I have five devices on my network that are running Leap 15.4. When it is time to do updates on them (usually weekly) I open 5 instances of Konsole and use ssh to connect to the other four and do zypper up on each one, at the same time. I realize this puts a strain on my internet connection but my ISP has no problem with this so neither do I. My usual policy is, as I said, to connect to each of the remote devices using ssh as a user account on each of the remote devices, then become root (su -) and then do zypper up.
My question (finally) is: Is there any security risk involved connecting as root? Or should I connect using a user account and becoming root as I have been doing? Connecting as root would certainly save myself a bunch of keystrokes but I am thinking of the command “Thou shalt never log in as root!”. Does that apply to this situation?
I have not done this for many years
But when I did
I went as a normal user, ssh to the remote machine
Once there you become su -
to apply the updates. You are in effect now a konsole in the remote machine.
Are you saying. You become root before you ssh the remote machine?
I never did that
I wouldn’t expect that would give you root control on the remote machine, surely you would need to become root there also.
Huh. When I wrote it, I understood it completely! rotfl!
Let me try again.
My usual procedure:
[FONT=monospace]bart@ASU-X99:~> ssh bart@server
Password:
Last login: Sat Oct 22 19:48:11 2022 from 10.118.10.5
Have a lot of fun...
bart@DEL-OSS:~> su -
Password:
**DEL-OSS:~ #** zypper up
[/FONT]
My proposed procedure:
bart@ASU-X99:~> ssh root@server
Password:
Last login: Sat Oct 22 19:49:25 2022 from 10.118.10.5
Have a lot of fun...
**DEL-OSS:~ #** zypper up
In other words, logging into the server as root instead of a user.
I’m wondering if there are any security implications if I did this.
By the way, you said you USED to do it this way. Is there a better way of doing this I should be using?
No keystrokes needed. ssh supports passwordless authentication. You may allow root login but turn off password authentication:
**6700K:~ #** cat /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication no
**6700K:~ #**
With the above duping a remote host is easy:
**6700K:~ #** ssh erlangen zypper dup
Loading repository data...
Reading installed packages...
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command.
Computing distribution upgrade...
Nothing to do.
**6700K:~ #**
My question (finally) is: Is there any security risk involved connecting as root? Or should I connect using a user account and becoming root as I have been doing? Connecting as root would certainly save myself a bunch of keystrokes but I am thinking of the command “Thou shalt never log in as root!”. Does that apply to this situation?
As Karl wrote, use keys, the ~/.ssh/ssh/config for short Names of the Servers.
Use as User:
ssh-keygen
without Passphrase to get an key for login without Password
ssh-copy-id
to copy it to the the Server
Now disable PasswordAuthentication in /etc/sshd/sshd_config on the Server.
grep -i passwordauth /etc/ssh/sshd_config
PasswordAuthentication no
You can use ~/.ssh/config for short names of your Server:
stephan@linux64:~> cat .ssh/config
Host raspi
Hostname 192.168.0.202
Port 22
User pi
stephan@linux64:~> ssh raspi
Please note that SSH may not work until a valid user has been set up.
See http://rptl.io/newuser for details.
Linux raspi 5.15.61+ #1579 Fri Aug 26 11:08:59 BST 2022 armv6l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep 16 11:45:38 2022 from 192.168.0.2
pi@raspi:~ $
But my real question is: Is it less secure to ssh into a device as root than it is to ssh into a device as a user and then become root.
I know I can set up the config file to log in as either a user or root, depending on where I locate the public key on the server and the settings in the config file. But is there a security risk with using root?
Two different locks won’t be more secure than a single one if they are bypassed.
“If you really want to allow root logins, the following server configuration example shows how to configure the server to accept only public-key authentication (Section 23.6, “Public key authentication”) for the root user.”
I have not read all the advice above, thus there can be some very good things there, but this is what I do and would recommend. This is from my KDE session as henk. I first change to my system manager user mgi because that is the one I have on all the systems I manage (henk is for my personal work, banking, e-mail, browsing, the forums, …) and that is the one that is configured for the SSH connection.
henk@boven:~> su - mgi ; exit
Password:
mgi@boven:~> ssh beneden ; exit
Password:
Last login: Mon Sep 5 14:17:51 2022 from 10.0.0.154
Have a lot of fun...
mgi@beneden:~> su - ; exit
Password:
beneden:~ #
The exits are there to make stopping more spectacular , just one exit for root and the konsole window closes.
“Because SSH has been commonly used for over a decade with little oversight, organizations can have hundreds of thousands of valid SSH keys with no insight into where these SSH keys live, what trusts exist between key pairs or who has access to the keys. Without any control over these keys, it can be easy for an attacker to compromise an SSH key and use it to gain persistent access to critical systems – without raising any red flags. Worse, when organizations take proactive steps to control password-based access to privileged accounts on Unix and Linux systems, SSH key-based access can be used to bypass these privileged account management controls. As a result, organizations can be left with an increased risk of attack using SSH keys and little, if any, ability to detect a key compromise.”
I reiterate: No it’s not really harmful if you know how to manage a server properly.
Hi Bart
I’m assuming this is a internal network, all connected to a router running a firewall and no external ssh access? If so you should be fine, You could always just look at using wireguard and create point to point connections?
Use the likes of cockpit to manage (I use it for my MicroOS systems).
I have a similar situation. I ssh as root to each machine, no worries about that. Remember, you are NOT in the GUI, but in the CLI, where you are MUCH safer. Also, because you are within your internal network, and I would bet you are behind a router/router-modem, you have plenty of firewall with that router and with your Firewall running on each machine. SSH is secure, as I am sure you know, so anything in your internal network can’t do “man in the middle”.