From owner-freebsd-security  Thu Mar 28  0:46:26 2002
Delivered-To: freebsd-security@freebsd.org
Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240])
	by hub.freebsd.org (Postfix) with ESMTP id 2663237B41F
	for <freebsd-security@freebsd.org>; Thu, 28 Mar 2002 00:46:21 -0800 (PST)
Received: (qmail 57688 invoked by uid 1000); 28 Mar 2002 08:46:15 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 28 Mar 2002 08:46:15 -0000
Date: Thu, 28 Mar 2002 00:46:05 -0800 (PST)
From: Jason Stone <jason@shalott.net>
X-X-Sender:  <jason@walter>
To: Fernan Aguero <fernan@iib.unsam.edu.ar>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: using ssh to run remote commands?
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>
Message-ID: <20020328003857.J5333-100000@walter>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> I'd like to know how to run remote commands using ssh. I know I can do
> it as myself, but I'd like to know how can I set up my systems to
> allow non-login users (root, operator, amanda) to run remote commands
> on other hosts.

You can't - ssh will always try to run a command by calling the user's
shell, so unless you patch it, you _must_ give the user a valid shell.

The best you can do is to give the user a valid shell but an invalid
password (eg, "*") and use ssh keys to authenticate.  For additional
security, you can specify a command along with the key in the
authorized_keys file so that the key can _only_ be used to run that
command (and not to get a shell).  man ssh, ssh-keygen.


 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet.  Here's what I worry about.  I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
	-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8othXswXMWWtptckRAsYLAJ9Xkk7nHT5v96DxvTIiagd0elMvAACgn1qO
4TtJLt7YCkrAMmgWtskX7sk=
=jZLv
-----END PGP SIGNATURE-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message