Secure remote shell
Kevin Downey
redchin at gmail.com
Wed Nov 28 22:03:11 PST 2007
On Nov 28, 2007 9:40 PM, Steve Bertrand <iaccounts at ibctech.ca> wrote:
> > ssh using key authentication and sudo configured to allow a certain
> > user to run the needed commands and only the needed commands as root.
> > http://www.gratisoft.us/sudo/
> > http://sial.org/howto/openssh/publickey-auth/
>
> Yes but in the OP's context, providing this would mean that ANY command
> supplied via the web interface would be allowed whether SSH or sudo was
> used to perform the remote execution via the web server.
>
> IMHO, there needs to be a distinctive separation as the 'support'
> persons request comes via the browser. If it is an 'adduser' type
> request, all aspects (mail, radius etc) need to have their own
> input-type authentication/authorization check on the input.
>
> Although sudo and SSH are part of the solution, providing a web server
> with full rights on a remote server if they can gain keyless entry is a
> large mistake.
Steve,
at no point does the original email say "we need to execute user
input". sudo does not equate to providing full rights. I suggest
reading the manpage. check yourself before you wreck yourself.
> Tunnel via SSH, and escalate via sudo is both a good idea. But I think
> in the OP's context, there needs to be some intensive checks and bounds
> in between that make it *harder* for him to achieve his goals than what
> it could be.
>
> I don't think anyone would want the following scenario:
>
> - you pass https://url.com?blah&blahetc to webserver
> - webserver, via password-less ssh executes via sudo a command on remote
> RADIUS/mail to introduce a new user, perhaps in wheel group
> - owned
>
> Steve
>
--
The Mafia way is that we pursue larger goals under the guise of
personal relationships.
Fisheye
More information about the freebsd-questions
mailing list