Ok, so I have the following happening on my RHEL/OL7 System:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Fine, I get it, SSHD is blocking ssh access to any account (specifically Root) not over UID 1000.
I also get it that it's a BAD idea to allow direct login to root from off box as it allows brute force password attempts, I'm all there with this.
Here's the simple conundrum I want to solve without breaking the security and "bad ideaness" of the above:
I have a file in /root that needs to get to /root on another box. How does that happen?
scp -r root@<box>:~/<dir>/* .
Fails miserably due to the login block so how exactly, in today's security world, am I expected to get files moved from one root home directory to another?
Do I have to setup/tear down a public / private key every time I want to copy a file?
I'm sure there's a simple solution that I'm just overlooking.
It is possible to turn on root ssh access for only specific hosts using pam, so that two servers could ssh into each other as root but no other machines could: http://serverfault.com/questions/897...ne-ip-hostname
Alternatively, you could scp the file from root on machine 1 to your regular user account on machine 2, then change the ownership and move it to /root in a second step.
Last edited by suicidaleggroll; 03-07-2016 at 04:09 PM.
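The second approach in the reply above, done as two explicit steps on the receiving box, as an added example that is not part of the thread. It assumes GNU coreutils (install, stat -c '%a') and that the receiving user is allowed to run install through sudo; the scp from the sending box into the staging directory is the sender's step and appears only in a comment. Path and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Two-step transfer of a root-owned file
# when direct root ssh is blocked: stage under an unprivileged account, then
# promote into /root with sudo. Assumes GNU coreutils (install, stat -c).
set -eu

# Step 1 (receiving box, unprivileged user): create a staging directory that
# only this user can enter, so the file is never world-readable while it waits.
# The sender then runs, from the box that holds the file:
#   scp /root/secret.conf user@receiver:~/staging/
make_staging() {
  dir="$1"
  mkdir -p -m 700 "$dir"
  chmod 700 "$dir"        # also tightens a staging dir that already existed
  printf '%s\n' "$dir"
}

# Confirm a file ends up private (mode 600); the check a practitioner wants
# before trusting the result.
verify_private() {
  mode=$(stat -c '%a' "$1")
  [ "$mode" = "600" ]
}

# Step 2 (receiving box, normally via sudo): copy the staged file to its final
# place with ownership and mode set in one step, then remove the staged copy.
# Owner/group are optional so the function also runs unprivileged; with sudo,
# pass "root root" so the file lands as root:root 600.
promote_to_root() {
  src="$1"; dest="$2"; owner="${3:-}"; group="${4:-}"
  set -- -m 600
  [ -n "$owner" ] && set -- "$@" -o "$owner"
  [ -n "$group" ] && set -- "$@" -g "$group"
  install "$@" "$src" "$dest"
  rm -f "$src"
  verify_private "$dest"
}

# Stand-alone usage (constructed names):
#   sh transfer.sh stage "$HOME/staging"
#   sudo sh transfer.sh promote "$HOME/staging/secret.conf" /root/secret.conf root root
case "${1:-}" in
  stage)   make_staging "$2" ;;
  promote) promote_to_root "$2" "$3" "${4:-}" "${5:-}" ;;
esac
```

Because install sets mode and ownership before the file is visible at its destination, there is no window in which the copy sits in /root with the staging user's permissions; the rm afterwards is what closes the temporary hole the follow-up post worries about.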
I was afraid this was the conversation we were going to get into.
I'm a sysadmin for a Fortune 350; I maintain something along the lines of 500 servers at this point, of which about 150 have been moved to OL7. At any point, any of these servers may need to move a root-owned file from one box to another box.
Administration tasks and programs (like Ansible) seem to understand the SUDO methodology for administration...that's become the new norm, but not for file migration (there is no such thing as SCP SUDO).
Not that this is my specific use case, but let's talk about this theoretically for a few moments:
* Say I have a file with secure information in it that I need to keep secure. The file exists on a box with other users present.
* I need to move that file to another box, again, into another secured location.
* The current location the file resides is owned 700 by root. This is a secure location because the default permissions on the location are such that ONLY the root user has access to that location.
* The location I need to move the file to (again, a box with other users present) is also owned 700 by root.
SSH handles the migration of the file "in transit" so that the information is not being passed in the clear.
However, I do not think, given the information in the original post, that there is a solution to this problem.
By removing access to log in as root, I am now REQUIRED to jump through hurdles by mocking up a non-root user on the box, setting locked permissions on a DIFFERENT location, copying the file to that new location, logging in to the new user from root on the second box and copying the file via SCP. I then need to tear down that infrastructure to not leave ANOTHER hole open on the system.
If that file needs to go to 500 boxes, what's my solution?
People MUCH smarter than me must have realized this is a rather large problem already...what easy method am I missing to solve this? There's got to be one.
I recently had the same error ssh'ing as root to a centos7 computer. Turned out I'd done some yum updates but never took care of the .rpmnew sshd_config file. I merged the active old /etc/sshd_config with the new sshd_config.rpmnew , restarted sshd and problem solved.