From eb7497fd41f0b6d2f97e67f4e0a05fd7bb2b9350 Mon Sep 17 00:00:00 2001
From: http://joeyh.name/
Date: Mon, 21 Apr 2014 13:31:13 +0000
Subject: Added a comment
---
.../comment_1_3bc008e42587a3313f81ee740d7d80f0._comment | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 doc/todo/ssh__95__user_+_sudo/comment_1_3bc008e42587a3313f81ee740d7d80f0._comment
diff --git a/doc/todo/ssh__95__user_+_sudo/comment_1_3bc008e42587a3313f81ee740d7d80f0._comment b/doc/todo/ssh__95__user_+_sudo/comment_1_3bc008e42587a3313f81ee740d7d80f0._comment
new file mode 100644
index 00000000..e0dc1d7f
--- /dev/null
+++ b/doc/todo/ssh__95__user_+_sudo/comment_1_3bc008e42587a3313f81ee740d7d80f0._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="http://joeyh.name/"
+ ip="209.250.56.214"
+ subject="comment 1"
+ date="2014-04-21T13:31:13Z"
+ content="""
+Running propellor that way would probably need ssh to allocate a tty in order for sudo's password prompt to work. And it adds complexity. Does it add security? I don't think so, PermitRootLogin=without-password or PasswordAuthentication=no is not going to let anyone brute force the root account.
+
+PermitRootLogin=forced-commands-only might be worth making easy to set up, so the only command that can be run with some special propellor-specific ssh key is propellor.
+"""]]
--
cgit v1.2.3