Date: Mon, 11 Sep 2006 09:56:42 -0500
From: Kirk Strauser <kirk@strauser.com>
To: freebsd-questions@freebsd.org
Subject: Re: Putting a command/script as a user's shell
Message-ID: <200609110956.51060.kirk@strauser.com>
In-Reply-To: <450570AA.6050505@orchid.homeunix.org>
References: <450570AA.6050505@orchid.homeunix.org>
On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
> Good day everyone,
>
> I'm trying to make it possible to restart (as in 'shutdown -r now') a
> FreeBSD based router from LAN network as easy as possible so it can be
> used by non-technical people.
First of all, it's easy enough to do this securely that you might as well do
it. Install sudo, and use "visudo" to create a sudoers file with entries
like:
User_Alias REBOOTERS = username1,username2,username3
REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot
Next, create a reboot script for them:
# cat /usr/local/sbin/reboot.sh
#!/bin/sh
exec sudo /sbin/reboot
Finally, use OpenSSH's built-in options to run the script at login. From
sshd(8):
AUTHORIZED_KEYS FILE FORMAT
[....]
command="command"
Specifies that the command is executed whenever this key is used
for authentication.
So, make each user's authorized_keys file look something like:
command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] username1@example.com
Alternatively, do all the above for one single account: your "restart" user.
Use authorized_keys to limit which of your real users has access to reboot
the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.
You could even go so far as to add a clause to /etc/ssh/ssh_config (or
~/.ssh/config for each individual user) like:
Host rebootrouter
Hostname balkyrouter.example.com
User restart
so that your users just run "ssh rebootrouter".
So, to recap, when a user logs in, the reboot.sh script will be executed. It
will use sudo to run the reboot command as root, without prompting the user
to enter any password. It's easy, it works, and it doesn't require any
setuid trickery or special accounts or anything else.
--
Kirk Strauser
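Added example, not from the message above or from FreeBSD/OpenSSH: a small POSIX shell script that assembles the three pieces of the recipe (sudoers rule, forced-command script, authorized_keys line) as text and checks the authorized_keys line. The check exists because sshd reads the `command="..."` option only when it precedes the key type on the same line; a key on one line followed by `command=` on the next gives that key an unrestricted login. The line it builds also adds `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty`, which a forced command alone does not imply. The script path, the REBOOTERS alias and the key material are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of Kirk Strauser's message. It assembles the
# three pieces of his recipe as text (sudoers rule, forced-command script,
# authorized_keys line) and checks the authorized_keys line, because sshd
# honours command="..." only when it precedes the key type on the SAME
# line. The script path, the "REBOOTERS" alias and the key material below
# are assumptions / constructed placeholders.

SCRIPT=/usr/local/sbin/reboot.sh
REBOOT_CMD=/sbin/reboot

# sudoers rule: the listed users may run exactly one command as root,
# without a password. $1 is a comma-separated user list.
make_sudoers_rule() {
    printf 'User_Alias REBOOTERS = %s\nREBOOTERS ALL = (root) NOPASSWD: %s\n' \
        "$1" "$REBOOT_CMD"
}

# The forced-command script. It ignores $SSH_ORIGINAL_COMMAND on purpose:
# whatever the client asks for, the only thing that ever runs is the reboot.
make_reboot_script() {
    printf '#!/bin/sh\nexec sudo %s\n' "$REBOOT_CMD"
}

# One authorized_keys line: options, then the key, then its comment.
# The extra options close the side doors a forced command alone leaves
# open (TCP/agent/X11 forwarding and an interactive PTY).
# $1 is the public key as written by ssh-keygen ("ssh-rsa AAAA... comment").
make_authorized_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$SCRIPT" "$1"
}

# Return 0 only if the line carries a forced command plus the four
# restrictions, all in front of an ssh-* key type. A bare command="..."
# on a line of its own is rejected: sshd skips it, and the key on the
# previous line then grants an unrestricted shell.
check_authorized_line() {
    case "$1" in
        *" ssh-"*) _opts=${1%% ssh-*} ;;
        *)         return 1 ;;
    esac
    case "$_opts" in
        *command=\"*\"*) ;;
        *)               return 1 ;;
    esac
    for _need in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case ",$_opts," in
            *",$_need,"*) ;;
            *)            return 1 ;;
        esac
    done
    return 0
}

# Demonstration on a constructed key (not a real key).
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0nstructed username1@example.com'
make_sudoers_rule 'username1,username2,username3'
make_reboot_script
LINE=$(make_authorized_line "$DEMO_KEY")
printf '%s\n' "$LINE"
if check_authorized_line "$LINE"; then echo 'authorized_keys line OK'; fi
if ! check_authorized_line "command=\"$SCRIPT\""; then
    echo 'bare command= line rejected (key must be on the same line)'
fi
```

The four `no-*` options are what sshd of that era offered; OpenSSH 7.2 and later also accept the single `restrict` option, which disables all of them (and anything added since) in one word. Either way, keep the sudoers rule naming the exact binary with no wildcard, and make the wrapper executable (mode 0755, owned by root) before pointing `command=` at it.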
