Thanks to Stephen Harris, Nick Hindley, Julian Simpson, Michael Groisman, Ed Rolison, Markus Wildemann, Eduardo Sanchez.

SOLUTION:

The recommended (and probably most secure) way is to use public-key authorization in ssh. I made it work this way:

I need to execute "mkdir /home/newuser" from server A as nobody (using a web page) on server B.

1) Enable a shell (just for creating the .ssh2 directory the first time) and a real home directory for nobody on A.
2) Create a private and public key:
       ssh-keygen2 -P        (don't ask for a password)
3) Rename the created id_dsa... to serverA.
4) Rename the created id_dsa...pub to serverA.pub.
5) Create $HOME/.ssh2/identification with this line:
       idkey serverA
6) Now you can disable the shell for nobody, but keep the home dir! (ssh needs it)
7) Add user power_u on server B with shell /usr/bin/pfcsh.
8) Add this line to /etc/user_attr on server B:
       power_u::::type=normal;profiles=Power User
9) Add this line to /etc/security/exec_attr on server B:
       Power User:suser:cmd:::/usr/local/bin/createuser:uid=0
10) Create the script /usr/local/bin/createuser, which will run under uid 0 when executed by power_u:
       #!/bin/sh
       mkdir /home/aaaaa
11) Copy serverA.pub to /home/power_u/.ssh2/ on server B.
12) Add this line to /home/power_u/.ssh2/authorization on server B:
       key serverA.pub
13) Create a web page on server A, e.g.:
       #!/usr/bin/perl -w
       use strict;
       use CGI;

       my $q = CGI->new;
       print $q->header, $q->start_html;

       # Run ssh2 as a child process and read its output through a pipe
       # (the "-|" open). The list form hands the arguments to ssh2 directly,
       # without a shell in between (needs perl 5.8 or later).
       if (open(my $ssh, '-|', '/usr/local/ssh2/bin/ssh2',
                'power_u@serverB', '/usr/local/bin/createuser')) {
           print while <$ssh>;                  # show whatever ssh2 printed
           close($ssh)
               or print "ssh2 exited with status ", $? >> 8;
       } else {
           print "cannot run ssh2: $!";
       }

       print $q->end_html;
14) Test it :) - now there should be a directory /home/aaaaa on server B.
15) If you need to place the keys elsewhere on server A, add the option -i /path/to/identification/file to ssh, and put the full path to the serverA file on the idkey line in that file.
16) I've used another user (power_u) because he can run just one command as root and I don't want to allow root to ssh.

That's all. If you have any comments on this (security, functional), please mail me.
Ladislav Kostal

ORIGINAL POSTING:

How can I remotely exec some command as root?

Example: I have 2 servers - A is the administrative server, B is the server for users. I need to create an account on server B from server A. I know about using ssh and public-key authorization for this, but is it secure enough, or is there something better?

ADD: I forgot to add that I need to run the command from web pages - e.g. administrative scripts for creating users on the other server. As the web server runs as the nobody user, how do I use public-key authorization (no passphrase)?

       server A (nobody) -> server B (root)
       e.g. index.pl (nobody) -> mkdir /home/user1 (root)

Received on Tue Nov 27 16:28:04 2001
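The weak point of the setup above is the uid-0 script behind the exec_attr entry: everything the "Power User" profile grants rides on it, and whoever holds serverA's private key (the nobody user on server A, i.e. anything the web server runs) can invoke it with any argument. Once the script takes a login name from the web page instead of a hard-coded "aaaaa", the name has to be validated on server B, not only in the CGI. The following is an added example of such a stricter createuser wrapper; it is not the original poster's script. It assumes a single argument (the login name) and a HOME_BASE directory (default /home), and the naming policy it enforces (1 to 8 characters, lowercase letter first, then [a-z0-9_-]) is this example's assumption, not something the original post specifies:

```shell
#!/bin/sh
# Added example, not the original poster's /usr/local/bin/createuser: a
# stricter wrapper for the script that the "Power User" exec_attr entry runs
# as uid 0 when power_u executes it. The caller can pass any argument, so the
# login name is checked here. Assumed interface: one argument, the login name;
# HOME_BASE is the directory under which home directories are created.

HOME_BASE="${HOME_BASE:-/home}"

# valid_login NAME: returns 0 if NAME is an acceptable login name, 1 otherwise.
# Policy assumed for this example: 1 to 8 characters (the traditional Solaris
# limit), a lowercase letter first, then only [a-z0-9_-]. "." and "/" are
# never accepted, so "$HOME_BASE/$NAME" cannot escape HOME_BASE.
valid_login() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or a character outside the set
        [!a-z]*)          return 1 ;;   # must start with a lowercase letter
    esac
    [ ${#1} -le 8 ] || return 1
    return 0
}

# create_home NAME: creates $HOME_BASE/NAME with mode 0700. Returns 0 on
# success, 2 for a rejected name, 3 if the directory already exists, 4 if
# mkdir itself failed. Setting ownership (chown NAME once the account exists)
# is left out of this example. The rejected name is deliberately not echoed.
create_home() {
    name=$1
    if ! valid_login "$name"; then
        echo "createuser: refusing invalid login name" >&2
        return 2
    fi
    dir="$HOME_BASE/$name"
    if [ -e "$dir" ]; then
        echo "createuser: $dir already exists" >&2
        return 3
    fi
    mkdir -m 0700 "$dir" || return 4
    return 0
}

# Invoked with an argument (as ssh2 does from server A): act on it and exit
# with create_home's status. With no argument the functions are only defined,
# so the file can be sourced for testing.
[ $# -eq 0 ] || { create_home "$1"; exit $?; }
```

With this in place, the CGI on server A passes the login name as one extra argument to ssh2 (`'/usr/local/bin/createuser', $login`), and a name like `../etc` or `foo;rm -rf /` is refused on server B with exit status 2 regardless of what the web side checked.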
This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:32:36 EDT