Date: Tue, 12 Sep 2006 13:45:34 +0200
From: Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To: Kirk Strauser <kirk@strauser.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Putting a command/script as a user's shell
Message-ID: <45069DDE.5090408@orchid.homeunix.org>
In-Reply-To: <200609110956.51060.kirk@strauser.com>
References: <450570AA.6050505@orchid.homeunix.org> <200609110956.51060.kirk@strauser.com>
On 11/09/2006 16:56, Kirk Strauser wrote:
> On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
>> Good day everyone,
>>
>> I'm trying to make it possible to restart (as in 'shutdown -r now') a
>> FreeBSD based router from LAN network as easy as possible so it can be
>> used by non-technical people.
>
> First of all, it's easy enough to do this securely that you might as well do
> it. Install sudo, and use "visudo" to create a sudoers file with entries
> like:
>
> User_Alias REBOOTERS = username1,username2,username3
> REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot
>
> Next, create a reboot script for them:
>
> # cat /usr/local/sbin/reboot.sh
> sudo /sbin/reboot
>
> Finally, use OpenSSH's built-in options to run the script at login. From
> sshd(8):
>
> AUTHORIZED_KEYS FILE FORMAT
>
> [....]
>
> command="command"
> Specifies that the command is executed whenever this key is used
> for authentication.
>
> So, make each user's authorized_keys file look something like:
>
> ssh-rsa [long base64 string] username1@example.com
> command="/usr/local/sbin/reboot.sh"
>
> Alternatively, do all the above for one single account: your "restart" user.
> Use authorized_keys to limit which of your real users has access to reboot
> the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.
> You could even go so far as to add a clause to /etc/ssh/ssh_config (or
> ~/.ssh/config for each individual user) like:
>
> Host rebootrouter
> Hostname balkyrouter.example.com
> User restart
>
> so that your users just run "ssh rebootrouter".
>
> So, to recap, when a user logs in, the reboot.sh script will be executed. It
> will use sudo to run the reboot command as root, without prompting the user
> to enter any password. It's easy, it works, and it doesn't require any
> setuid trickery or special accounts or anything else.

Hi Kirk,

I wasn't aware of the 'command' option in the authorized_keys file and that's
exactly what I need :)

The rest is more or less what I was thinking of, with the exception that I
tried to avoid installing sudo just to do this. So here's what I ended up with:

- user 'restart' in group 'operator' (I need another user because there
  are no 'normal' users on the router except me)
- public/private key pair for authorization
- command="/sbin/shutdown -r now" in /home/restart/.ssh/authorized_keys

Works as expected even with Windows/PuTTY clients :)

Thanks for your reply.

Karol

--
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
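As an added example (not part of the thread), a POSIX sh snippet for the setup described above: it builds the authorized_keys line for the 'restart' account with the forwarding and pty options from sshd(8) that a reboot-only key has no reason to carry (command= alone still permits port, agent and X11 forwarding through the account, and sshd expects options before the key type), and audits an existing file for forced-command keys that leave those options out. The key material and comments in the test input are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Option names are the ones
# sshd(8) documents for authorized_keys; key material is a placeholder.

# Print one authorized_keys line: the forced command plus the options a
# reboot-only key never needs. Options go before the key type.
restricted_key_line() {
    # $1 = forced command, $2 = key type, $3 = base64 key, $4 = comment
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Report keys in a file that lack command= or one of the four restriction
# options above. Prints "<reason> <comment>" per finding; returns 1 if any
# key was flagged, 0 if every key is restricted.
audit_authorized_keys() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        comment=${line##* }          # last whitespace-separated field
        case "$line" in
            *'command="'*) ;;
            *) echo "no-forced-command $comment"; found=1; continue ;;
        esac
        for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "missing-$opt $comment"; found=1 ;;
            esac
        done
    done < "$1"
    return $found
}
```

Run the audit against /home/restart/.ssh/authorized_keys after editing it; a zero exit status means every key is a restricted forced-command key.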
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45069DDE.5090408>