From owner-freebsd-isp@FreeBSD.ORG Tue Jul 29 09:42:03 2003 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7660637B401 for ; Tue, 29 Jul 2003 09:42:03 -0700 (PDT) Received: from mail.2goons.net (2goons.net [216.27.161.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A30343F93 for ; Tue, 29 Jul 2003 09:41:58 -0700 (PDT) (envelope-from mwilliams@2goons.net) Received: (qmail 97875 invoked by uid 89); 29 Jul 2003 16:41:57 -0000 Received: from unknown (HELO admin.2goons.net) (mwilliams@216.27.161.249) by 2goons.net with SMTP; 29 Jul 2003 16:41:57 -0000 MIME-Version: 1.0 X-Mailer: V-webmail 1.5.0 ( http://www.v-webmail.co.uk/ ) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-ID: In-Reply-To: References: Date: Tue, 29 Jul 2003 12:41:57 -0400 From: "MFW" To: "Dave [Hawk-Systems]" , Subject: Re: using SSH to execute commands on remote servers as different user X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: mwilliams@2goons.net List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Jul 2003 16:42:03 -0000 Dave, I know this could pose as a security problem, but one of the things I do is "shared-keys". Once you share the key with the remote server (in this case your "sysadmin" account) that account will be able to log into the system without a password. Example: Server A ---shared key for sysadmin-->Server B,C,D,E,F User sysadmin on server A now has access to B,C,D,E,F without the password. How to do it.(On Server A as user sysadmin) ssh-keygen -t rsa -s 1024 -f ~/.ssh/identity (or just ssh-keygen) (.ssh/identity and .ssh/identity.pub will be created for you) cat .ssh/identity.pub | ssh sysadmin@ServerX 'cat >> .ssh/authorized_keys' You should be able to log into ServerX from ServerA as sysadmin. I jail my user and only give them access to the things I need. Again, this is not secure if someone breaks into your ServerA and logs into remote machines via sysadmin. So, make sure you take all of the necessary steps to locking down that sysadmin user before doing the above. I hope that helps. MFW "Dave [Hawk-Systems]" wrote: > To update, modify, and do other ISP type things to user accounts and files on > remote servers, we commonly use SSH to run commands remotely. To date, we > have > been running them as user sysadmin for example, where that same user account > exists on all the servers with the appropriate permissions to do only what it > requires, and the user@master_server added to authorized_keys for that user. > Much of this is through a seperate apache daemon running as that user on the > master_server. > > We find ourself in a position to need to access, on occasion, other user > accounts to occomplish similar tasks. from the command line this would be easy > ssh -l otheruser server command > but inputting the password for that user represents a challenge. We do not > want > to store that password in all the scripts, nor have them available to any > files > that the seperate web server views (regardless of the security precautions). > > In reading, I am thinking that the "-i identity_file" might contain the magic > bullet we are looking for. Finding some good examples on how to use that to > bypass the above problem though has to date been difficult. > > any comments/help on the above, or other alternatives if the -i flag is a dead > end? > > thanks > > Dave > > > > _______________________________________________ > freebsd-isp@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-isp > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org" > _________________________________________________________ This mail sent using V-webmail - http://www.v-webmail.org