Secure remote editing of root-accessible files over SSH

As per security best practices one should not allow root login over SSH with password or keys. Instead, sudo should be used.

However, if one wants to use SSH (SFTP) for remote editing of server configuration files, like ones living in /etc (Apache, Cron, you name it), how this should be done?

Can root-accesible file remote editing over SFTP be compatible with the security best practices
How one should set file permissions, user groups and such that the security best practices are followed

Currently I use passphrase protected public key authentication to login as root, but I am not sure if there is something more secure I could do, so that root facing SSH logins could be disabled altogether.

The server is Ubuntu 12.04.

Mikko Ohtamaa

Posted 2013-04-11T08:46:34.937

Reputation: 1 790

So what is your client OS? Please be more specific in your question! – SPRBRN – 2013-04-11T09:49:36.573

I fail to see why direct key-based root login should be less secure than sudo. – jpc – 2013-06-25T07:59:03.503

Answers

If the remote editing is really wanted, one simple solution could be to keep a copy of /etc (or parts of it) on another local user and setup the system to copy changes from there to the real /etc. Even better would be to use a git -- or svn, or any other version control system of your choice -- and you would have additional log of changes, too.

It's also possible to setup chroot on SFTP and disable normal login for a specific account -- or limiting the login to that user only from specified IP addresses -- with the same feature of OpenSSH (Match Group etc). About that, check http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

However please remember that most configuration files on /etc make it possible to get root access just by editing them. I've seen systems configured with svn/git to check the validation of configuration files before accepting changes of the files -- that could be used for accepting only secure configuration formats.

Anyway, there's a lot of different solutions for the problem. This was only one approach.

thejhh

Posted 2013-04-11T08:46:34.937

Reputation: 71

I don't see why it wouldn't be ok to sudo edit those files through SSH. I do it all the time, e.g.

sudo nano /etc/apache2/sites-available/default

If you want to use a GUI editor, you can use X tunnelling. You have to allow it in your ssh conf file and then use the -X option on your ssh command line.

ssh -X server.example.com

Then you can edit the file file a GUI editor:

sudo gedit /etc/apache2/sites-available/default

Mikkel

Posted 2013-04-11T08:46:34.937

Reputation: 111

This is remote editing as sense I was referring; You are running gedit on the server, not a local text editor which edits files over SSH/SFTP – Mikko Ohtamaa – 2013-04-11T13:01:10.623

See this SO answer for an example of how to do this via an SSH tunnel in Sublime Text.

user72923

Posted 2013-04-11T08:46:34.937

Reputation: 867