Putting a command/script as a user's shell
Kirk Strauser
kirk at strauser.com
Mon Sep 11 07:58:17 PDT 2006
On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
> Good day everyone,
>
> I'm trying to make it possible to restart (as in 'shutdown -r now') a
> FreeBSD based router from LAN network as easy as possible so it can be
> used by non-technical people.
First of all, it's easy enough to do this securely that you might as well do
it. Install sudo, and use "visudo" to create a sudoers file with entries
like:
    User_Alias REBOOTERS = username1,username2,username3
    REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot
Next, create a reboot script for them:
    # cat /usr/local/sbin/reboot.sh
    #!/bin/sh
    sudo /sbin/reboot
Finally, use OpenSSH's built-in options to run the script at login. From
sshd(8):
    AUTHORIZED_KEYS FILE FORMAT
    [....]
         command="command"
                 Specifies that the command is executed whenever this key is
                 used for authentication.
So, make each user's authorized_keys file look something like:
    command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] username1@example.com
Alternatively, do all the above for one single account: your "restart" user.
Use authorized_keys to limit which of your real users has access to reboot
the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.
You could even go so far as to add a clause to /etc/ssh/ssh_config (or
~/.ssh/config for each individual user) like:
    Host rebootrouter
        Hostname balkyrouter.example.com
        User restart
so that your users just run "ssh rebootrouter".
So, to recap, when a user logs in, the reboot.sh script will be executed. It
will use sudo to run the reboot command as root, without prompting the user
to enter any password. It's easy, it works, and it doesn't require any
setuid trickery or special accounts or anything else.
--
Kirk Strauser
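
Added example (not part of the original message): a small audit of authorized_keys lines for the forced-command setup described above. It flags keys that have no options, option text that is not attached to a key, and keys whose forced command is set while forwarding is still allowed. The function names and sample keys are constructed for illustration, and the "restrict" option is an assumption that only holds on OpenSSH 7.2 and later.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the script path is the one used in the post.
EXPECTED='command="/usr/local/sbin/reboot.sh"'

# Reads authorized_keys lines on stdin; prints one finding per problem line.
audit_authorized_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
            ssh-*|ecdsa-*|sk-*)
                echo "line $n: no options, key gets a normal login shell"
                continue ;;
            *' ssh-'*|*' ecdsa-'*|*' sk-'*) ;;
            *)  echo "line $n: no key found, option is not attached to any key"
                continue ;;
        esac
        # Options are the comma-separated field before the key type.
        opts=${line%%" ssh-"*}; opts=${opts%%" ecdsa-"*}; opts=${opts%%" sk-"*}
        case ",$opts," in
            *",$EXPECTED,"*) ;;
            *)  echo "line $n: forced command missing or not $EXPECTED"
                continue ;;
        esac
        # command= alone does not stop a client from requesting forwarding.
        case ",$opts," in
            *,restrict,*|*,no-port-forwarding,*) ;;
            *)  echo "line $n: forced command set but port forwarding still allowed" ;;
        esac
    done
}

# Constructed sample input (placeholder strings, not real key material).
sample_keys() {
cat <<'EOF'
# lines 2 and 3: option written on its own line, separate from the key
ssh-rsa AAAAexample1 username1@example.com
command="/usr/local/sbin/reboot.sh"
command="/usr/local/sbin/reboot.sh" ssh-rsa AAAAexample2 username2@example.com
restrict,command="/usr/local/sbin/reboot.sh" ssh-ed25519 AAAAexample3 username3@example.com
command="/bin/sh" ssh-rsa AAAAexample4 username4@example.com
EOF
}

sample_keys | audit_authorized_keys
```

Run it against a real file with "audit_authorized_keys < ~restart/.ssh/authorized_keys"; no output means every key is pinned to the reboot script with forwarding disabled.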
More information about the freebsd-questions
mailing list