From: "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To: freebsd-isp@freebsd.org
Date: Tue, 29 Jul 2003 12:20:03 -0400
Subject: using SSH to execute commands on remote servers as different user
List-Id: Internet Services Providers

To update, modify, and do other ISP type things to user accounts and files on remote servers, we commonly use SSH to run commands remotely. To date, we have been running them as user sysadmin for example, where that same user account exists on all the servers with the appropriate permissions to do only what it requires, and the user@master_server added to authorized_keys for that user. Much of this is through a separate apache daemon running as that user on the master_server. We find ourselves in a position to need to access, on occasion, other user accounts to accomplish similar tasks.
From the command line this would be easy:

    ssh -l otheruser server command

but inputting the password for that user represents a challenge. We do not want to store that password in all the scripts, nor have it available to any files that the separate web server views (regardless of the security precautions). In reading, I am thinking that the "-i identity_file" option might contain the magic bullet we are looking for. Finding some good examples on how to use that to bypass the above problem, though, has to date been difficult.

Any comments/help on the above, or other alternatives if the -i flag is a dead end?

Thanks,
Dave
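The pattern the post is reaching for, as an added example that is not part of the original message: a dedicated private key on the master server (used with "-i identity_file", so no password is ever stored) whose public half is installed on the target account with a forced command and source restriction. The key then cannot be used to get a shell on the other account, only to run the maintenance actions the wrapper allows. The functions below build and check such an authorized_keys line and show the dispatch logic of the wrapper; the public key material, host address and wrapper path are constructed placeholders, and the action names are hypothetical. The option names (from=, command=, no-pty, no-port-forwarding, no-X11-forwarding, no-agent-forwarding) are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH authorized_keys
# option syntax; all values below are constructed placeholders.

# Constructed placeholder public key (not a real key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholderKeyMaterial== sysadmin@master_server'

# restricted_entry FROM_HOST WRAPPER PUBKEY
# Emits one authorized_keys line for the target account that:
#  - only accepts this key from the master server (from=),
#  - always runs WRAPPER instead of whatever the client asked for (command=;
#    the client's request is passed to the wrapper in $SSH_ORIGINAL_COMMAND),
#  - disables port/X11/agent forwarding and pty allocation.
restricted_entry() {
    from_host=$1
    wrapper=$2
    pubkey=$3
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$from_host" "$wrapper" "$pubkey"
}

# check_entry LINE
# Returns 0 only if the line carries both a forced command and a from=
# restriction. Run it before appending to ~otheruser/.ssh/authorized_keys so
# an unrestricted key is never installed on a shared account by mistake.
check_entry() {
    case $1 in
        *command=\"*from=\"*|*from=\"*command=\"*) return 0 ;;
        *) return 1 ;;
    esac
}

# dispatch ORIGINAL_COMMAND
# Core of the forced-command wrapper: only the listed maintenance actions are
# accepted; anything else (including a plain shell request) is refused.
# The real wrapper would exec the underlying command in each branch; here the
# branches only report the action so the example runs offline.
dispatch() {
    case $1 in
        quota-report) echo "action: quota-report" ;;
        rotate-logs)  echo "action: rotate-logs" ;;
        *) echo "refused: $1" >&2; return 1 ;;
    esac
}

# The wrapper installed as the command= target is just:
#   dispatch "$SSH_ORIGINAL_COMMAND"
# On the master server the scripts then run, with no password involved:
#   ssh -i /usr/local/etc/maint_key -l otheruser server quota-report

restricted_entry "206.47.131.12" "/usr/local/sbin/maint-wrapper" "$SAMPLE_PUBKEY"
```

The private key file on the master server needs the same care the post wants for a password: owned by the account that runs the scripts, mode 0600, and outside any tree the separate web server can read. Because the forced command ignores the client-supplied command, even a leaked key only yields the actions the wrapper dispatches.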