Date: Wed, 25 Feb 2009 08:42:24 +0500
From: Mike Kazantsev
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
Message-ID: <20090225084224.26a0a6b9@malediction>
In-Reply-To: <20090224090242.40f2b26f@lappy.evolone.org>

On Tue, 24 Feb 2009 09:02:42 -0800
Michael Higgins wrote:

> I can't figure this one out.
>
> Have disallowed root login, public key auth.
>
> Have a bunch of random renaming to do on that machine though, so
> would like to point and click for a change.
>
> Is this possible? No GUI libs on the remote machine...
>
> I was thinking sshfs, but since I can't login directly as root, is
> there some other way?

I can see several solutions, as well:

1. Restrict root auth to public key and bind public key to your IP
   only ( 'from="" ssh-dss ...' in authorized_hosts, or tcp wrappers ).

2. Create login like 'somerandomuser' (you can actually use a hash
   here, if you're security-crazed) and disallow root auth from pam, not
   sshd.

3. Since it sounds like you have no need to do it repeatedly, why not
   open root and do the stuff? Provided you don't have '123' as password.

While I think security is overall a good thing, making some aspects of
it a pain in the ass is what I just can't understand in people: it may
take ages to pick the root password (provided you have the right
anti-brute daemon installed), but they will make their lives miserable
over it, while leaving the same passwords typed in the terminals and
written on paper scraps lying on the desk, not to mention a lot of more
obvious things.

-- 
Mike Kazantsev // fraggod.net
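
Added example, not part of the original message: a small Python audit for item 1 above that lists entries in an OpenSSH authorized_keys file (where sshd reads per-key options such as from=) that carry no from= source restriction. The sample file, addresses and key material are constructed placeholders, and the function names are hypothetical.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # public key type names
SAMPLE = '''\
# constructed sample; addresses and key material are placeholders
from="192.0.2.10" ssh-dss AAAAPLACEHOLDER admin@workstation
ssh-rsa AAAAPLACEHOLDER old-laptop
command="/usr/bin/rsync --server, -a .",no-pty ssh-rsa AAAAPLACEHOLDER backup
no-pty,from="192.0.2.0/24,!192.0.2.99" ssh-ed25519 AAAAPLACEHOLDER ops
'''

def split_entry(line):
    """Return (options dict, key type) for one authorized_keys entry."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):  # entry has no options field
        return {}, line.split()[0]
    fields, cur, in_quotes, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 2  # escaped quote inside a value
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:  # option separator
            fields.append(cur)
            cur = ""
        elif c.isspace() and not in_quotes:  # end of the options field
            break
        else:
            cur += c
        i += 1
    fields.append(cur)
    rest = line[i:].split()
    options = {n.lower(): v for n, _, v in (f.partition("=") for f in fields)}
    return options, (rest[0] if rest else "")

def keys_without_source_limit(text):
    """List (line number, key type) of entries lacking a from= option."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        options, key_type = split_entry(raw)
        if not options.get("from"):  # absent or empty from= counts as open
            findings.append((number, key_type))
    return findings

if __name__ == "__main__":
    for number, key_type in keys_without_source_limit(SAMPLE):
        print(f"line {number}: {key_type} key accepted from any address")
```

Commas and spaces inside quoted option values (the command= and from= entries in the sample) are why the line cannot simply be split on whitespace or commas.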