[lug] Looking for best way to avoid scripting password

David L. Anselmi anselmi at anselmi.us
Sat Apr 4 10:55:49 MDT 2009

Chip Atkinson wrote:
> On the remote host, I start an sshd with a different sshd_config that
> allows root logins.  This sshd listens on a different port that is not
> open on the firewall.
> The only problem is that I need to sudo /usr/sbin/sshd.

Could you have root run that at boot (via an /etc/init.d script) and 
just leave it up?

Is it really useful to do something that convoluted in the first place?

If you don't use a password you need a key to ssh in and then root's 
key, right?  Vs. if you let root log in in the first place you only need 
root's key.  Both (private) keys are on the same system so a compromise 
there is bad whether there are one key or two.

It seems like this is just a bit of indirection, so security through 
obscurity.  Or maybe I'm not comprehending yet.

I'll have to think about it some more.  What risk is the second sshd 
intended to mitigate?  Does it?  Is that risk real?  Is there something 
(port knocking pops into my head) that mitigates an actual, rather than 
perceived, risk?

Sorry, I'm in a bad place to think at the moment.


More information about the LUG mailing list