From: "Mark Johnston" <mjohnston@skyweb.ca>
To: "'Dave [Hawk-Systems]'", freebsd-isp@freebsd.org
Date: Tue, 29 Jul 2003 13:14:17 -0500
Subject: Re: using SSH to execute commands on remote servers as different user
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

Dave [Hawk-Systems] wrote:
> More correctly, I want to allow a script to run the ssh occasionally
> as another user without placing an auth_key on the remote server which
> would give that user access on that server outside of the confines
> of the script(s) that we want to and outside of the limited time
> constraints that we require it.

What about checking the scripts and time constraints with OpenSSH's
forced command function? You can set up a key like this:

    command="/home/user/check_perm" ssh-rsa AAAAetc...

and within check_perm, you can verify the command to be run, do further
access control or logging, etc. You can even have check_perm delete its
entry from the authorized_keys file afterwards, for a one-time run. See
ssh(1), section ENVIRONMENT, for more info on how to write the
permission checking script.

> on serverA (our master) we have a sysadmin account. Occasionally that
> account will need to connect to serverB or serverC as userA or userB
> account. I do not want to put a userA or userB account on serverA.

There's no need to have a corresponding account on serverA for the
target account on serverB. ssh -l should work fine going from
sysadmin@serverA to userB@serverB, even if you're using a key for
authentication. You can use -i to specify an alternate identity file if
you want to use a different key.

> I want sysadmin to connect to serverB as userA
>
> Again, easy to do from shell;
> ssh -l userA serverB command
>
> but how to pass the authentication portion from the script?

Public key authentication is exactly what you want. Otherwise, you'll be
trying to pass in the password from your script, which is neither fun
nor a good idea.

Mark
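A worked check_perm script for the forced-command setup Mark describes, added here as an example rather than anything from the thread: sshd hands the client's requested command to the script in SSH_ORIGINAL_COMMAND (the ssh(1) ENVIRONMENT section he points to), and the script only runs it if it matches a constructed allowlist and falls inside a constructed maintenance window, logging every decision. The allowlist entries, the window hours and the `check_perm` file name are assumptions for the example.

```shell
#!/bin/sh
# check_perm: forced-command wrapper referenced from authorized_keys as
#   command="/home/user/check_perm" ssh-rsa AAAA...
# sshd places the client's requested command in SSH_ORIGINAL_COMMAND
# (ssh(1), ENVIRONMENT); nothing runs unless both checks below pass.

# Constructed allowlist for this example: exact command strings, one per line.
ALLOWED_CMDS="/usr/local/bin/backup-rotate
/usr/bin/uptime"

# Constructed maintenance window: local hours in [WINDOW_START, WINDOW_END).
WINDOW_START=1
WINDOW_END=5

# Log via syslog when logger(1) is available, else to stderr.
log() { logger -t check_perm "$*" 2>/dev/null || printf 'check_perm: %s\n' "$*" >&2; }

# in_window HOUR -> success if HOUR lies inside the window.
in_window() { [ "$1" -ge "$WINDOW_START" ] && [ "$1" -lt "$WINDOW_END" ]; }

# cmd_allowed CMD -> success only on an exact allowlist match. Shell
# metacharacters are rejected outright so "uptime; sh" cannot ride along,
# and grep -xF compares whole lines literally (no regex, no globbing).
cmd_allowed() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | grep -q '[;|&`$()<>*?]' && return 1
    printf '%s\n' "$ALLOWED_CMDS" | grep -qxF -- "$1"
}

# check_perm CMD HOUR -> success if both checks pass; every decision is logged.
check_perm() {
    if ! in_window "$2"; then log "DENY outside window: $1"; return 1; fi
    if ! cmd_allowed "$1"; then log "DENY not allowlisted: $1"; return 1; fi
    log "ALLOW: $1"
}

# Entry point, taken only when sshd invokes this file as check_perm.
case "$0" in
    */check_perm|check_perm)
        hour=$(date +%H); hour=${hour#0}   # "03" -> "3", "00" -> "0"
        if check_perm "$SSH_ORIGINAL_COMMAND" "$hour"; then
            exec $SSH_ORIGINAL_COMMAND   # vetted above; no further shell parsing
        fi
        exit 1 ;;
esac
```

An interactive login request arrives with SSH_ORIGINAL_COMMAND empty and is denied like any other non-allowlisted command.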