Date: Thu, 29 Nov 2007 00:40:12 -0500 From: Steve Bertrand <iaccounts@ibctech.ca> To: Kevin Downey <redchin@gmail.com> Cc: Olivier Nicole <on@cs.ait.ac.th>, freebsd-questions@freebsd.org Subject: Re: Secure remote shell Message-ID: <474E50BC.7060501@ibctech.ca> In-Reply-To: <1d3ed48c0711282112g389407ddyed367561910adfe4@mail.gmail.com> References: <200711290428.lAT4SOLd065598@banyan.cs.ait.ac.th> <1d3ed48c0711282112g389407ddyed367561910adfe4@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> ssh using key authentication and sudo configured to allow a certain > user to run the needed commands and only the needed commands as root. > http://www.gratisoft.us/sudo/ > http://sial.org/howto/openssh/publickey-auth/ Yes but in the OP's context, providing this would mean that ANY command supplied via the web interface would be allowed whether SSH or sudo was used to perform the remote execution via the web server. IMHO, there needs to be a distinctive separation as the 'support' persons request comes via the browser. If it is an 'adduser' type request, all aspects (mail, radius etc) need to have their own input-type authentication/authorization check on the input. Although sudo and SSH are part of the solution, providing a web server with full rights on a remote server if they can gain keyless entry is a large mistake. Tunnel via SSH, and escalate via sudo is both a good idea. But I think in the OP's context, there needs to be some intensive checks and bounds in between that make it *harder* for him to achieve his goals than what it could be. I don't think anyone would want the following scenario: - you pass https://url.com?blah&blahetc to webserver - webserver, via password-less ssh executes via sudo a command on remote RADIUS/mail to introduce a new user, perhaps in wheel group - owned Steve
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?474E50BC.7060501>