Date: Mon, 11 Sep 2006 09:56:42 -0500
From: Kirk Strauser <kirk@strauser.com>
To: freebsd-questions@freebsd.org
Subject: Re: Putting a command/script as a user's shell
Message-ID: <200609110956.51060.kirk@strauser.com>
In-Reply-To: <450570AA.6050505@orchid.homeunix.org>
References: <450570AA.6050505@orchid.homeunix.org>

On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
> Good day everyone,
>
> I'm trying to make it possible to restart (as in 'shutdown -r now') a
> FreeBSD based router from LAN network as easy as possible so it can be
> used by non-technical people.

First of all, it's easy enough to do this securely that you might as well do
it. Install sudo, and use "visudo" to create a sudoers file with entries
like:

    User_Alias REBOOTERS = username1,username2,username3
    REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot

Next, create a reboot script for them:

    # cat /usr/local/sbin/reboot.sh
    sudo /sbin/reboot

Finally, use OpenSSH's built-in options to run the script at login. From
sshd(8):

    AUTHORIZED_KEYS FILE FORMAT
    [....]
    command="command"
            Specifies that the command is executed whenever this key is used
            for authentication.

So, make each user's authorized_keys file look something like:

    command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] username1@example.com

Alternatively, do all the above for one single account: your "restart" user.
Use authorized_keys to limit which of your real users has access to reboot
the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.
You could even go so far as to add a clause to /etc/ssh/ssh_config (or
~/.ssh/config for each individual user) like:

    Host rebootrouter
        Hostname balkyrouter.example.com
        User restart

so that your users just run "ssh rebootrouter".

So, to recap, when a user logs in, the reboot.sh script will be executed. It
will use sudo to run the reboot command as root, without prompting the user
to enter any password. It's easy, it works, and it doesn't require any
setuid trickery or special accounts or anything else.
-- 
Kirk Strauser
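
Added example (not part of the original message, and not Kirk Strauser's code): sshd only honours command= when it sits in the options field before the key type; text after the key is a comment, so a key entered that way is not restricted at all. The sh/awk audit below lists keys that are not pinned to the forced command. The function names and sample keys are constructed for illustration.

```sh
#!/bin/sh
# Usage: audit_forced_command FILE COMMAND   (FILE may be "-" for stdin)
# Prints one line per key that is not pinned to COMMAND; returns 1 if any.
audit_forced_command() {
    awk -v want="$2" '
    # Return the options field of an authorized_keys line, or "" when the
    # line starts directly with a key type (no options at all).
    function opt_field(line,    i, c, inq) {
        if (line ~ /^(ssh-|ecdsa-|sk-)/) return ""
        inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\\" && inq) { i++; continue }  # escaped char in quotes
            if (c == "\"") inq = !inq
            else if (!inq && (c == " " || c == "\t")) break
        }
        return substr(line, 1, i - 1)
    }
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    {
        sub(/^[ \t]+/, "")
        opts = opt_field($0)
        if (index("," opts ",", ",command=\"" want "\",") == 0) {
            printf "line %d: key not pinned to %s\n", NR, want
            bad++
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample input: placeholder key material, not real keys.
sample_keys() {
    cat <<'EOF'
# authorized_keys for the "restart" account (constructed sample)
command="/usr/local/sbin/reboot.sh",no-pty,no-port-forwarding ssh-ed25519 AAAAconstructed1 username1@example.com
ssh-rsa AAAAconstructed2 username2@example.com command="/usr/local/sbin/reboot.sh"
no-pty ssh-rsa AAAAconstructed3 username3@example.com
environment="NOTE=a b",command="/usr/local/sbin/reboot.sh" ssh-rsa AAAAconstructed4 username1@example.com
EOF
}

# Demo: reports the misplaced command= and the key with no command= at all.
sample_keys | audit_forced_command - /usr/local/sbin/reboot.sh || true
```
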