How to add root to the ssh users
The setup is as follows: a normal user can run a command to sync /usr/local hierarchies via sudo. The way this is set up:
- enable root on the server
- change sshd_config so root can log in for forced commands only (PermitRootLogin forced-commands-only)
- have a ~root/.ssh/authorized_keys file with contents like
    command="rsync --server --daemon .",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss [key removed] client@clientsystem
- set up /etc/rsyncd.conf with
    [localstuff]
    path = /usr/local
    comment = whole /usr/local tree
    hosts allow = [ip addresses of local hosts that may do this]
    hosts deny = *
    uid = root
    gid = staff
    read only = no
Then, on the client, the user runs (to sync /usr/local/src to the server):
    sudo /usr/bin/rsync --rsync-path=/usr/bin/rsync -E --progress -avu --dry-run \
    -e "ssh -v -v -i /Users/client/.ssh/rsync-private-key -l root" \
    /usr/local/src/ \
    server::localstuff/src/
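The double colon in server::localstuff together with -e ssh makes rsync speak its daemon protocol over the ssh session, which is exactly what the forced command rsync --server --daemon . serves, so everything the client can do is bounded by the key's options and by the module definition. The script below is an added example, not code from the original post or from rsync or OpenSSH: it parses an authorized_keys file and an rsyncd.conf and reports the settings that matter for such a root key (a missing forced command or restriction option, a DSA key, a writable module running as root, a module without hosts allow). The sample file contents are constructed, key bodies are placeholders, the addresses come from the 192.0.2.0/24 documentation range, and the defaults applied for absent parameters (read only = yes, uid = nobody) are rsync's documented defaults.

```python
"""Audit the two files a forced-command root rsync setup depends on.
Added example; all sample contents below are constructed."""

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")
# Restrictions the post puts on root's key; every key in ~root/.ssh/authorized_keys should carry them.
REQUIRED_OPTS = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}


def split_options(text):
    """Split an authorized_keys options field on commas that are outside double quotes."""
    opts, cur, in_quote = [], [], False
    for c in text:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    if cur:
        opts.append("".join(cur))
    return opts


def parse_authorized_key(line):
    """Return {options, keytype, key, comment} for one line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        opts_text, rest = "", line
    else:
        # The options field ends at the first whitespace outside quotes (command="..." has spaces).
        in_quote, i = False, 0
        while i < len(line):
            c = line[i]
            if c == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        opts_text, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    return {"options": split_options(opts_text), "keytype": parts[0],
            "key": parts[1] if len(parts) > 1 else "",
            "comment": parts[2] if len(parts) > 2 else ""}


def audit_key_line(line):
    """List the problems with one authorized_keys entry (empty list = fine)."""
    entry = parse_authorized_key(line)
    if entry is None:
        return []
    names = {o.split("=", 1)[0].strip().lower() for o in entry["options"]}
    problems = []
    if "command" not in names:
        problems.append("no forced command: key gives an unrestricted shell")
    problems += ["missing " + o for o in sorted(REQUIRED_OPTS - names)]
    if entry["keytype"] == "ssh-dss":
        problems.append("ssh-dss key: 1024-bit DSA, refused by default since OpenSSH 7.0")
    return problems


def parse_rsyncd_conf(text):
    """Minimal rsyncd.conf reader: returns (global_params, {module: params})."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (modules[current] if current else global_params)[key.lower()] = value
    return global_params, modules


def audit_module(params, global_params):
    """List risky settings of one module, using rsync's defaults (read only = yes, uid = nobody)."""
    merged = dict(global_params)
    merged.update(params)
    problems = []
    writable = merged.get("read only", "yes").lower() in ("no", "false", "0")
    if writable and merged.get("uid", "nobody").lower() == "root":
        problems.append("writable module runs as root: the client key is root write "
                        "access to everything under " + merged.get("path", "<unset>"))
    if "hosts allow" not in merged:
        problems.append("no 'hosts allow': any host reaching the daemon is accepted")
    return problems


# Constructed samples: the post's setup (placeholder key body) plus an unrestricted second key.
SAMPLE_AUTHORIZED_KEYS = """\
command="rsync --server --daemon .",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER client@clientsystem
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER admin@laptop
"""
SAMPLE_RSYNCD_CONF = """\
[localstuff]
path = /usr/local
comment = whole /usr/local tree
hosts allow = 192.0.2.10 192.0.2.11
hosts deny = *
uid = root
gid = staff
read only = no
"""


def audit_all(authorized_keys=SAMPLE_AUTHORIZED_KEYS, rsyncd_conf=SAMPLE_RSYNCD_CONF):
    """Return {'keys': {comment: problems}, 'modules': {name: problems}} for both files."""
    keys = {}
    for line in authorized_keys.splitlines():
        entry = parse_authorized_key(line)
        if entry:
            keys[entry["comment"]] = audit_key_line(line)
    global_params, modules = parse_rsyncd_conf(rsyncd_conf)
    return {"keys": keys,
            "modules": {n: audit_module(p, global_params) for n, p in modules.items()}}
```

Run on the samples, the post's own key passes every option check and is flagged only for being ssh-dss, while the localstuff module is reported as a writable root module: with read only = no and uid = root, whoever holds the client's private key can write anything under path as root, so the key file and the sudo rule around it deserve the same protection as a root password.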
After the first sudo, however, I get three requests for a password, after which the command fails. This used to work. The three failed attempts do not give a lot of information about what is causing this.
While writing this, however, I thought of the solution. I had also limited ssh access to my server (in System Preferences) to a few users, and hence root could not ssh into my server at all (ssh and rsync are not really helpful with their error messages).
I solved this (making root ssh-able) by adding the group com.apple.access_ssh to the user System Administrator in Workgroup Manager: Local, so now root can ssh into my server (of course only using the private key, and then only running into the forced command of my rsync server).
So, I thought I'd post this for others who might run into the same thing: "how to add root to the ssh users".
Still, enabling root, opening up ssh and enabling root ssh usage must be about one of the most dangerous things to do, security-wise. However, I do need root-owned stuff in /usr/local (e.g. Package Maker maintained stuff, or stuff I want protected against normal users), so I need root to be able to sync this. I think there is no more secure way to do this, but maybe I missed options? Note: it should also work when one system is offline (e.g. a laptop), hence using mounts is out of the question. "Mobile /usr/local Sync" would be nice 😉
500Mhz G4 Cube w Radeon 9000, 120GB Seagate, 1.2GHz G4 iBook, DTK