I am configuring my first server at Linode using knife-solo. Everything is working fine, but I've just added a step by which I am disabling root login for extra security. My understanding is that whenever I add new items to my configuration I should rerun Chef to apply them instead of doing it manually, but once I lock it, that is not possible.

Which of these (or an alternative) approaches would be better:

  1. I could unlock root access at the start of my script and lock it again at the end.
  2. I could lock it as step one and do all the installation of packages, including the server (nginx in my case), as another user.
Dionysis

3 Answers


Option 2 is the best choice. I'm not a chef expert, but surely it has the ability to run privileged commands using sudo.

EEAA

PermitRootLogin is an SSH setting and should not matter if you have another user on the system, which can run sudo chef-apply to accomplish the changes.

This removes the need to modify the state of the SSH settings on every run.

The Chef Client approach assumes that it can act as a root user, and would not need to run sudo prior to each command (aka package installation).

Mike Fiedler
  • Yes indeed. That is what I am doing. I thought it inconsistent to run everything as root the first time I set up the server and from then on rerun as the user. My understanding of permissions is a bit flaky (I am reading on it!), so I am not sure if I am creating duplicated processes/package installations in this way or otherwise messing up permissions? – Dionysis Oct 16 '16 at 15:56
  • Running something as root and logging in via SSH as root are two entirely different things. Which one are you trying to prevent? Your question indicated SSH – Mike Fiedler Oct 16 '16 at 23:11
  • I was running everything as root but then I locked root access through SSH and I therefore have to (from now on) run chef as user. I was just wondering if that will have any negative consequences. – Dionysis Oct 17 '16 at 00:22
  • You can still run Chef as a user with `sudo` without needing to log in as root via SSH. Running Chef as a non-root user is likely to have unexpected results. – Mike Fiedler Oct 17 '16 at 21:58

An alternative you might consider is using public/private keypairs for SSH login rather than a password.

Once this is established, you could use `PermitRootLogin without-password` within your SSH server configuration. This way, your root account is secure from password brute forcing, yet you can still use it with an RSA or ECDSA keypair.

Spooler
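As an added example (not code from any of the answers above), a small POSIX shell check of what sshd will actually use for `PermitRootLogin`: sshd_config takes the first occurrence of a keyword and treats everything from the first `Match` line onward as conditional, so a provisioning run that appends a `PermitRootLogin no` line changes nothing if the distro's own line comes first. It assumes the whitespace-separated `Keyword value` form of sshd_config and uses a constructed sample config.

```shell
#!/bin/sh
# Added example, not code from the answers above. Assumes POSIX sh + awk and
# the whitespace-separated "Keyword value" form of sshd_config.

# Print the value sshd will actually use for keyword $2 in config file $1.
# sshd_config rules: keywords are case-insensitive, the FIRST occurrence wins,
# and everything from the first "Match" line onward is conditional, so it is
# skipped when computing the global value.
effective_sshd_option() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == kw { print $2; exit }    # first value wins
    ' "$1"
}

# Exit 0 if root cannot log in with a password: PermitRootLogin is "no",
# "prohibit-password" or its older spelling "without-password", or password
# authentication is off globally. An unset PermitRootLogin depends on the
# OpenSSH version (prohibit-password since 7.0, yes before), so it is not
# counted as hardened.
root_password_login_blocked() {
    case "$(effective_sshd_option "$1" PermitRootLogin)" in
        no|prohibit-password|without-password) return 0 ;;
    esac
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = "no" ]
}

# Constructed sample: the distro line sets PermitRootLogin first, a later
# provisioning step added "PermitRootLogin no" below it, and a Match block
# disables passwords for one user only. sshd keeps root password login on.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes          # shipped with the distro
PasswordAuthentication yes
PermitRootLogin no           # added later; ignored, first value wins
Match User deploy
    PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "effective PermitRootLogin: $(effective_sshd_option "$sample" PermitRootLogin)"
root_password_login_blocked "$sample" && echo hardened || echo "NOT hardened"
rm -f "$sample"
```

On the provisioning side the fix is to replace the existing `PermitRootLogin` line rather than append a second one, and to run `sshd -t` before restarting the service so a typo cannot lock you out.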