Putting a command/script as a user's shell
Karol Kwiatkowski
freebsd at orchid.homeunix.org
Tue Sep 12 04:45:52 PDT 2006
On 11/09/2006 16:56, Kirk Strauser wrote:
> On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
>> Good day everyone,
>>
>> I'm trying to make it possible to restart (as in 'shutdown -r now') a
>> FreeBSD based router from LAN network as easy as possible so it can be
>> used by non-technical people.
>
> First of all, it's easy enough to do this securely that you might as well do
> it. Install sudo, and use "visudo" to create a sudoers file with entries
> like:
>
> User_Alias REBOOTERS = username1,username2,username3
> REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot
>
> Next, create a reboot script for them:
>
> # cat /usr/local/sbin/reboot.sh
> sudo /sbin/reboot
>
> Finally, use OpenSSH's built-in options to run the script at login. From
> sshd(8):
>
> AUTHORIZED_KEYS FILE FORMAT
>
> [....]
>
> command="command"
> Specifies that the command is executed whenever this key is used
> for authentication.
>
> So, make each user's authorized_keys file look something like:
>
> command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] username1 at example.com
>
> Alternatively, do all the above for one single account: your "restart" user.
> Use authorized_keys to limit which of your real users has access to reboot
> the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.
> You could even go so far as to add a clause to /etc/ssh/ssh_config (or
> ~/.ssh/config for each individual user) like:
>
> Host rebootrouter
> Hostname balkyrouter.example.com
> User restart
>
> so that your users just run "ssh rebootrouter".
>
> So, to recap, when a user logs in, the reboot.sh script will be executed. It
> will use sudo to run the reboot command as root, without prompting the user
> to enter any password. It's easy, it works, and it doesn't require any
> setuid trickery or special accounts or anything else.
Hi Kirk,
I wasn't aware of the 'command' option in the authorized_keys file and that's
exactly what I need :)
The rest is more or less what I was thinking of with the exception I
tried to avoid installing sudo just to do this.
So here's what I ended up with:
- user 'restart' in group 'operator' (I need another user because
there are no 'normal' users on the router except me)
- public/private key pair for authorization
- command="/sbin/shutdown -r now" in /home/restart/.ssh/authorized_keys
Works as expected even with windows/putty clients :)
Thanks for your reply.
Karol
--
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
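As an added example (not code from this thread), a small sh script that builds the single-purpose authorized_keys entry for the dedicated 'restart' user described above and audits an authorized_keys file for keys that still grant an unrestricted login. It goes one step beyond the thread by adding the no-* restriction options from sshd(8) alongside command=; the key strings and temp file in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: forced-command authorized_keys entry for the 'restart' user,
# plus an audit for keys without any forced command. Not from the thread.

# Build one authorized_keys line. Options must come first, on the same line as
# the key. The no-* options keep the key from being used for anything but the
# forced command (no port, agent or X11 forwarding, no PTY).
restart_key_line() {
    # $1 = public key as "type base64 comment"
    printf 'command="/sbin/shutdown -r now",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Print every key line in an authorized_keys file that has no command= option,
# i.e. a key that still gives its holder a full login shell. Exits 1 if any.
audit_authorized_keys() {
    # $1 = path to an authorized_keys file
    awk '
        /^[[:space:]]*#/ { next }                            # comment line
        /^[[:space:]]*$/ { next }                            # blank line
        $0 ~ /^command="/ || $0 ~ /,command="/ { next }      # forced command present
        { print "UNRESTRICTED: " $0; bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Demo on a constructed sample file (placeholder keys, not real ones).
demo() {
    tmp=$(mktemp) || return 1
    restart_key_line 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLE1 restart@lan' > "$tmp"
    printf '# old admin key\n' >> "$tmp"
    printf 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLE2 karol@lan\n' >> "$tmp"   # unrestricted
    audit_authorized_keys "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

demo || echo "audit found unrestricted keys (exit status $?)"
```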