Date:      Tue, 29 Jul 2003 13:24:47 -0400
From:      "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To:        <freebsd-isp@freebsd.org>
Cc:        mwilliams@2goons.net
Subject:   RE: using SSH to execute commands on remote servers as different user
Message-ID:  <DBEIKNMKGOBGNDHAAKGNIEOFCNAC.dave@hawk-systems.com>
In-Reply-To: <hisp1x.6lyf9q@admin.2goons.net>

>I know this could pose as a security problem, but one of the things I do is
>"shared-keys". Once you share the key with the remote server (in this case
>your "sysadmin" account) that account will be able to log into the system
>without a password.
>
>Example:
>
>Server A ---shared key for sysadmin-->Server B,C,D,E,F
>
>User sysadmin on server A now has access to B,C,D,E,F without the password.
>
>How to do it. (On Server A as user sysadmin)
>
>ssh-keygen -t rsa -b 1024 -f ~/.ssh/identity (or just ssh-keygen)
>(.ssh/identity and .ssh/identity.pub will be created for you)
>
>cat .ssh/identity.pub | ssh sysadmin@ServerX 'cat >> .ssh/authorized_keys'
>
>You should be able to log into ServerX from ServerA as sysadmin.
>
>I jail my user and only give them access to the things I need. Again, this is
>not secure if someone breaks into your ServerA and logs into remote machines
>via sysadmin. So, make sure you take all of the necessary steps to lock
>down that sysadmin user before doing the above.

This is what we currently do for the sysadmin account.  I however do not want to
do this for other occasional accesses I need to establish to those boxes.  More
correctly, I want to allow a script to run the ssh occasionally as another user
without placing an auth_key on the remote server which would give that user
access on that server outside of the confines of the script(s) that we want to
and outside of the limited time constraints that we require it.

On serverA (our master) we have the sysadmin account.  Occasionally that account will
need to connect to serverB or serverC as the userA or userB account.  I do not want
to put a userA or userB account on serverA.

I want sysadmin to connect to serverB as userA

Again, easy to do from shell:
	ssh -l userA serverB command

but how to pass the authentication portion from the script?

thanks

Dave
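The quoted post pushes a raw identity.pub into authorized_keys, which is exactly the unrestricted access Dave wants to avoid. OpenSSH's authorized_keys options can confine such a key to one forced command, one source host and no forwarding or PTY; the helper below builds that line. This is an added example, not code from either poster; the sample public key is constructed and the host name and command path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build an authorized_keys line that
# confines a pushed public key to one forced command, one source host and no
# forwarding or PTY. The option names are OpenSSH sshd authorized_keys options;
# the host name and command path used below are assumptions for illustration.

# Constructed sample public key, standing in for ~/.ssh/identity.pub.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedPlaceholderKeyData0123456789 sysadmin@serverA'

# restrict_key FROM_HOST FORCED_COMMAND PUBKEY_LINE
# Prints one authorized_keys line: the key type, blob and comment are kept
# verbatim and the restricting options are prepended.
restrict_key() {
    from_host=$1
    forced_cmd=$2
    pubkey=$3
    # Only accept a bare key of a known type; a line that already starts with
    # options is refused so an existing restriction is never silently replaced.
    case $pubkey in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*) ;;
        *) echo "refusing unsupported or option-prefixed key" >&2; return 1 ;;
    esac
    # A double quote inside the forced command would end the option string
    # early and let the remainder be parsed as further options.
    case $forced_cmd in
        *\"*) echo "forced command must not contain double quotes" >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$from_host" "$forced_cmd" "$pubkey"
}

# Usage on serverB as userA (assumed paths): append the restricted line instead
# of the raw identity.pub; sysadmin's script on serverA can then run only that
# one command, and only from serverA.
#   restrict_key 'serverA.example.org' '/usr/local/bin/rotate-logs' "$SAMPLE_PUBKEY" >> ~/.ssh/authorized_keys
```

The private key on serverA still grants that one command to anyone who can read it, so it belongs to the script's owner with mode 0600, and sshd's `command=` ignores whatever command the client asks for.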