Message-ID: <1d3ed48c0711282203r23e6d14cx5b97944ecda1de2a@mail.gmail.com>
Date: Wed, 28 Nov 2007 22:03:08 -0800
From: "Kevin Downey"
To: "Steve Bertrand"
In-Reply-To: <474E50BC.7060501@ibctech.ca>
References: <200711290428.lAT4SOLd065598@banyan.cs.ait.ac.th> <1d3ed48c0711282112g389407ddyed367561910adfe4@mail.gmail.com> <474E50BC.7060501@ibctech.ca>
Cc: Olivier Nicole, freebsd-questions@freebsd.org
Subject: Re: Secure remote shell

On Nov 28, 2007 9:40 PM, Steve Bertrand wrote:
> > ssh using key authentication and sudo configured to allow a certain
> > user to run the needed commands and only the needed commands as root.
> > http://www.gratisoft.us/sudo/
> > http://sial.org/howto/openssh/publickey-auth/
>
> Yes, but in the OP's context, providing this would mean that ANY command
> supplied via the web interface would be allowed whether SSH or sudo was
> used to perform the remote execution via the web server.
>
> IMHO, there needs to be a distinctive separation as the 'support'
> person's request comes via the browser. If it is an 'adduser' type
> request, all aspects (mail, RADIUS etc.) need to have their own
> input-type authentication/authorization check on the input.
>
> Although sudo and SSH are part of the solution, providing a web server
> with full rights on a remote server if they can gain keyless entry is a
> large mistake.

Steve, at no point does the original email say "we need to execute user
input". sudo does not equate to providing full rights. I suggest reading
the manpage. Check yourself before you wreck yourself.

> Tunneling via SSH and escalating via sudo are both good ideas. But I think
> in the OP's context, there needs to be some intensive checks and bounds
> in between that make it *harder* for him to achieve his goals than what
> it could be.
>
> I don't think anyone would want the following scenario:
>
> - you pass https://url.com?blah&blahetc to webserver
> - webserver, via password-less ssh, executes via sudo a command on remote
>   RADIUS/mail to introduce a new user, perhaps in wheel group
> - owned
>
> Steve

-- 
The Mafia way is that we pursue larger goals under the guise of personal
relationships.
Fisheye
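Added example (not from either poster, and not part of the original thread): the two positions above are reconciled by pinning the web server's key to a forced command and having that command whitelist the request before sudo ever sees it, so the key cannot run anything else and the sudo rule covers one program, not a shell. The script is a hypothetical wrapper for the FreeBSD RADIUS/mail host; the path /usr/local/sbin/provision-wrapper, the 'support' account, the authorized_keys line, the sudoers line and the choice of `pw useradd` are all assumptions for illustration.

```sh
#!/bin/sh
# Hypothetical forced-command wrapper for the web server's SSH key on the
# RADIUS/mail host (added example; not from the original thread).
#
# Pin the web server's key to this script in ~support/.ssh/authorized_keys so
# that key can run nothing else, and switch off what it does not need:
#
#   command="/usr/local/sbin/provision-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... www@webhost
#
# Let sudo run only the one program, never a shell (sudoers, via visudo):
#
#   support ALL=(root) NOPASSWD: /usr/sbin/pw useradd *
#
# sudoers wildcards match the whole argument string and are too loose to be
# the input check; the whitelist below is where the request is validated.
set -e

# Accept a username only if it is 1-16 characters, starts with a lowercase
# letter, contains nothing but [a-z0-9_-], and is not a privileged account.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
        root|toor|operator|daemon) return 1 ;;
    esac
    [ "${#1}" -le 16 ] || return 1
    return 0
}

# The only request shape accepted is "adduser <name>": two words, one space.
# On success the validated name is printed; anything else returns nonzero,
# so "adduser bob; rm -rf /", "adduser -m" or a second line are all rejected.
parse_request() {
    case "$1" in
        adduser\ *) ;;
        *) return 1 ;;
    esac
    name=${1#"adduser "}
    valid_username "$name" || return 1
    printf '%s\n' "$name"
}

# Execute the single permitted action with the name as its own argv word
# (no shell re-parsing of the request), or log and refuse.
handle_request() {
    if name=$(parse_request "$1"); then
        exec sudo -n /usr/sbin/pw useradd "$name" -m
    fi
    logger -t provision-wrapper "rejected request from ${SSH_CLIENT:-unknown}: $1"
    echo rejected >&2
    exit 1
}

# sshd passes the client's requested command in SSH_ORIGINAL_COMMAND when a
# forced command is in effect; without it, only define the functions.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    handle_request "$SSH_ORIGINAL_COMMAND"
fi
```

The web server then runs `ssh support@radiushost adduser bob` and nothing more expressive; whatever it sends is reduced to one validated username or a logged rejection, which is the "check on the input" Steve asks for without giving the key or the sudo rule any more reach than the one command.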