Date:      Tue, 29 Jul 2003 13:14:17 -0500
From:      "Mark Johnston" <mjohnston@skyweb.ca>
To:        <isp@freebsd.org>, "'Dave [Hawk-Systems]'" <dave@hawk-systems.com>
Subject:    Re: using SSH to execute commands on remote servers as different user
Message-ID:  <007501c355fd$39ccdd40$be0fa8c0@MJOHNSTON>
In-Reply-To: <DBEIKNMKGOBGNDHAAKGNIEOFCNAC.dave@hawk-systems.com>

Dave [Hawk-Systems] wrote:
> More correctly, I want to allow a script to run the ssh occasionally
> as another user without placing an auth_key on the remote server which
> would give that user access on that server outside of the confines
> of the script(s) that we want to and outside of the limited time
> constraints that we require it.

What about checking the scripts and time constraints with OpenSSH's
forced command function?  You can set up a key like this:

command="/home/user/check_perm" ssh-rsa AAAAetc...

and within check_perm, you can verify the command to be run, do further
access control or logging, etc.  You can even have check_perm delete
its entry from the authorized_keys file afterwards, for a one-time
run.  See ssh(1), section ENVIRONMENT, for more info on how to write the
permission checking script.

> on serverA (our master) we have sysadmin account.  Occasionally that
> account will need to connect to serverB or serverC as userA or userB
> account.  I do not want to put a userA or userB account on serverA.

There's no need to have a corresponding account on serverA for
the target account on serverB.  ssh -l should work fine going from
sysadmin@serverA to userB@serverB, even if you're using a key for
authentication.  You can use -i to specify an alternate identity file if
you want to use a different key.

> I want sysadmin to connect to serverB as userA
> 
> Again, easy to do from shell;
> 	ssh -l userA serverB command
> 
> but how to pass the authentication portion from the script?

Public key authentication is exactly what you want.  Otherwise, you'll
be trying to pass in the password from your script, which is neither fun
nor a good idea.

Mark
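A minimal check_perm of the kind Mark describes above, written here as an added example (not code from the thread): it validates SSH_ORIGINAL_COMMAND against an exact-match allowlist and a time window, logs the decision, and can remove its own entry from authorized_keys for a one-time run. The two allowed commands, the 01:00 to 05:00 window and the key strings are constructed for this example.

```shell
#!/bin/sh
# check_perm: forced-command wrapper for an authorized_keys entry such as
#   command="/home/user/check_perm" ssh-rsa AAAA...
# sshd exports the command the client asked for as SSH_ORIGINAL_COMMAND
# (ssh(1), ENVIRONMENT); whatever the client sends, only this script runs.

# Allowlist of exact command lines, one per line (constructed for this example).
ALLOWED='/usr/local/bin/rotate-logs
/usr/local/bin/backup-db'
# Permitted hours, 24h clock, server local time (assumed maintenance window).
WINDOW_START=1
WINDOW_END=5

# check_command CMD -> 0 if CMD is exactly one allowlisted line, else 1.
check_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1
    # refuse shell metacharacters outright, independent of the allowlist
    case $cmd in *[';|&$`()<>']*) return 1 ;; esac
    printf '%s\n' "$ALLOWED" | grep -qxF -- "$cmd"
}

# check_time HOUR -> 0 if HOUR lies inside the window, else 1.
check_time() {
    [ "$1" -ge "$WINDOW_START" ] && [ "$1" -le "$WINDOW_END" ]
}

# revoke_key KEYFILE KEY -> drop the line carrying KEY (one-time-use key).
revoke_key() {
    # grep exits 1 when no other lines remain; that is not an error here
    grep -vF -- "$2" "$1" > "$1.tmp" || :
    mv "$1.tmp" "$1"
}

main() {
    hour=$(date +%H); hour=${hour#0}
    if check_command "$SSH_ORIGINAL_COMMAND" && check_time "$hour"; then
        logger -t check_perm "allowed '$SSH_ORIGINAL_COMMAND' for $USER"
        # unquoted on purpose: the line already matched the allowlist exactly
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t check_perm "denied '$SSH_ORIGINAL_COMMAND' for $USER"
    exit 1
}

# Act as the wrapper only when sshd invoked us (SSH_ORIGINAL_COMMAND is set).
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then main; fi
```

Because the match is exact, a key bound to this script can run only the listed argument-free commands; to allow a one-time run, have the allowed command (or main) call revoke_key on the caller's authorized_keys with its own key string.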
