From owner-freebsd-security  Wed Mar 27 12:16:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19])
	by hub.freebsd.org (Postfix) with ESMTP id CEF6237B400
	for <freebsd-security@FreeBSD.ORG>; Wed, 27 Mar 2002 12:16:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by w2xo.pgh.pa.us (8.11.6/8.11.3) with ESMTP id g2RKG0P21916;
	Wed, 27 Mar 2002 20:16:01 GMT
	(envelope-from durham@w2xo.pgh.pa.us)
Date: Wed, 27 Mar 2002 20:16:00 +0000 (GMT)
From: Jim Durham <durham@w2xo.pgh.pa.us>
To: Fernan Aguero <fernan@iib.unsam.edu.ar>
Cc: FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject: Re: using ssh to run remote commands?
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>
Message-ID: <Pine.BSF.4.21.0203272011290.21669-100000@w2xo.pgh.pa.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Wed, 27 Mar 2002, Fernan Aguero wrote:

> I'd like to know how to run remote commands using ssh.
> I know I can do it as myself, but I'd like to know how can I set up my
> systems to allow non-login users (root, operator, amanda) to run
> remote commands on other hosts.
> 
> Specifically, I want to now how can i run restore on the backup server
> (the one holding the tape drive) to recover full filesystems to a
> remote host.
> Obviously this should be done as either root or some other privileged
> user.
> 
> All examples point to rsh, and I'd like to know if this can be done
> securely using ssh.
> 

You can do this pretty easily with 'expect'. You will need to
have your private/public key set installed properly so you 
don't have to put a password in your script.

At that point, just have expect spawn ssh and connect to the
backup machine and execute the commands.

All these kinds of things are frought with danger. At least,
this way, the only thing that could really kill you is
someone getting your private key. Putting a password in your
script is even worse, though.

You might also investigate rsync over ssh for backups. You could
fire this off as a cron job from the backup.

-Jim



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message