Files

1.7 KiB

Root SSH Exception for Admin Servers

Standard policy: PermitRootLogin no + AllowUsers ippadmin on all servers.

Exception granted for: app1, app2, app3 (netcup RS 4000 G12 admin/infrastructure servers).

Rationale: Automated provisioning and deployment by Sho'Nuff requires root-level access without sudo password workarounds. These servers run infrastructure services (AI stack, networking management, WordPress platform) that need frequent configuration changes.

Restrictions:

  • Root access is key-only — no password authentication
  • Only the itpp-infra SSH key is authorized
  • /root/.ssh/authorized_keys contains the same key as ippadmin's
  • AllowUsers ippadmin root — both users explicitly allowed
  • PasswordAuthentication no still enforced
  • PermitRootLogin prohibit-password (key only, no password)

Setup commands (from Core):

ssh -i /root/.ssh/itpp-infra ippadmin@<server>
# Deploy root's authorized_keys
sudo mkdir -p /root/.ssh
sudo cp /home/ippadmin/.ssh/authorized_keys /root/.ssh/
sudo chmod 700 /root/.ssh
sudo chmod 600 /root/.ssh/authorized_keys
# Update sshd_config
sudo sed -i 's/^PermitRootLogin no/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sudo sed -i 's/^AllowUsers.*/AllowUsers ippadmin root/' /etc/ssh/sshd_config
sudo systemctl restart sshd

Verification:

ssh -i /root/.ssh/itpp-infra root@<server> "hostname"

Pitfall: If ippadmin was created with --disabled-password, su and sudo -S will fail because there's no password. This blocks automated provisioning via ippadmin. Solution: set up root SSH BEFORE closing the initial root session during provisioning, or use the netcup console.