SUMMARY: remote exec
ladislav.kostal at fem.uniag.sk
Tue Nov 27 11:28:04 EST 2001
Thanks to Stephen Harris, Nick Hindley, Julian Simpson, Michael Groisman, Ed
Rolison, Markus Wildemann, Eduardo Sanchez.
The recommended (and probably most secure) way is using public-key authorization
in ssh. I got it working this way:
I need to execute "mkdir /home/newuser" from server A as nobody (using web
page) on server B
1) enable shell (just for creating .ssh2 directory for the first time) and
real homedir for nobody on A
2) create private and public key: ssh-keygen2 -P (don't ask for password)
3) rename created id_dsa... to serverA
4) rename created id_dsa...pub to serverA.pub
5) create $HOME/.ssh2/identification with this line: idkey serverA
6) now you can disable shell for nobody, but keep home dir! (ssh needs it)
7) add user power_u on server B with shell /usr/bin/pfcsh
8) add this line to /etc/user_attr on server B:
9) add this line to /etc/security/exec_attr on server B: Power
10) create script /usr/local/bin/createuser, which will be run under uid 0,
when executed by power_u:
11) copy serverA.pub to /home/power_u/.ssh2/ on server B
12) add this line to /home/power_u/.ssh2/authorization on server B: key
13) create web page on server A, e.g.:
    use CGI;
    my $q = new CGI;
    print $q->header, $q->start_html;
    # the trailing "|" makes open() run the command and read its output
    open (F,"/usr/local/ssh2/bin/ssh2 power_u\@serverB /usr/local/bin/createuser |") or print $!;
    close F;
14) test it :) - there should now be a directory /home/aaaaa on serverB
15) If you need to place keys elsewhere on server A, add the option -i
/path/to/identification/file to ssh, and in this file give idkey the full
path to the serverA file
16) I've used another user (power_u), because he can run just one command as
root and I don't want to allow root to ssh.
If you have any comments on this (security, functional), please mail me.
How can I remotely exec some command as a root?
Example: I have 2 servers - A is administrative server, B is server for
I need to create an account on server B from server A. I know about using ssh
and public-key authorization for this, but is it secure enough or is there
I forgot to add, that I need to run command from web pages - e.g.
administrative scripts for creating users on other server. As the web server
runs as nobody user, how to use public-key authorization (no-passphrase)?
server A (nobody) -> server B (root)
e.g. index.pl (nobody) -> mkdir /home/user1 (root)
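
Added example, not part of the original post and not the author's script: one way the /usr/local/bin/createuser from step 10 could check its input before acting as uid 0, since the name originates in a web form on server A. Assumptions: POSIX sh, the login name arrives as the first argument, and HOME_BASE (a name made up for this example) defaults to /home.

```shell
#!/bin/sh
# Example createuser wrapper: accept only a plain login name, then mkdir.
# Assumption: invoked as "createuser NAME" by power_u via the ssh key.

LC_ALL=C; export LC_ALL              # make [a-z] mean ASCII lowercase only
HOME_BASE="${HOME_BASE:-/home}"      # hypothetical override, used for testing

# Succeeds only for 1-8 characters: a lowercase letter first,
# then lowercase letters or digits. No "/", ".", spaces or metacharacters.
valid_username() {
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

createuser() {
    name="$1"
    valid_username "$name" || {
        echo "createuser: rejected name" >&2
        return 2
    }
    target="$HOME_BASE/$name"
    # Refuse an existing path, including a dangling symlink planted earlier.
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "createuser: $target already exists" >&2
        return 3
    fi
    # Plain mkdir (no -p) so nothing outside HOME_BASE is ever created.
    mkdir -m 0755 "$target" || return 4
}

# Act only when called with an argument; sourcing the file defines functions.
[ "$#" -eq 0 ] || createuser "$1"
```

The same check belongs in the CGI on server A before the name is placed on the ssh command line, because that string is parsed by a shell on the way to this script.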
sunmanagers mailing list
sunmanagers at sunmanagers.org