Secure remote shell
redchin at gmail.com
Wed Nov 28 22:03:11 PST 2007
On Nov 28, 2007 9:40 PM, Steve Bertrand <iaccounts at ibctech.ca> wrote:
> > ssh using key authentication and sudo configured to allow a certain
> > user to run the needed commands and only the needed commands as root.
> > http://www.gratisoft.us/sudo/
> > http://sial.org/howto/openssh/publickey-auth/
> Yes, but in the OP's context, providing this would mean that ANY command
> supplied via the web interface would be allowed whether SSH or sudo was
> used to perform the remote execution via the web server.
> IMHO, there needs to be a distinctive separation as the 'support'
> person's request comes via the browser. If it is an 'adduser' type
> request, all aspects (mail, radius etc) need to have their own
> input-type authentication/authorization check on the input.
> Although sudo and SSH are part of the solution, providing a web server
> with full rights on a remote server if they can gain keyless entry is a
> large mistake.
At no point does the original email say "we need to execute user
input". sudo does not equate to providing full rights. I suggest
reading the manpage. Check yourself before you wreck yourself.
> Tunneling via SSH and escalating via sudo are both good ideas. But I think
> in the OP's context, there needs to be some intensive checks and bounds
> in between that make it *harder* for him to achieve his goals than what
> it could be.
> I don't think anyone would want the following scenario:
> - you pass https://url.com?blah&blahetc to webserver
> - webserver, via password-less ssh executes via sudo a command on remote
> RADIUS/mail to introduce a new user, perhaps in wheel group
> - owned
The Mafia way is that we pursue larger goals under the guise of
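
The two positions in this exchange (sudo limited to the needed commands, and a separate check on what arrives from the web server) can be combined in an SSH forced command. The script below is an added example, not part of the original message or thread; the account `webprov`, the paths `provision-gate` and `provision-helper`, the two request verbs and the username policy are all assumptions made for illustration.

```shell
#!/bin/sh
# provision-gate: SSH forced command for the web server's key (constructed example).
# Assumed setup on the RADIUS/mail host (names and paths are hypothetical):
#   authorized_keys of user "webprov":
#     command="/usr/local/sbin/provision-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <public-key> web@frontend
#   sudoers (via visudo):
#     webprov ALL=(root) NOPASSWD: /usr/local/sbin/provision-helper
# sshd runs this script for every login with that key and passes what the
# client asked for in SSH_ORIGINAL_COMMAND; the client never gets a shell.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# gate_request REQUEST: print "<action> <user>" and return 0 if the request
# is on the allowlist, otherwise print nothing and return 1.
gate_request() {
    req=$1
    case $req in
        "adduser "*) action=adduser; user=${req#adduser } ;;
        "deluser "*) action=deluser; user=${req#deluser } ;;
        *) return 1 ;;                         # unknown verb
    esac
    case $user in
        ""|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;  # empty, bad first char, or any
    esac                                       # space, option or metacharacter
    [ "${#user}" -le 16 ] || return 1
    case $user in
        root|toor|daemon|operator|wheel) return 1 ;;  # assumed reserved names
    esac
    printf '%s %s\n' "$action" "$user"
}

# Groups and other flags are never taken from the request; the hypothetical
# root helper fixes them, so "perhaps in wheel group" cannot be asked for.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if checked=$(gate_request "$SSH_ORIGINAL_COMMAND"); then
        # $checked is two validated words, so splitting it is safe here.
        exec sudo -n /usr/local/sbin/provision-helper $checked
    fi
    echo "provision-gate: request refused" >&2
    exit 1
fi
```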