From: Steve Bertrand
Date: Thu, 29 Nov 2007 00:23:45 -0500
To: Olivier Nicole
Cc: freebsd-questions@freebsd.org
Subject: Re: Secure remote shell
Message-ID: <474E4CE1.6060809@ibctech.ca>
In-Reply-To: <200711290428.lAT4SOLd065598@banyan.cs.ait.ac.th>

> What other solution would you suggest to execute a shell remotely as
> root, that could be automated in a script (no password required).

- have information input into browser
- have web server save information to server disk in non-executable format
- have script (or admin) authenticate/authorize commands to be performed
  (recommend doing this manually for a while to ensure you capture as
  many escape type bugs as possible)
- have commands via another script scrubbed/cleaned/tested
- have cron perform commands at every X minutes

Dirty, but it works. Just ensure that your input variables are very
clean during the request, and their storage.

All this said, I have an environment that may *semi* relate to what you
are doing.

It appears you are running your mail with sendmail on one box, RADIUS on
another, and perhaps your web interface on yet another. Is this correct?
Perhaps it's all on the same box...

Can you state:

- mail server software
- RADIUS software
- web interface (server) software

...assuming further, the web interface is custom, right?

How many users do you have? How many support people?

Perhaps you could mail me off-list to discuss, as my support staff and I
just went through this last year, and are just finishing up the
details.

Steve
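
One way to implement the spool-and-cron flow listed in the message above, as an added example that is not part of the original post. The spool path, the `*.req` naming, the one-line "action username" request format, the two allowlisted pw(8) actions and the cron entry are all assumptions.

```shell
#!/bin/sh
# Added example: root-side cron worker for a web-written request spool.
# Assumed (not from the message): SPOOL path, *.req naming, and the
# one-line "action username" request format.
LC_ALL=C; export LC_ALL               # make [a-z] mean ASCII only
SPOOL="${SPOOL:-/var/spool/webreq}"   # hypothetical spool directory
DRY_RUN="${DRY_RUN:-1}"               # 1 = print for manual review, 0 = execute

# Accept exactly "<action> <username>"; set REQ_ACTION/REQ_USER on success.
# The request only selects an allowlisted action, it never carries command text.
vet_request() {
    set -f; set -- $1; set +f         # split on whitespace, no globbing
    [ $# -eq 2 ] || return 1
    case $1 in
        lock|unlock) ;;               # allowlist of pw(8) subcommands
        *) return 1 ;;
    esac
    case $2 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;   # shell metacharacters never pass
    esac
    [ ${#2} -le 16 ] || return 1
    REQ_ACTION=$1 REQ_USER=$2
}

# Handle each queued request; rejected files are kept for the admin to inspect.
process_spool() {
    for f in "$SPOOL"/*.req; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue   # regular files only
        IFS= read -r line < "$f" || :              # first line only
        if ! vet_request "$line"; then
            echo "rejected: $f" >&2; mv "$f" "$f.rejected"
        elif [ "$DRY_RUN" = 1 ]; then
            echo "would run: pw $REQ_ACTION $REQ_USER"   # file stays queued
        else
            pw "$REQ_ACTION" "$REQ_USER" && mv "$f" "$f.done"   # argv form, no eval
        fi
    done
}

# cron entry (assumed): */5 * * * * root /usr/local/sbin/webreq-worker --run
if [ "${1:-}" = "--run" ]; then process_spool; fi
```

With `DRY_RUN=1` the worker only prints what it would run and leaves accepted requests queued, which matches the manual-approval phase recommended in the message; set `DRY_RUN=0` once the rejects have been reviewed.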