From: Karol Kwiatkowski
Date: Tue, 12 Sep 2006 13:45:34 +0200
To: Kirk Strauser
Cc: freebsd-questions@freebsd.org
Subject: Re: Putting a command/script as a user's shell
Message-ID: <45069DDE.5090408@orchid.homeunix.org>
In-Reply-To: <200609110956.51060.kirk@strauser.com>

On 11/09/2006 16:56, Kirk Strauser wrote:
> On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
>> Good day everyone,
>>
>> I'm trying to make it possible to restart (as in 'shutdown -r now') a
>> FreeBSD based router from LAN network as easy as possible so it can be
>> used by non-technical people.
>
> First of all, it's easy enough to do this securely that you might as well do
> it. Install sudo, and use "visudo" to create a sudoers file with entries
> like:
>
> User_Alias REBOOTERS = username1,username2,username3
> REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot
>
> Next, create a reboot script for them:
>
> # cat /usr/local/sbin/reboot.sh
> sudo /sbin/reboot
>
> Finally, use OpenSSH's built-in options to run the script at login. From
> sshd(8):
>
> AUTHORIZED_KEYS FILE FORMAT
>
> [....]
>
> command="command"
> Specifies that the command is executed whenever this key is used
> for authentication.
>
> So, make each user's authorized_keys file look something like:
>
> ssh-rsa [long base64 string] username1@example.com
> command="/usr/local/sbin/reboot.sh"
>
> Alternatively, do all the above for one single account: your "restart" user.
> Use authorized_keys to limit which of your real users has access to reboot
> the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.
> You could even go so far as to add a clause to /etc/ssh/ssh_config (or
> ~/.ssh/config for each individual user) like:
>
> Host rebootrouter
>     Hostname balkyrouter.example.com
>     User restart
>
> so that your users just run "ssh rebootrouter".
>
> So, to recap, when a user logs in, the reboot.sh script will be executed. It
> will use sudo to run the reboot command as root, without prompting the user
> to enter any password. It's easy, it works, and it doesn't require any
> setuid trickery or special accounts or anything else.

Hi Kirk,

I wasn't aware of the 'command' option in the authorized_keys file and that's
exactly what I need :)

The rest is more or less what I was thinking of, with the exception that I
tried to avoid installing sudo just to do this. So here's what I ended up with:

- user 'restart' in group 'operator' (I need another user because there are
  no 'normal' users on the router except me)
- public/private key pair for authorization
- command="/sbin/shutdown -r now" in /home/restart/.ssh/authorized_keys

Works as expected even with windows/putty clients :)

Thanks for your reply.

Karol

-- 
Karol Kwiatkowski
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
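An added example, not from either message in this thread, of the forced-command setup discussed above with two details a practitioner would want on top of it. First, in the authorized_keys format documented in sshd(8) the options come before the key type, and a `command=` option on its own still lets the key open port forwards, agent forwards, X11 forwards and a pty, so the `no-*` options (or the single `restrict` keyword in OpenSSH 7.2 and later) should be set alongside it. Second, sshd exports whatever the client asked to run in `SSH_ORIGINAL_COMMAND`, so a small wrapper can log each request and refuse anything other than a plain login or the word `reboot` instead of handing the client a shell. The wrapper runs as the `restart` user, so it relies on the same operator-group permission for `shutdown` that Karol's setup uses; the path `/usr/local/sbin/reboot-only.sh` and the `run` argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the thread's own code): forced-command wrapper for a
# reboot-only SSH account, plus a helper that emits the matching
# authorized_keys line.  Script path and the "run" argument are assumed.
set -eu

# Path sshd will invoke for this key (assumed location).
WRAPPER="/usr/local/sbin/reboot-only.sh"

# Emit one authorized_keys line.  Options precede the key, as sshd(8)
# requires; the no-* options close the other channels a key could use.
# $1 = key type, $2 = base64 key blob, $3 = comment
authorized_keys_entry() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="%s run" %s %s %s\n' \
        "$WRAPPER" "$1" "$2" "$3"
}

# Decide whether the client's request is acceptable.  sshd puts the command
# the client asked for into SSH_ORIGINAL_COMMAND; it is empty when the user
# simply ran "ssh rebootrouter".  Returns 0 to allow, 1 to refuse.
allow_request() {
    case "$1" in
        ""|reboot) return 0 ;;
        *)         return 1 ;;
    esac
}

# Body executed when sshd runs the wrapper: log the request, then either
# reboot or refuse.  SSH_CLIENT is set by sshd and records the peer address.
main() {
    if allow_request "${SSH_ORIGINAL_COMMAND:-}"; then
        logger -t reboot-only "reboot requested by ${USER:-?} from ${SSH_CLIENT:-?}"
        exec /sbin/shutdown -r now
    fi
    logger -t reboot-only "refused '${SSH_ORIGINAL_COMMAND:-}' from ${SSH_CLIENT:-?}"
    echo "this key may only be used to reboot the router" >&2
    exit 1
}

# sshd invokes the script with the single argument "run" (see the
# authorized_keys line emitted above).  Without that argument the file only
# defines the functions, so the logic can be exercised without rebooting.
if [ "${1:-}" = "run" ]; then
    main
fi
```

To install it, write the wrapper to the assumed path, make it executable, and append the output of `authorized_keys_entry ssh-rsa '<base64 key>' user1@example.com` to `/home/restart/.ssh/authorized_keys`; the refusal path means `ssh rebootrouter sh` or an `scp` attempt produces a syslog line instead of a session.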