Proper use of ssh

I have five devices on my network that are running Leap 15.4. When it is time to do updates on them (usually weekly) I open 5 instances of Konsole and use ssh to connect to the other four and do zypper up on each one, at the same time. I realize this puts a strain on my internet connection but my ISP has no problem with this so neither do I. My usual policy is, as I said, to connect to each of the remote devices using ssh as a user account on each of the remote devices, then become root (su -) and then do zypper up.

My question (finally) is: Is there any security risk involved connecting as root? Or should I connect using a user account and becoming root as I have been doing? Connecting as root would certainly save myself a bunch of keystrokes but I am thinking of the command “Thou shalt never log in as root!”. Does that apply to this situation?

Bart

I’m not sure I understand the question

I have not done this for many years
But when I did
I went as a normal user, ssh to the remote machine
Once there you become su -
to apply the updates. You are in effect now a konsole in the remote machine.

Are you saying you become root before you ssh to the remote machine?
I never did that
I wouldn’t expect that would give you root control on the remote machine, surely you would need to become root there also.

Huh. When I wrote it, I understood it completely! rotfl!

Let me try again.

My usual procedure:

bart@ASU-X99:~> ssh bart@server
Password:
Last login: Sat Oct 22 19:48:11 2022 from 10.118.10.5
Have a lot of fun...
bart@DEL-OSS:~> su -
Password:
**DEL-OSS:~ #** zypper up

My proposed procedure:

bart@ASU-X99:~> ssh root@server 
Password:  
Last login: Sat Oct 22 19:49:25 2022 from 10.118.10.5 
Have a lot of fun... 
**DEL-OSS:~ #** zypper up 

In other words, logging into the server as root instead of a user.

I’m wondering if there are any security implications if I did this.

By the way, you said you USED to do it this way. Is there a better way of doing this I should be using?

Bart

No keystrokes needed. ssh supports passwordless authentication. You may allow root login but turn off password authentication:

**6700K:~ #** cat /etc/ssh/sshd_config 
PermitRootLogin yes 
PasswordAuthentication no 
**6700K:~ #** 

With the above duping a remote host is easy:

**6700K:~ #** ssh erlangen zypper dup 
Loading repository data... 
Reading installed packages... 
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command. 
Computing distribution upgrade... 
Nothing to do. 
**6700K:~ #**
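An added example, not part of the thread and not OpenSSH's own code: a shell function that reads `sshd -T` output and reports whether root can still log in with a password, including the case where `PasswordAuthentication no` is set but PAM-backed keyboard-interactive authentication still prompts for one. The function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Classify how root may authenticate over SSH, reading `sshd -T` style
# output on stdin: one "keyword value" pair per line, defaults filled in.
root_login_posture() {
    awk '
        { v[tolower($1)] = tolower($2) }
        END {
            prl = v["permitrootlogin"]
            # Older releases print the deprecated alias for this keyword.
            kbd = v["kbdinteractiveauthentication"]
            if (kbd == "") kbd = v["challengeresponseauthentication"]
            # Password logins: plain password auth, or keyboard-interactive
            # when PAM is behind it (it then acts as a password prompt).
            pw = (v["passwordauthentication"] == "yes")
            if (kbd == "yes" && v["usepam"] == "yes") pw = 1
            if (prl == "no") print "root-disabled"
            else if (prl == "prohibit-password" || prl == "without-password") print "root-key-only"
            else if (prl == "forced-commands-only") print "root-forced-command-key"
            else if (prl == "yes" && !pw) print "root-key-only"
            else if (prl == "yes") print "root-password-allowed"
            else print "unknown"
        }'
}

# Constructed samples (not captured from any host in this thread).
sample_key_only() {      # the two settings above, keyboard-interactive off
    printf '%s\n' 'permitrootlogin yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'usepam yes'
}
sample_pam_prompt() {    # same, but keyboard-interactive left on with PAM
    printf '%s\n' 'permitrootlogin yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication yes' 'usepam yes'
}
sample_prohibit() {      # explicit key-only root, passwords for other users
    printf '%s\n' 'permitrootlogin without-password' \
        'passwordauthentication yes' 'usepam yes'
}
sample_disabled() {      # no direct root login: ssh as a user, then su -
    printf '%s\n' 'permitrootlogin no' 'passwordauthentication yes'
}

for s in sample_key_only sample_pam_prompt sample_prohibit sample_disabled; do
    printf '%-18s %s\n' "$s" "$($s | root_login_posture)"
done
```

On a real host, run `sshd -T | root_login_posture` as root to classify the effective configuration.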

My question (finally) is: Is there any security risk involved connecting as root? Or should I connect using a user account and becoming root as I have been doing? Connecting as root would certainly save myself a bunch of keystrokes but I am thinking of the command “Thou shalt never log in as root!”. Does that apply to this situation?

See man ssh, section AUTHENTICATION.

As Karl wrote, use keys, and ~/.ssh/config for short names of the servers.

Use as User:

ssh-keygen

without a passphrase to get a key for login without a password

ssh-copy-id 

to copy it to the server.

Now disable PasswordAuthentication in /etc/ssh/sshd_config on the server.

grep -i passwordauth /etc/ssh/sshd_config
PasswordAuthentication no

You can use ~/.ssh/config for short names of your servers:

stephan@linux64:~> cat .ssh/config 

Host raspi
    Hostname    192.168.0.202
    Port        22
    User        pi

stephan@linux64:~> ssh raspi
Please note that SSH may not work until a valid user has been set up.

See http://rptl.io/newuser for details.
Linux raspi 5.15.61+ #1579 Fri Aug 26 11:08:59 BST 2022 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep 16 11:45:38 2022 from 192.168.0.2
pi@raspi:~ $ 

But my real question is: Is it less secure to ssh into a device as root than it is to ssh into a device as a user and then become root?

I know I can set up the config file to log in as either a user or root, depending on where I locate the public key on the server and the settings in the config file. But is there a security risk with using root?

Bart

Risks associated with remote access do exist.

tl;dr: No it’s not really harmful if you know how to manage a server properly.

Your mileage may vary: security - Why is root login via SSH so bad that everyone advises to disable it? - Unix & Linux Stack Exchange

Is it less secure to have one lock than to have two different locks?

Two different locks won’t be more secure than a single one if they are bypassed.

“If you really want to allow root logins, the following server configuration example shows how to configure the server to accept only public-key authentication (Section 23.6, “Public key authentication”) for the root user.”

I have not read all the advice above, thus there can be some very good things there, but this is what I do and would recommend. This is from my KDE session as henk. I first change to my system manager user mgi because that is the one I have on all the systems I manage (henk is for my personal work, banking, e-mail, browsing, the forums, …) and that is the one that is configured for the SSH connection.

henk@boven:~> su - mgi ; exit
Password: 
mgi@boven:~> ssh beneden ; exit
Password: 
Last login: Mon Sep  5 14:17:51 2022 from 10.0.0.154
Have a lot of fun...
mgi@beneden:~> su - ; exit
Password: 
beneden:~ # 

The exits are there to make stopping more spectacular :wink: , just one exit for root and the konsole window closes.

So you claim that public-key authentication cannot be bypassed.

That got my attention! Where can I find the information that would prompt that statement?

That said, I believe I have my answer. I’ll set my system to disable root logins, log in as a user and do su - to get root access.

Thanks all!

Bart

Nope!

“Because SSH has been commonly used for over a decade with little oversight, organizations can have hundreds of thousands of valid SSH keys with no insight into where these SSH keys live, what trusts exist between key pairs or who has access to the keys. Without any control over these keys, it can be easy for an attacker to compromise an SSH key and use it to gain persistent access to critical systems – without raising any red flags. Worse, when organizations take proactive steps to control password-based access to privileged accounts on Unix and Linux systems, SSH key-based access can be used to bypass these privileged account management controls. As a result, organizations can be left with an increased risk of attack using SSH keys and little, if any, ability to detect a key compromise.”

I reiterate: No it’s not really harmful if you know how to manage a server properly.

Hi Bart
I’m assuming this is an internal network, all connected to a router running a firewall and no external ssh access? If so you should be fine. You could always just look at using wireguard and create point to point connections?

Use the likes of cockpit to manage (I use it for my MicroOS systems).

I guess I should have made clear that this is all on an internal network. I have no known ports open to the outside.

Thanks again.

Bart

Hi, Bart, nice to see you are still around!

I have a similar situation. I ssh as root to each machine, no worries about that. Remember, you are NOT in the GUI, but in the CLI, where you are MUCH safer. Also, because you are within your internal network, and I would bet you are behind a router/router-modem, you have plenty of firewall with that router and with your Firewall running on each machine. SSH is secure, as I am sure you know, so anything in your internal network can’t do “man in the middle”.

so, go ahead,

ssh root@xxx.xxx.xxx.xxx

in confidence.

BTW: I have been doing this safely for a-gazillion years (or is that only about 10 years? I am at the age of foggy memory :P)