Auditors want more security with root-to-root access via ssh keys

I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE admin server is set up in the following manner:

1) Remote root access is turned off in the sshd_config file.

2) I am the only user of this admin server.

3) My user account is not allowed sudo access, so I must use su and know the root password.

4) ssh keys are set up to the remote servers' root accounts.

What I need, in order to satisfy the auditors, is a password being required when I use ssh. However, the ssh passphrase will not work, since it will require a login password at each server. I need something that will require a password once, so I can write a script to hit all servers without having to enter a password at each server the script hits.

Any ideas? Thanks in advance.

Have a look at ssh-agent; it might provide just what you need.

So, you have explicitly disabled direct root logins -- then banned the other safe automatic login tool. Do you truly need root?

If you allowed direct root login, you could create an ssh key that has its own password, so you must provide the password to your ssh client to use the key. And you could use ssh-agent to hold the key around temporarily for convenience (or not, to just be asked for the password every time.)

If you allowed sudo instead, you could disable direct root logins and use the same scheme to log in to a non-root account with sudo access. It could be a special account for this purpose and no other, so you could flag it and only it in sudoers. This is what I do.

I have this in my ~/.bashrc

# If ssh-agent variables are already set (inherited from a parent shell)
# and the PID is still alive, no further work is needed.
[ ! -z "${SSH_AGENT_PID}" ]             &&
        [ -d "/proc/${SSH_AGENT_PID}" ] &&
        return

# Called on shell exit.  The exclusive lock only succeeds once every other
# shell has released its shared lock, i.e. when this is the last session.
function ssh_agent_kill
{
        [ -z "$SSH_AGENT_PID" ] && return

        if flock -w 0 -x 200
        then
                echo "We are the last.  Killing $SSH_AGENT_PID"
                kill "$SSH_AGENT_PID" ||
                        echo "WARNING, ssh-agent $SSH_AGENT_PID not killed" >&2
                : > ~/.ssh-agent
                chmod 600 ~/.ssh-agent
                flock -u 200
        fi
}

# State file holding the agent's environment (one fixed name throughout).
[ ! -f ~/.ssh-agent ] && touch ~/.ssh-agent && chmod 600 ~/.ssh-agent

# Open the file on fd 200 so we can play with locks
exec 200<~/.ssh-agent

NEW_AGENT=0

# First shell in: the exclusive lock succeeds, so start a fresh agent.
if flock -w 1 -x 200
then
        echo "Creating new ssh-agent instance" >&2
        : > ~/.ssh-agent
        chmod 600 ~/.ssh-agent
        ssh-agent -s > ~/.ssh-agent
        NEW_AGENT=1
fi

# Make it a shared lock, to signify it is readable
if ! flock -w 1 -s 200
then
        echo "We cannot share-lock" >&2
        return 2>/dev/null || exit 1
fi

source ~/.ssh-agent

# Another shell started the agent but it has since died (hard-kill?).
# The check has to come after sourcing, or SSH_AGENT_PID is still empty.
if [ -n "${SSH_AGENT_PID}" ] && [ ! -d "/proc/${SSH_AGENT_PID}" ]
then
        cat <<EOF >&2
PID ${SSH_AGENT_PID} no longer exists, but you still have sessions open.
Please close these sessions, then source ~/.bashrc again to create a new
instance.
EOF
fi

# Only the shell that created the agent loads the keys (one passphrase prompt).
[ "${NEW_AGENT}" = 1 ] && ssh-add

trap "ssh_agent_kill" EXIT

So when I log in to my local account, it loads ssh-agent, which adds my keys (asking once for my passwords). Further simultaneous logins do not get asked.

If my shell sessions are hard-killed for some reason, that might leave ssh-agent hanging, so I added this to my own (not root's!) crontab:

0 1 * * *       /usr/bin/killall ssh-agent ; true

...which means in the morning I log in, ssh-agent loads my keys for the duration of the workday, and I can 'ssh -t servername exec sudo bash' to get passwordless root prompts if I really need to.

At the end of the day, the last logout kills ssh-agent automatically. And if it should happen to be missed because of a hard-kill or other problem, it will be killed automatically at 1am.

I have only disabled remote root login from my admin server. All the servers I access from my admin server still have remote login turned on. However, security is asking that I disable all remote root logins.


I am not familiar with ssh-agent. I will take a look at that. Thanks.

You should disable all remote root logins, including your access to your admin server. All root access should only be at the local terminal, a secure terminal server, or through su/sudo. Root logins at the terminal or terminal server should only be for emergencies (i.e., recovering a server that is not booting) and not done as standard practice, so everybody gets used to su/sudo, which gets logged. Auditors like logs.

BTW, you can still run remote commands with ssh keys with that setup -- you just cannot log in directly as root.
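As an added example that is not part of this thread or anyone's posted setup, the following shell helpers put the scheme from the two answers above (a dedicated non-root account with a passphrase-protected key in ssh-agent, sudo on the target, and PermitRootLogin off everywhere) into concrete, checkable pieces. The account name sshadmin, the admin server address 10.0.0.5 and the sshd_config fragments in the comments are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Helpers for the "dedicated sudo account +
# passphrase-protected key + ssh-agent" scheme. The account name "sshadmin" and
# the admin server address 10.0.0.5 are assumed names for illustration.
set -u

# Report the effective global PermitRootLogin value of an sshd_config read from
# stdin. sshd honours the FIRST occurrence of a keyword, so a "PermitRootLogin no"
# appended by a hardening script is ignored if an earlier "yes" survives above it.
# Only the global section (before the first Match block) is scanned; prints
# "unset" when the keyword is absent there, in which case the build default
# applies ("yes" on old OpenSSH, "prohibit-password" since 7.0), so treat
# "unset" as not hardened. On a live host, "sshd -T | grep -i permitrootlogin"
# gives the daemon's own answer.
effective_permit_root_login() {
    awk '
        BEGIN { val = "unset" }
        {
            line = $0
            sub(/#.*/, "", line)        # strip comments
            gsub(/=/, " ", line)        # "Keyword = value" is also legal syntax
            n = split(line, f)
            if (n == 0) next
            kw = tolower(f[1])
            if (kw == "match") exit     # end of the global section
            if (kw == "permitrootlogin" && n >= 2 && val == "unset") val = tolower(f[2])
        }
        END { print val }
    '
}

# authorized_keys line for the dedicated account: the key is only usable from the
# admin server and cannot forward ports, X11 or the agent, so a stolen copy is
# worthless elsewhere. $1 = admin server address/pattern, $2 = public key line.
restricted_authorized_key() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# sudoers drop-in (e.g. /etc/sudoers.d/sshadmin, checked with visudo -cf) for
# that account only. NOPASSWD is what lets a single passphrase, typed once into
# ssh-agent, drive a script across all hosts; every sudo call is still logged on
# the target via syslog, which is the trail the auditors want.
sudoers_entry() {
    printf '%s ALL=(root) NOPASSWD: ALL\n' "$1"
}

# Run a command as root on every host in $1 (one per line) through the dedicated
# account. BatchMode=yes makes ssh fail instead of prompting, so a missing or
# expired agent shows up as an error rather than a hang halfway through the
# list; sudo -n does the same for the sudo step. Not exercised offline.
fanout() {
    hosts_file=$1
    shift
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        ssh -o BatchMode=yes -o ConnectTimeout=10 "sshadmin@$host" \
            sudo -n -- "$@" || echo "FAILED: $host" >&2
    done < "$hosts_file"
}

# Typical use, after "ssh-add" has taken the passphrase once:
#   fanout hosts.txt 'sshd -T | grep -i permitrootlogin'
```

The first-match rule is the one that bites in practice: appending `PermitRootLogin no` to a file that already says `yes` near the top changes nothing, which is why the audit check should read the daemon's effective value (`sshd -T`) rather than grep for the line you added.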

Yes, that is where we are headed.