Okay technical readers, I need some help here. Today I decided to clean up my .ssh folder and regenerate ssh keys for each of my machines. I’m going to use ssh-agent to keep them safe, and use passwordless login to all of the servers I access. I’ve also discovered that I can setup a .ssh/config file that lets me set different usernames per host (useful!) and give hosts aliases. So that’s all good.
Here’s my issue, and I’ll try not to compramise the super-secret Berkman security while talking about this ;). Most of the times I’m logging into these machines I need to do things as root. For obvious reasons root ssh is disabled, so I can’t do the easy thing and setup a keypair for the root account. This means when I login I have to use either sudo to do root comands (my preference) or su to root (my boss’s preference). I like sudo because it keeps my session variables, my boss doesn’t like it for precisely that reason, and is concerned that it is an easy vector for privilege escalation. I sort of get that. I also am really bad with passwords, and don’t really want to remember which password I’m using on which machine in order to sudo or su.
The ideal method for me would be a way to sudo and have it look at my local ssh-agent for credentials. Then I’d get rid of the password problem but would still have to worry about my session stuff…maybe it could read my local dot files instead of those on the server? I dunno.
Anyway, I’m sure people have thought about this and done things about this, and I really doubt my proposal makes much sense, so does anyone have any suggestions for, basically, secure, password-less root login which maintains my settings? Or other useful ways for multiple people to share a root account while maintaining their own preferences?