Date: Wed, 28 Nov 2007 22:03:08 -0800
From: "Kevin Downey" <redchin@gmail.com>
To: "Steve Bertrand" <iaccounts@ibctech.ca>
Cc: Olivier Nicole <on@cs.ait.ac.th>, freebsd-questions@freebsd.org
Subject: Re: Secure remote shell
Message-ID: <1d3ed48c0711282203r23e6d14cx5b97944ecda1de2a@mail.gmail.com>
In-Reply-To: <474E50BC.7060501@ibctech.ca>
References: <200711290428.lAT4SOLd065598@banyan.cs.ait.ac.th> <1d3ed48c0711282112g389407ddyed367561910adfe4@mail.gmail.com> <474E50BC.7060501@ibctech.ca>
On Nov 28, 2007 9:40 PM, Steve Bertrand <iaccounts@ibctech.ca> wrote:
> > ssh using key authentication and sudo configured to allow a certain
> > user to run the needed commands and only the needed commands as root.
> > http://www.gratisoft.us/sudo/
> > http://sial.org/howto/openssh/publickey-auth/
>
> Yes, but in the OP's context, providing this would mean that ANY command
> supplied via the web interface would be allowed whether SSH or sudo was
> used to perform the remote execution via the web server.
>
> IMHO, there needs to be a distinctive separation as the 'support'
> person's request comes via the browser. If it is an 'adduser' type
> request, all aspects (mail, radius etc.) need to have their own
> input-type authentication/authorization check on the input.
>
> Although sudo and SSH are part of the solution, providing a web server
> with full rights on a remote server if they can gain keyless entry is a
> large mistake.

Steve, at no point does the original email say "we need to execute user
input". sudo does not equate to providing full rights. I suggest reading
the manpage. Check yourself before you wreck yourself.

> Tunnel via SSH, and escalate via sudo is both a good idea. But I think
> in the OP's context, there needs to be some intensive checks and bounds
> in between that make it *harder* for him to achieve his goals than what
> it could be.
>
> I don't think anyone would want the following scenario:
>
> - you pass https://url.com?blah&blahetc to webserver
> - webserver, via password-less ssh executes via sudo a command on remote
>   RADIUS/mail to introduce a new user, perhaps in wheel group
> - owned
>
> Steve

-- 
The Mafia way is that we pursue larger goals under the guise of personal relationships.
Fisheye
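One way to get both things the thread asks for (key authentication plus sudo limited to "the needed commands", and a real check on what the browser sent), as an added example that is not part of the thread: an SSH forced-command wrapper that accepts only `adduser NAME` with a validated name, so the web server's key can trigger one vetted action and nothing else. The install path, the `support` account, the authorized_keys line and the sudoers line in the comments are all assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed (hypothetical) deployment:
# the web server's key is pinned in ~support/.ssh/authorized_keys as
#   command="/usr/local/bin/support-wrapper",no-pty,no-port-forwarding ssh-rsa AAAA... web@host
# and sudoers grants the support user exactly one command:
#   support ALL=(root) NOPASSWD: /usr/sbin/pw useradd *
# Whatever the web server sends arrives in SSH_ORIGINAL_COMMAND; it is parsed
# here, never handed to a shell, and only a validated name reaches sudo.

# is_valid_name NAME: 0 if NAME is a conservative login name, 1 otherwise.
is_valid_name() {
    case "$1" in
        '')             return 1 ;;   # empty
        *[!a-z0-9_-]*)  return 1 ;;   # no spaces, quotes, ';', '$', '/', ...
        [!a-z_]*)       return 1 ;;   # must start with a letter or '_'
    esac
    [ "${#1}" -le 32 ]                # length cap chosen for this example
}

# parse_request "REQ": prints the validated login name for "adduser NAME";
# returns 1 for anything else (unknown verb, extra words, bad name).
parse_request() {
    case "$1" in
        adduser\ *) _name=${1#adduser } ;;
        *)          return 1 ;;
    esac
    is_valid_name "$_name" || return 1
    printf '%s\n' "$_name"
}

# command_for "REQ": the exact command line that would run for REQ, or 1.
# Printed rather than executed so it can be checked without sudo.
command_for() {
    _n=$(parse_request "$1") || return 1
    printf 'sudo -n /usr/sbin/pw useradd %s\n' "$_n"
}

# Under sshd the request is in SSH_ORIGINAL_COMMAND; anything that fails
# validation is logged and refused instead of being passed through.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    name=$(parse_request "$SSH_ORIGINAL_COMMAND") || {
        logger -p auth.warning "support-wrapper: rejected: $SSH_ORIGINAL_COMMAND"
        exit 1
    }
    exec sudo -n /usr/sbin/pw useradd "$name"
fi
```

The sudoers wildcard still matters: it lets the wrapper pass the name, so keep the argument validation in the wrapper rather than relying on sudo to inspect it.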