* [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
@ 2009-02-24 17:02 Michael Higgins
2009-02-24 17:10 ` [gentoo-user] " Nikos Chantziaras
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Michael Higgins @ 2009-02-24 17:02 UTC
To: gentoo-user
I can't figure this one out.
Have disallowed root login, public key auth.
Have a bunch of random renaming to do on that machine though, so would like to point and click for a change.
Is this possible? No GUI libs on the remote machine...
I was thinking sshfs, but since I can't login directly as root, is there some other way?
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
* [gentoo-user] Re: OT -- superuser file manager access to remote via ssh with no root login?
From: Nikos Chantziaras @ 2009-02-24 17:10 UTC
To: gentoo-user
Michael Higgins wrote:
> I can't figure this one out.
>
> Have disallowed root login, public key auth.
>
> Have a bunch of random renaming to do on that machine though, so would like to point and click for a change.
>
> Is this possible? No GUI libs on the remote machine...
>
> I was thinking sshfs, but since I can't login directly as root, is there some other way?
Don't think there's a way. The simplest would be installing an X
filemanager on the server but don't run X only on your machine (ssh -Y).
(Btw, in case you're using KDE, you don't need sshfs. You can simply
fish:// into your server in Dolphin or Konqueror.)
* Re: [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
From: Alan McKinnon @ 2009-02-24 17:12 UTC
To: gentoo-user
On Tuesday 24 February 2009 19:02:42 Michael Higgins wrote:
> I can't figure this one out.
>
> Have disallowed root login, public key auth.
>
> Have a bunch of random renaming to do on that machine though, so would like
> to point and click for a change.
>
> Is this possible? No GUI libs on the remote machine...
>
> I was thinking sshfs, but since I can't login directly as root, is there
> some other way?
Export temporarily via nfs or samba. With nfs, remember to set no_root_squash,
which is highly unrecommended, leaving samba as actually quite decent for this
kind of thing.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
From: Paul Hartman @ 2009-02-24 19:50 UTC
To: gentoo-user
On Tue, Feb 24, 2009 at 11:02 AM, Michael Higgins <linux@evolone.org> wrote:
> I can't figure this one out.
>
> Have disallowed root login, public key auth.
>
> Have a bunch of random renaming to do on that machine though, so would like to point and click for a change.
>
> Is this possible? No GUI libs on the remote machine...
>
> I was thinking sshfs, but since I can't login directly as root, is there some other way?
I believe you can make a key to associate with one command only. So
perhaps you can allow root login, but the only root key is one that
runs scp. Then you can scp as root but no actual login as root is
possible to "normal" ssh.
* Re: [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
From: Daniel Troeder @ 2009-02-24 20:26 UTC
To: gentoo-user
On Tuesday, 24.02.2009, at 09:02 -0800, Michael Higgins wrote:
> I can't figure this one out.
>
> Have disallowed root login, public key auth.
>
> Have a bunch of random renaming to do on that machine though, so would like to point and click for a change.
>
> Is this possible? No GUI libs on the remote machine...
>
> I was thinking sshfs, but since I can't login directly as root, is there some other way?
Something like this might work:
# cp /etc/ssh/sshd_config /root/sshd_root_allow_config
Then edit /root/sshd_root_allow_config to allow root-login, to listen on
a port != 22 and to use another PID-file:
---
Port 222
PidFile /var/run/sshd_root_allow.pid
PermitRootLogin yes
---
Install app-admin/sudo and configure it so that your login-user can execute
the following two commands (maybe only these!?!):
# sudo /usr/sbin/sshd -f /root/sshd_root_allow_config
# sudo kill $(cat /var/run/sshd_root_allow.pid)
Then you can use sshfs to port 222 between the two commands as root :)
Bye,
Daniel
* Re: [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
From: Mike Kazantsev @ 2009-02-25 3:42 UTC
To: gentoo-user
On Tue, 24 Feb 2009 09:02:42 -0800
Michael Higgins <linux@evolone.org> wrote:
> I can't figure this one out.
>
> Have disallowed root login, public key auth.
>
> Have a bunch of random renaming to do on that machine though, so
> would like to point and click for a change.
>
> Is this possible? No GUI libs on the remote machine...
>
> I was thinking sshfs, but since I can't login directly as root, is
> there some other way?
I can see several solutions, as well:
1. Restrict root auth to public key and bind public key to your IP
only ( 'from="<IP>" ssh-dss ...' in authorized_hosts, or tcp wrappers ).
2. Create login like 'somerandomuser' (you can actually use a hash
here, if you're security-crazed) and disallow root auth from pam, not
sshd.
3. Since it sounds like you have no need to do it repeatedly, why not
open root and do the stuff? Provided you don't have '123' as password.
While I think security is overall a good thing, making some aspects of
it a pain in the ass is what I just can't understand in people: it may
take ages to pick the root password (provided you have the right anti-brute
daemon installed), but they will make their lives miserable over
it, while leaving the same passwords typed in the terminals and written
on paper scraps lying on the desk, not to mention a lot of more obvious
things.
--
Mike Kazantsev // fraggod.net
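
The restrictions Paul Hartman and Mike Kazantsev describe (a key tied to one command, a key bound to a source address) are the `command=` and `from=` options at the start of an entry in root's `authorized_keys`. The following is an added example, not part of the thread: a Python check that parses those options, including quoted values, and reports keys missing either one; the sample entries, key blobs and the `rename-job` path are constructed placeholders.

```python
import re
# Constructed sample: key blobs are placeholders, rename-job is a hypothetical path.
SAMPLE = '''\
ssh-ed25519 AAAAPLACEHOLDER1 root@anywhere
from="192.0.2.10" ssh-ed25519 AAAAPLACEHOLDER2 admin@workstation
command="/usr/local/bin/rename-job",from="192.0.2.10",no-pty ssh-ed25519 AAAAPLACEHOLDER3 batch
command="echo \\"a, b\\"",no-pty ssh-rsa AAAAPLACEHOLDER4 demo
'''
KEYTYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys entry."""
    if KEYTYPE.match(line):
        return {}, line  # entry starts with the key type: no options field
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf += '"'  # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not quoted:
            break  # first unquoted whitespace ends the options field
        else:
            buf += ch
        i += 1
    opts.append(buf)
    parsed = {n.lower(): v for n, _, v in (o.partition("=") for o in opts)}
    return parsed, line[i:].strip()

def audit(text):
    """Return (line number, problem) for keys lacking command= or from=."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_options(line)
        missing = [k for k in ("command", "from") if not opts.get(k)]
        if missing:
            findings.append((n, "missing " + ", ".join(missing)))
    return findings
if __name__ == "__main__":
    print(audit(SAMPLE))
```

With `PermitRootLogin forced-commands-only` in sshd_config, sshd accepts root public-key logins only for keys that carry a `command=` option.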
* Re: [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
From: Stroller @ 2009-02-25 8:50 UTC
To: gentoo-user
On 25 Feb 2009, at 03:42, Mike Kazantsev wrote:
> ...
> 3. Since it sounds like you have no need to do it repeatedly, why not
> open root and do the stuff? Provided you don't have '123' as password.
The voice of reason has entered the thread.
Stroller.
* Re: [gentoo-user] OT -- superuser file manager access to remote via ssh with no root login?
From: Michael Higgins @ 2009-02-25 17:13 UTC
To: gentoo-user
On Wed, 25 Feb 2009 08:50:00 +0000
Stroller <stroller@stellar.eclipse.co.uk> wrote:
>
> On 25 Feb 2009, at 03:42, Mike Kazantsev wrote:
> > ...
> > 3. Since it sounds like you have no need to do it repeatedly, why
> > not open root and do the stuff? Provided you don't have '123' as
> > password.
>
> The voice of reason has entered the thread.
Indeed.
Thanks to all for the helpful replies.
In the end, being on a deadline to complete this idiotic task (moving nested shared IMAP folders), I just emerged a comparatively lightweight file manager, 'pcmanfm' (as the "server" has some X libs on it) and did it via ssh with "-Y"... possibly the least secure option, but as was suggested, the easiest. '-)
Anyway, Gentoo community rocks! Some very clever proposals. Virtual beverages all around...
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org