
Mailing List Archive
Re: [tlug] Making my LAN a passwordless zone
On Fri, Jul 10, 2009 at 10:20 AM, Stephen J. Turnbull <stephen@example.com> wrote:
> Doug McLean writes:
>
> > > then provide a means to escalate privileges to the system
> > > account.
>
> Note, if the phrase "system account" scares you, it should. This
> isn't the same as a system account in the sense of root, but it's
> still something that you have deliberately set loose in your system
> without direct supervision.

A restricted system account, though, in the right circumstances is a
good way to delegate certain automated tasks though. This is
contingent on good practices, though, such as use of a restricted shell,
good auditing, and minimalist privileges. These of course are good
practices in general. :) Don't want to detract from this thread
though, so I'll leave it at that (maybe another thread perhaps?)

> > Almost forgot to suggest. When you do set up your keys, scripts and so
> > on, it's a good idea to use a minimalist ssh command to prevent abuse
> > by other folks.
> >
> > Something like:
> >
> > ssh -2 -x (destination)
>
> More important than this is configuring your authorized_keys file. If
> you have an extremely frequent use case such as starting a music
> player, you can do this in authorized_keys:

If performing a specific task only, setting up commands like that in
authorized_keys is a great idea, but if for some reason a person needs
more flexibility or interactive setup, that might not be appropriate.
But folks can probably decide for themselves what's appropriate and
what isn't. Great suggestion in any case.

> so don't copy that verbatim, or you'll find yourself listening to a
> ghastly mix of John Mellencamp and Pizzicato Five. ;-)
>
> > Doug "Remembering to write below the quote ;)" McLean
>
> In this case, you could have just omitted the quote.

That was self-deprecating humor, in reference to an earlier mistake I
made in this same thread.

--
Doug McLean
Blog: http://nihonshukyo.wordpress.com/
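
Added example, not part of the original message or thread: a small auditor for an authorized_keys file that reports which keys are tied to a single forced command and which still allow forwarding or a PTY, the trade-off discussed above. The sample entries, the /usr/local/bin/start-music path and the key blobs are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
LIMITS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
# name, optional ="value" (value may contain \" escapes), optional trailing comma
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?,?')

def parse_entry(line):
    """Split one authorized_keys line into (options, key type, comment)."""
    line, opts, pos = line.strip(), {}, 0
    if not line.startswith(KEY_TYPES):
        # Leading options field: comma-separated, ends at first unquoted space.
        while pos < len(line) and not line[pos].isspace():
            m = OPTION.match(line, pos)
            if not m:
                raise ValueError("malformed options: " + line[:40])
            opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
            pos = m.end()
    fields = line[pos:].split(None, 2)
    if len(fields) < 2:
        raise ValueError("missing key type or key data: " + line[:40])
    return opts, fields[0], fields[2] if len(fields) > 2 else ""

def audit(text):
    """Return [(comment, findings)] for keys that are not tied to one task."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, _key_type, comment = parse_entry(line)
        findings = []
        if "command" not in opts:
            findings.append("no forced command")
        # "restrict" turns off forwarding and PTY allocation in one option.
        missing = set() if "restrict" in opts else LIMITS - set(opts)
        if missing:
            findings.append("allows: " + ", ".join(sorted(m[3:] for m in missing)))
        if findings:
            report.append((comment, findings))
    return report

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = r'''
command="/usr/local/bin/start-music",restrict ssh-ed25519 AAAAplaceholder1 music-remote
command="echo \"hi, there\"",no-pty ssh-ed25519 AAAAplaceholder2 greeter
ssh-rsa AAAAplaceholder3 laptop
'''

if __name__ == "__main__":
    for comment, findings in audit(SAMPLE):
        print(comment, "->", "; ".join(findings))
```

The check does not account for options such as pty or port-forwarding placed after restrict, which re-enable individual features.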