t (pseudo-tty) and sudo
by shockme (Chaplain) on Nov 12, 2003 at 01:03 UTC
    Way OT here, but there is a huge difference between using ssh as root and using ssh as a normal user who has sudo privileges.

    While the differences are too numerous to mention, it is important to remember root is all-powerful. Period. No questions asked.

    sudo is highly configurable as to which user/group can do what. You can fine-tune which user can do X, which group can do Y, etc.

    I'll take 1,000 users with sudo privileges over 1,000 users logging in as root any day. At a minimum, I can look at the logs and see who did what, as opposed to thousands of entries showing root logging in, and then one entry where root rm -rf /.

    If things get any worse, I'll have to ask you to stop helping me.

      sudo is highly configurable as to which user/group can do what. You can fine-tune which user can do X, which group can do Y, etc.

      Agreed, but once I convinced the system admin that I had to do sudo make to compile some program. Having obtained the sudo access, I made a simple Makefile that called a script that modified the sudoer file, and gave me total control of the system. :-)

        Given that /etc/sudoers is supposed to be read-only (444), this smacks of an insecure installation.

        However, my point was not that sudo is perfection, only that it is far more preferable to allowing root access to ssh.

        If things get any worse, I'll have to ask you to stop helping me.
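
An added example, not part of the thread or any poster's code: a small Python audit that flags sudoers grants which, like the `sudo make` case described above, amount to full root because the permitted program runs caller-supplied code. The rules, user names, paths and the program list are constructed for illustration, and the parser handles only simple user specifications and `Cmnd_Alias` lines.

```python
import re

# Illustrative, incomplete list (an assumption of this example): programs that
# execute code or commands chosen by the caller. "make" is the thread's case.
RUNS_CALLER_CODE = {"make", "sh", "bash", "perl", "python", "env", "vi", "vim"}

# Constructed sample rules, not taken from the thread.
SAMPLE = r"""
Defaults env_reset
Cmnd_Alias BUILD = /usr/bin/make, \
                   /usr/bin/install
Cmnd_Alias RESTART = /sbin/service httpd restart
dev     ALL = (root) BUILD
deploy  ALL = (root) NOPASSWD: RESTART
admin   ALL = (ALL) ALL
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: also drops #include
        if line:
            yield line

def audit_sudoers(text):
    """Return (who, command, reason) for grants that amount to full root."""
    aliases, specs, findings = {}, [], []
    for line in logical_lines(text):
        head, _, rest = line.partition("=")
        if head.startswith("Cmnd_Alias"):
            aliases[head.split()[1]] = [c.strip() for c in rest.split(",")]
        elif rest and not re.match(r"(Defaults|\w+_Alias)\b", head):
            specs.append((head.split()[0], rest))
    for who, rest in specs:
        rest = re.sub(r"\([^)]*\)", "", rest)                   # drop (runas) list
        for item in rest.split(","):
            item = re.sub(r"^\s*(\w+:\s*)+", "", item).strip()  # drop NOPASSWD: etc.
            for cmd in aliases.get(item, [item]):
                prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
                if cmd == "ALL":
                    findings.append((who, cmd, "unrestricted"))
                elif prog in RUNS_CALLER_CODE:
                    findings.append((who, cmd, "runs caller-supplied code"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding, sep="\t")
```

The `deploy` rule, limited to one service restart with fixed arguments, produces no finding; the `BUILD` alias does because it includes `make`.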
