Re: using SSH to execute commands on remote servers as different user

From: Mark Johnston (mjohnston_at_skyweb.ca)
Date: 07/29/03

    To: <isp@freebsd.org>, "'Dave [Hawk-Systems]'" <dave@hawk-systems.com>
    Date: Tue, 29 Jul 2003 13:14:17 -0500
    
    

    Dave [Hawk-Systems] wrote:
    > More correctly, I want to allow a script to run the ssh occasionally
    > as another user without placing an auth_key on the remote server which
    > would give that user access on that server outside of the confines
    > of the script(s) that we want to and outside of the limited time
    > constraints that we require it.

    What about checking the scripts and time constraints with OpenSSH's
    forced command function? You can set up a key like this:

    command="/home/user/check_perm" ssh-rsa AAAAetc...

    and within check_perm, you can verify the command to be run, do further
    access control or logging, etc. You can even have check_perm delete
    its entry from the authorized_keys file afterwards, for a one-time
    run. See ssh(1), section ENVIRONMENT, for more info on how to write the
    permission checking script.

    > on serverA(our master) we have sysadmin account. Occasionally that
    > account will need to connect to serverB or serverC as userA or userB
    > account. I do not want to put a userA or userB account on serverA.

    There's no need to have a corresponding account on serverA for
    the target account on serverB. ssh -l should work fine going from
    sysadmin@serverA to userB@serverB, even if you're using a key for
    authentication. You can use -i to specify an alternate identity file if
    you want to use a different key.

    > I want sysadmin to connect to serverB as userA
    >
    > Again, easy to do from shell;
    > ssh -l userA serverB command
    >
    > but how to pass the authentication portion from the script?

    Public key authentication is exactly what you want. Otherwise, you'll
    be trying to pass in the password from your script, which is neither fun
    nor a good idea.

    Mark

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
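
One way to write the check_perm script that the reply above describes, as an added example that is not from the original post or from OpenSSH. The command names, paths, permitted hours and the "one-time-key" tag are hypothetical; SSH_ORIGINAL_COMMAND and SSH_CLIENT are the variables sshd sets for the forced command.

```shell
#!/bin/sh
# check_perm: forced-command gatekeeper. Added example; the command names,
# paths, hours and key tag are hypothetical placeholders.
ALLOW_START=1   # first permitted hour, local time
ALLOW_END=4     # last permitted hour

# Map the requested command to a fixed local command line. Only verbatim
# matches pass; anything else (extra arguments, ";", empty) returns 1.
resolve_command() {
    case "$1" in
        rotate-logs) echo "/usr/local/sbin/rotate_logs" ;;
        backup-db)   echo "/usr/local/sbin/backup_db --nightly" ;;
        *)           return 1 ;;
    esac
}

# True when hour $1 (00-23) is inside [$2,$3]; the window may wrap midnight.
in_window() {
    h=${1#0}; h=${h:-0}
    if [ "$2" -le "$3" ]; then
        [ "$h" -ge "$2" ] && [ "$h" -le "$3" ]
    else
        [ "$h" -ge "$2" ] || [ "$h" -le "$3" ]
    fi
}

# Rewrite authorized_keys file $1 without the lines containing tag $2.
revoke_key() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    grep -v -F -- "$2" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$1"
}

main() {
    req=${SSH_ORIGINAL_COMMAND:-}   # what the client asked for (set by sshd)
    who=${SSH_CLIENT%% *}           # client address (set by sshd)
    if ! in_window "$(date +%H)" "$ALLOW_START" "$ALLOW_END"; then
        logger -t check_perm "DENY outside window from ${who:-?}: $req"; exit 1
    fi
    if ! cmd=$(resolve_command "$req"); then
        logger -t check_perm "DENY unlisted command from ${who:-?}: $req"; exit 1
    fi
    logger -t check_perm "ALLOW from ${who:-?}: $req"
    # For a one-time key, drop its entry before running the command:
    # revoke_key "$HOME/.ssh/authorized_keys" "one-time-key"
    exec $cmd   # trusted string from the table above, never the client's text
}

# Dispatch only when installed as check_perm, so the functions can be tested.
case "$0" in check_perm|*/check_perm) main ;; esac
```

Adding the authorized_keys options no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding to the same key entry keeps the key from being used for anything other than the forced command.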

