Putting a command/script as a user's shell

Karol Kwiatkowski freebsd at orchid.homeunix.org
Tue Sep 12 04:45:52 PDT 2006


On 11/09/2006 16:56, Kirk Strauser wrote:
> On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
>> Good day everyone,
>>
>> I'm trying to make it possible to restart (as in 'shutdown -r now') a
>> FreeBSD based router from LAN network as easy as possible so it can be
>> used by non-technical people.
> 
> First of all, it's easy enough to do this securely that you might as well do 
> it.  Install sudo, and use "visudo" to create a sudoers file with entries 
> like:
> 
>    User_Alias    REBOOTERS = username1,username2,username3
>    REBOOTERS     ALL = (root) NOPASSWD: /sbin/reboot
> 
> Next, create a reboot script for them:
> 
>    # cat /usr/local/sbin/reboot.sh
>    #!/bin/sh
>    sudo /sbin/reboot
> 
> Finally, use OpenSSH's built-in options to run the script at login.  From 
> sshd(8):
> 
> AUTHORIZED_KEYS FILE FORMAT
> 
>      [....]
> 
>      command="command"
>              Specifies that the command is executed whenever this key is used
>              for authentication.
> 
> So, make each user's authorized_keys file look something like:
> 
> command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] username1 at example.com
> 
> Alternatively, do all the above for one single account: your "restart" user.  
> Use authorized_keys to limit which of your real users has access to reboot 
> the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.  
> You could even go so far as to add a clause to /etc/ssh/ssh_config (or 
> ~/.ssh/config for each individual user) like:
> 
> Host rebootrouter
>     Hostname balkyrouter.example.com
>     User restart
> 
> so that your users just run "ssh rebootrouter".
> 
> So, to recap, when a user logs in, the reboot.sh script will be executed.  It 
> will use sudo to run the reboot command as root, without prompting the user 
> to enter any password.  It's easy, it works, and it doesn't require any 
> setuid trickery or special accounts or anything else.

Hi Kirk,

I wasn't aware of 'command' option in authorized_keys file and that's
exactly what I need :)

The rest is more or less what I was thinking of with the exception I
tried to avoid installing sudo just to do this.

So here's what I ended up with:

- user 'restart' in group 'operator' (I need another user because
there are no 'normal' users on the router except me)
- public/private key pair for authorization
- command="/sbin/shutdown -r now" in /home/restart/.ssh/authorized_keys

Works as expected even with windows/putty clients :)

Thanks for your reply.

Karol

-- 
Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
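The following is an added example, not code posted by Kirk or Karol. It shows the forced-command setup from the thread as a practitioner would harden it: the authorized_keys options are written before the key type (sshd only honours them there), the key is pinned to the LAN with from= and stripped of forwarding and pty, and the wrapper refuses anything except a plain "reboot" request arriving in SSH_ORIGINAL_COMMAND. The account name 'restart', the wrapper path /usr/local/sbin/reboot.sh, the LAN prefix 192.168.1.0/24 and the key material are all assumptions.

```sh
#!/bin/sh
# Added example for the forced-command reboot setup discussed above.
# Not code from the original thread.  Assumed: account 'restart', wrapper
# path /usr/local/sbin/reboot.sh, LAN prefix 192.168.1.0/24, constructed key.

# Build one authorized_keys line.  Options MUST precede the key type;
# placed after the key they are silently taken as part of the comment and
# the forced command never applies.
#   $1 = from= pattern (addresses allowed to use this key)
#   $2 = forced command
#   $3 = public key as written by ssh-keygen ("ssh-rsa AAAA... comment")
build_authorized_keys_entry() {
  printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
    "$1" "$2" "$3"
}

# Policy for the forced command.  sshd never runs what the client asked
# for; it puts that string in SSH_ORIGINAL_COMMAND and runs the wrapper,
# so the wrapper must whitelist.  An empty value is a bare "ssh rebootrouter".
#   $1 = value of SSH_ORIGINAL_COMMAND
# Prints the command that would run and returns 0, or prints nothing and
# returns 1.  Kept side-effect free so it can be exercised without root.
decide_action() {
  case "${1:-}" in
    ""|reboot) echo "/sbin/shutdown -r now"; return 0 ;;
    *)         echo "reboot.sh: refusing '$1'" >&2; return 1 ;;
  esac
}

# Text of the wrapper to install as /usr/local/sbin/reboot.sh (assumed
# path, mode 0755).  The policy is inlined so the installed file has no
# dependency on this script.  shutdown(8) is reachable for group operator,
# so no sudo is needed, matching Karol's final setup.
wrapper_body() {
  cat <<'EOF'
#!/bin/sh
case "${SSH_ORIGINAL_COMMAND:-}" in
  ""|reboot) ;;
  *) echo "reboot.sh: refusing '$SSH_ORIGINAL_COMMAND'" >&2; exit 1 ;;
esac
logger -t reboot.sh "remote restart requested from ${SSH_CONNECTION%% *}"
exec /sbin/shutdown -r now
EOF
}

# Stand-alone demo with a constructed (not real) public key: print the
# authorized_keys line and the wrapper that belongs with it.
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructed0example0key user1@lan'
build_authorized_keys_entry 192.168.1.0/24 /usr/local/sbin/reboot.sh "$demo_key"
wrapper_body
```

Install the printed line into /home/restart/.ssh/authorized_keys and the wrapper at the assumed path; a client running "ssh restart@router" or "ssh restart@router reboot" triggers the restart, while "ssh restart@router 'reboot; id'" is refused and logged, and the no-pty/no-*-forwarding options keep the key from being used as a general-purpose tunnel into the router.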
