Disabling ssh as root on Linux boxes and the challenges of writing scripts
It's a common suggestion from security-minded people to disable ssh as root on Linux boxes. My question is this:
Let's say you normally write lots of scripts which ssh to a large number of Linux boxes and perform various root-level tasks. If you disable ssh as root, how do you go about your daily maintenance that requires root privileges?
Of course, sudo is an option, but then you have to type your password each time you run a command. What if your scripts perform a variety of tasks? What if you have to run that script against a large number of hosts?
Of course, you could set the NOPASSWD parameter, but isn't that a security risk?
Just musing here. Want to get the community's feedback. I'm looking for a relatively secure way to ssh to Linux boxes and perform root-level tasks.
There are many things you can do. This is a partial list:
If the script really must run periodically, put it in crontab, and stop running it manually.
Use a system such as MCollective (related to, but not quite exactly part of puppet) to run commands remotely on large numbers of machines at once.
Use ssh keys to permit root logins from specific users. This carries an audit risk, in that the person who logged in may not be logged, so it's really only appropriate for very small installations.
In /etc/sudoers specify only the specific scripts that can be run without a password; anything else would require a password.
If you regularly "write script to run tasks as root over ssh", you should seriously consider setting up Puppet/Chef/CFEngine/Ansible/Salt/Rundeck.
You don't have to type the password each and every time: if you run sudo again within a relatively short time, you don't have to type it. If longer tasks are needed, one can run sudo -s to get a root shell.
A benefit of using sudo for this over direct ssh as root is that a) you don't have to share a root password among multiple people and b) you can read logs to figure out who sudo'ed. This might not be necessary as long as you are alone, but that might change.
If there are a few specific commands that you need to execute, you can set up sudo (via the /etc/sudoers file) to allow a particular list of users (and/or groups) to execute those commands without a password.
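An added example, not taken from any of the answers above, of the sudoers approach the first and last answers describe: the blanket NOPASSWD rule the question worries about, beside a rule limited to one specific maintenance script. The group name "maint", the script path /usr/local/sbin/rotate-app-logs, the host names and the drop-in file name are all assumptions made up for this example.

```sudoers
# /etc/sudoers.d/maintenance   (assumed file name; names below are invented)
# Check the syntax before relying on it:  visudo -cf /etc/sudoers.d/maintenance

# WEAK: every member of "maint" gets unrestricted root without a password.
# "sudo -i", "sudo bash" and "sudo vi /etc/shadow" all succeed silently.
# %maint ALL=(root) NOPASSWD: ALL

# RESTRICTED: only the listed script, with exactly the listed arguments,
# runs password-less. A command listed without arguments would match any
# arguments, so the arguments are spelled out here on purpose.
Cmnd_Alias LOGROTATE = /usr/local/sbin/rotate-app-logs --all, \
                       /usr/local/sbin/rotate-app-logs --dry-run
Host_Alias WEBFARM   = web01, web02, web03

# Scripts run over "ssh host sudo ..." have no terminal; make sure sudo
# does not refuse them on systems where requiretty is on by default.
Defaults:%maint !requiretty

# Log who ran what (and, with log_input/log_output, what they typed and saw).
Defaults logfile=/var/log/sudo.log, log_input, log_output

# Password-less: only the aliased script, only on the web farm.
%maint WEBFARM = (root) NOPASSWD: LOGROTATE

# Still allowed, but the user's own password is asked and the run is logged.
%maint ALL = (root) /usr/bin/systemctl restart app-worker.service
```

Keep the script itself owned by root and not writable by the "maint" users: a NOPASSWD rule on a script the caller can edit is equivalent to NOPASSWD: ALL.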