As per security best practices one should not allow root login over SSH with password or keys. Instead, sudo should be used.
However, if one wants to use SSH (SFTP) for remote editing of server configuration files, like ones living in /etc (Apache, Cron, you name it), how this should be done?
-
Can root-accesible file remote editing over SFTP be compatible with the security best practices
-
How one should set file permissions, user groups and such that the security best practices are followed
Currently I use passphrase protected public key authentication to login as root, but I am not sure if there is something more secure I could do, so that root facing SSH logins could be disabled altogether.
The server is Ubuntu 12.04.
Best Answer
If the remote editing is really wanted, one simple solution could be to keep a copy of /etc (or parts of it) on another local user and setup the system to copy changes from there to the real /etc. Even better would be to use a git -- or svn, or any other version control system of your choice -- and you would have additional log of changes, too.
It's also possible to setup chroot on SFTP and disable normal login for a specific account -- or limiting the login to that user only from specified IP addresses -- with the same feature of OpenSSH (Match Group etc). About that, check http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
However please remember that most configuration files on /etc make it possible to get root access just by editing them. I've seen systems configured with svn/git to check the validation of configuration files before accepting changes of the files -- that could be used for accepting only secure configuration formats.
Anyway, there's a lot of different solutions for the problem. This was only one approach.