If I am doing ssh to Linux box and run the few heavy GUI application then I have [SOLVED] ssh uses remote machine's hardware or local machine's hardware Welcome to the most active Linux Forum on the web. Each Host defines the start of a new host section. Hostname is the target hostname or IP address of that host. User is what you would provide as the user part in ssh user@hostname. ProxyCommand will be used as the pipe to the target machine.
Sono l’autore di - Come ottenere tutto quello che vuoi e molto prima di quanto pensi, - Come vivere la migliore versione di se stessi e - Come essere produttivi nell’era delle distrazioni. Sono il Fondatore e Direttore della piattaforma per lo sviluppo e la crescita personale e professionale.
Sono impegnato a sostenere le persone che credono di poter cambiare in meglio la prospettiva esistenziale e vincere. Se ti senti un naufrago e cerchi il modo per tornare a riva e ricominciare, se sei pronto per progettare e iniziare un nuovo ciclo esistenziale, sei approdato nel luogo giusto. Totale Iscritti.
I've got a few boxes all networked together on Amazon EC2, each of which are in automated communication with each other via SSH (rsync, etc). As such, I've created SSH keys on each of these machines to allow them to SSH into each other without requiring a password. Likewise, my personal account is key-based and passwordless as well. To the best of my knowledge, I've secured SSH appropriately using the well-documented methods. Under this configuration, I notice that I don't have to provide a password to use sudo. If I try to su root, I get nowhere, because root doesn't have a password.
However, if I run a sudo -i, I am asked for no password, and am immediately granted root. That worries me a bit. So, two questions:. Should this worry me, or am I being too paranoid?. Is it possible to set a sudo password when using key-based SSH authentication? Several of these boxes are web servers, and are hosting web applications of what I fear to be dubious quality.
(I didn't write them, so they're dubious!) I've got Apache and the permissions on the servers configured such that a very unprivileged user (www-data) is serving the files, but my fear is that - somehow - an attacker could compromise a web application, escalate privileges to a more privileged user, and then simply sudo -i to root. I'm not aware of a vulnerability in my software that would allow www-data to escalate its privileges, but I would prefer having a password in place to use sudo were that somehow to happen. Also, for the record: I did try to set a password by logging in via SSH and then running passwd, but it threw an error. I don't remember the exact phrasing, but it was something about a 'token'.
Either way, the password didn't stick, which makes me think I'm misunderstanding something at a fundamental level here. Any illumination on the subject would be very much appreciated. Update: 7 December 2011 - Thanks for the thoughtful explanations, all. It does in fact seem like the issue lies in /etc/sudoers. Thanks for pointing me in that direction. I figured I'd document this for the sake of completing the discussion. When I looked into /etc/sudoers, I encountered the following lines: # ubuntu user is default user in ec2-images.
# It needs passwordless sudo functionality. Ubuntu ALL=(ALL) NOPASSWD:ALL I am, in fact, using the ubuntu user for my privileged operations (though, again, the webserver is only running as www-data), so I guess that explains the issue I was having. If anyone wants to follow up with a guess why the ubuntu user needs passwordless sudo functionality, I'd love to hear it. Otherwise, at least for the time being, I think I'll let good enough alone and leave the configuration as-is. I don't want to break a working system while trying to preemptively solve a non-existent problem. Thanks again for lending your time and expertise. The reason you're not being prompted for a sudo password is because your user (or usergroup) has NOPASSWD enabled in /etc/sudoers.
Is It Possible To Ssh To The Xhyve Machine Free
You can edit this file with visudo as root. Regarding passwordless authentication, you are correct that public key authentication is a preferred method for authenticating to servers. If there is no password to guess, then no brute force attempt can succeed. The fact that you have no root password at all violates some best practices, but as you correctly stated, if a key is required to get into the box, it is probably alright. Having a root password might encourage you to use SSH to login as root, which should be disabled in your sshdconfig. The only question I have relates to one of your last paragraphs: Also, for the record: I did try to set a password by logging in via SSH and then running passwd, but it threw an error.
I don't remember the exact phrasing, but it was something about a 'token'. Either way, the password didn't stick, which makes me think I'm misunderstanding something at a fundamental level here.
You were unable to set a password while sudo'd to root? Or just as a regular user? Having public key authentication in place shouldn't stop you from setting a userspace password, nor a root password. It looks like you might be encountering, so hopefully that will help a bit. I hope I answered the security side of your question; feel free to add a comment or followup if you need more information!
You can set a password to root while you have SSH key-auth enabled. In Ubuntu disrto for example root account is 'disabled'. You can sudo to the account that was created during the installation, which will run with root privilege.
If you run www-data$sudo -i you should get the following message: www-data is not in the sudoers file. This incident will be reported. What dshaw mentioned is usually disabled in Ubuntu #%sudo ALL=NOPASSWD: ALL So it's good to check it out as you shouldn't be able to run sudo -i and get root without entering a password.
Hope this helps.