Secure remote shell

Steve Bertrand iaccounts at
Wed Nov 28 21:40:11 PST 2007

> ssh using key authentication and sudo configured to allow a certain
> user to run the needed commands and only the needed commands as root.

Yes, but in the OP's context, providing this would mean that ANY command
supplied via the web interface would be allowed whether SSH or sudo was
used to perform the remote execution via the web server.

IMHO, there needs to be a distinctive separation as the 'support'
person's request comes via the browser. If it is an 'adduser' type
request, all aspects (mail, radius etc) need to have their own
input-type authentication/authorization check on the input.

Although sudo and SSH are part of the solution, providing a web server
with full rights on a remote server if they can gain keyless entry is a
large mistake.

Tunneling via SSH and escalating via sudo are both good ideas. But I think
in the OP's context, there needs to be some intensive checks and bounds
in between that make it *harder* for him to achieve his goals than what
it could be.

I don't think anyone would want the following scenario:

- you pass to webserver
- webserver, via password-less ssh executes via sudo a command on remote
RADIUS/mail to introduce a new user, perhaps in wheel group
- owned
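
An added example, not part of the original post: one way to put a per-request check between the web server's SSH key and sudo is an sshd forced-command gate on the RADIUS/mail host. The request grammar (`adduser <login> <group>`), the script path and the group names are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical gate script, installed via an authorized_keys entry such as
# (constructed example, key material elided):
#   command="/usr/local/libexec/webgate.sh",no-pty,no-port-forwarding ssh-ed25519 ... web@frontend
# sshd then runs this script for every login with that key and exposes what the
# web server asked for in SSH_ORIGINAL_COMMAND; nothing else can be executed.
LC_ALL=C; export LC_ALL
ALLOWED_GROUPS="mailusers radiususers"   # assumption: wheel is never listed

valid_login() {
    # lowercase letter first, then lowercase/digits/_/-, at most 16 characters
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

allowed_group() {
    for g in $ALLOWED_GROUPS; do
        [ "$1" = "$g" ] && return 0
    done
    return 1
}

# gate_request "<raw request>": print the fixed command to run, or fail.
gate_request() {
    # refuse anything outside letters, digits, _, - and space before splitting
    case "$1" in
        *[!A-Za-z0-9_\ -]*) return 1 ;;
    esac
    set -f; set -- $1; set +f          # split on spaces without globbing
    [ "$#" -eq 3 ] || return 1
    verb=$1 login=$2 group=$3
    valid_login "$login" || return 1
    allowed_group "$group" || return 1
    case "$verb" in
        adduser) echo "sudo -n /usr/sbin/pw useradd $login -G $group -s /usr/sbin/nologin" ;;
        *) return 1 ;;                 # unknown request type
    esac
}

# Runs only when invoked by sshd as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    cmd=$(gate_request "$SSH_ORIGINAL_COMMAND") || { echo "request denied" >&2; exit 1; }
    exec $cmd
fi
```

The matching sudoers rule would then permit only `/usr/sbin/pw useradd` for the gate account, so a compromised web server can submit requests but cannot choose the command or the group.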

