LinuxQuestions.org
Old 11-14-2005, 10:29 PM   #1
hueofwind
Member
 
Registered: Nov 2005
Location: Australia
Posts: 49

Rep: Reputation: 15
How to restart dhcpd on another server using SSH?


Hi:

I want to write a script in which we will restart dhcpd on another machine, the command is like this:

ssh user@server /etc/init.d/dhcpd restart

but I have a user rights problem because /etc/init.d/dhcpd restart can only be executed by root.
Who knows how to solve this problem?

Thanks!

Henry
 
Old 11-14-2005, 11:01 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Add the user to /etc/sudoers on the target machine with the
explicit right to run that command.

But what brings up the need to restart the daemon?


Cheers,
Tink
 
Old 11-14-2005, 11:37 PM   #3
mthaddon
LQ Newbie
 
Registered: Feb 2003
Posts: 7

Rep: Reputation: 0
This is a kind of insecure way of doing things. To get sudo to work (if you are trying to script this) you would need to have sudo set up to allow password-less execution of the command. Alternatively, you would have to write a script with setuid - which basically means whatever user executes the script it runs as the owner of the file (which in this case would be root).

In either case, you've got a glaring security hole, but it depends on your network setup. Definitely wouldn't recommend restarting a service from a remote machine over an insecure network (such as the internet) even using ssh, as it still means you need to use one of the methods above, which aren't recommended, or allow root logins, which again is not recommended...

Webmin will allow you to restart services via a web browser. Again, not the most secure solution in the world, but maybe worth a look...
 
Old 11-15-2005, 12:25 AM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Frankly, I can't see a difference between an arbitrary user
logging in via ssh and logging into webmin (of course webmin
doesn't use SSL by default, so is even less secure).

The fact that *a* user can do something password-less via
ssh login & sudoers is no more insecure than someone
gaining access to the webmin account, on the contrary.
He will have EXACTLY that one capability, namely re-
starting the dhcp-daemon.

But again, I just answered his question, as soon as he
explains the reason for this need he'll more likely be
getting more suitable solutions.


Cheers,
Tink
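
The sudoers approach from posts #2 to #4, as an added example (not code from any poster): it renders a rule that lets one account run exactly one command with fixed arguments and no password, and refuses input that would widen the grant. The account name sysauto comes from later in the thread; the /etc/sudoers.d drop-in path is an assumption about the target system.

```shell
#!/bin/sh
# Added example: build a sudoers rule granting ONE fixed command, NOPASSWD.

# render_rule USER COMMAND [ARGS...] -> prints the rule, returns 1 if too broad.
render_rule() {
    user=$1; shift
    cmd="$*"
    case $user in
        ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    case $cmd in
        /*) ;;   # sudoers commands must be absolute paths
        *)  echo "command must be an absolute path" >&2; return 1 ;;
    esac
    case $cmd in
        # Wildcards or a comma would let the rule match more than one command.
        *'*'*|*'?'*|*'['*|*,*) echo "rule would be too broad" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd"
}

# install_rule USER FILE COMMAND [ARGS...]   (run as root on the target server)
install_rule() {
    user=$1; file=$2; shift 2
    tmp=$(mktemp) || return 1
    render_rule "$user" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    # visudo -cf syntax-checks the fragment without touching the live config.
    visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0440 -o root -g root "$tmp" "$file" && rm -f "$tmp"
}

# On the target (path is an assumption):
#   install_rule sysauto /etc/sudoers.d/dhcpd-restart /etc/init.d/dhcpd restart
# From the other server; -n makes sudo fail instead of prompting:
#   ssh sysauto@target_server sudo -n /etc/init.d/dhcpd restart
```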
 
Old 11-15-2005, 08:13 AM   #5
niallb
LQ Newbie
 
Registered: Sep 2003
Location: Dunsany, Ireland
Distribution: Debian, Ubuntu, Redhat, OpenELEC
Posts: 10

Rep: Reputation: 1
Alternative method using authorized_keys

Hi,
this might suit you better.

Generate a new key for user@yourhost using ssh-keygen -t dsa
save it when prompted as dhcpd-key, and use no passphrase.

Add it to /root/.ssh/authorized_keys on server in the following form:

command="/etc/init.d/dhcpd restart" ssh-dss =======ENCRYPTED=KEY=.pub=CONTENTS========== user@yourhost

In this way, your new key will allow you run this command, and no other, as root on the server.

ssh -i dhcpd-key root@server

Hope that suits your situation,
NiallB

Last edited by niallb; 11-15-2005 at 11:26 AM.
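
An added example (not niallb's code) for the command= approach above: it audits an authorized_keys file and reports every key that lacks a forced command, which matters most for /root/.ssh/authorized_keys. The sample file and key blobs are constructed placeholders; ssh-ed25519 stands in for ssh-dss because current OpenSSH releases no longer accept DSA keys by default, and the no-* options are standard sshd key options added here to block forwarding and TTY allocation.

```shell
#!/bin/sh
# Added example: list authorized_keys entries that have no command="..." option.

# unrestricted_keys FILE -> prints "LINE: last-field" for each unrestricted key.
unrestricted_keys() {
    awk '
        /^[ \t]*#/ { next }            # comment
        /^[ \t]*$/ { next }            # blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            opts = ""
            # An entry starts with the key type or with an options field.
            if (line !~ /^(ssh-|ecdsa-|sk-)/) {
                inq = 0
                # Options end at the first whitespace outside double quotes.
                for (i = 1; i <= length(line); i++) {
                    c = substr(line, i, 1)
                    if (c == "\"" && substr(line, i - 1, 1) != "\\") inq = !inq
                    else if (!inq && (c == " " || c == "\t")) break
                }
                opts = tolower(substr(line, 1, i - 1))
            }
            if (("," opts) !~ /,command="/) {
                n = split(line, f, " ")
                print NR ": " f[n]
            }
        }' "$1"
}

# Constructed sample: one restricted key, two that still allow any command.
write_sample() {
    cat <<'EOF'
# constructed sample, key blobs are placeholders
command="/etc/init.d/dhcpd restart",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3PLACEHOLDER1 user@yourhost
ssh-ed25519 AAAAC3PLACEHOLDER2 admin@laptop
no-pty,from="10.0.0.5" ssh-ed25519 AAAAC3PLACEHOLDER3 backup@serverA
EOF
}

demo=$(mktemp) && write_sample > "$demo" && unrestricted_keys "$demo"
rm -f "$demo"
```

The third sample entry is flagged even though it carries options: no-pty and from= narrow how the key is used, but without command= the holder can still run any command as that account.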
 
Old 11-15-2005, 08:16 AM   #6
lk95jofr
LQ Newbie
 
Registered: Aug 2005
Location: Barcelona, Spain
Distribution: Fedora 3
Posts: 5

Rep: Reputation: 0
Hi
First create a public/private key so that your user can log in via SSH without a password.
Then on the remote machine create a script, restartdhcp.sh, that you call (ssh user@host restartdhcp.sh).
Let the script (restartdhcp.sh) take care of being root and performing your task.

/Fredrik
 
Old 11-15-2005, 07:50 PM   #7
hueofwind
Member
 
Registered: Nov 2005
Location: Australia
Posts: 49

Original Poster
Rep: Reputation: 15
Thanks for all of your answers.

Now I created a script on the target server like this:

/etc/init.d/dhcpd restart

and tried to run it from another server like this:

ssh sysauto@target_server scriptname

But FAILED with following messages:
Shutting down dhcpd: ./dhcpd: line 196: kill: (927) - Operation not permitted
./dhcpd: line 201: kill: (927) - Operation not permitted
rm: cannot remove `/var/run/dhcpd.pid': Permission denied

Starting dhcpd:
touch: cannot touch `/var/lock/subsys/dhcpd': Permission denied

If I run this script as root on the target server, it works.

Now I have following questions:
1. how to run this script from another machine as root? I added "setuid 0" into the script but it didn't work.
2. how to make sysauto user not need a password from another server?
 
Old 11-15-2005, 08:21 PM   #8
niallb
LQ Newbie
 
Registered: Sep 2003
Location: Dunsany, Ireland
Distribution: Debian, Ubuntu, Redhat, OpenELEC
Posts: 10

Rep: Reputation: 1
1. ssh root@target_server scriptname

2. set up an ssh key as a few of us suggested,
and also try the "command=" variant I described above.
It works very smoothly - you won't even have to type in a program name.

NiallB

Last edited by niallb; 11-15-2005 at 08:23 PM.
 
Old 11-15-2005, 10:04 PM   #9
hueofwind
Member
 
Registered: Nov 2005
Location: Australia
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by niallb
1. ssh root@target_server scriptname

2. set up an ssh key as a few of us suggested,
and also try the "command=" variant I described above.
It works very smoothly - you won't even have to type in a program name.

NiallB
Thanks!

Why can't I do that using the sysauto user? On the target server, I read the authorized_keys2 under ../sysauto/.ssh, it's root@server. Does it mean sysauto
will also log in as root?

Henry
 
Old 11-15-2005, 10:16 PM   #10
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
And again the question: why do you need to restart
the dhcp server remotely?


Cheers,
Tink
 
Old 11-16-2005, 03:17 AM   #11
lk95jofr
LQ Newbie
 
Registered: Aug 2005
Location: Barcelona, Spain
Distribution: Fedora 3
Posts: 5

Rep: Reputation: 0
Hi

If you have done everything correctly with the private/public keys AND your sysauto has the privilege to start/stop dhcpd then it works.
Try something simple first.

ssh sysauto@host
And you are on the remote machine.

Then AS sysauto run dhcpd manually, if it works it works with the script too. If not, sysauto doesn't have the rights!

/Fredrik
 
Old 11-16-2005, 06:59 AM   #12
niallb
LQ Newbie
 
Registered: Sep 2003
Location: Dunsany, Ireland
Distribution: Debian, Ubuntu, Redhat, OpenELEC
Posts: 10

Rep: Reputation: 1
Quote:
Originally posted by hueofwind
Thanks!

Why can't I do that using the sysauto user? On the target server, I read the authorized_keys2 under ../sysauto/.ssh, it's root@server. Does it mean sysauto
will also log in as root?

Henry
Hi Henry,
the entry in the authorized_keys2 file saying root@server is really just a note.
It will not affect privileges.

It suggests that the key was generated by root on server, and suggests
also that root@server can probably log in as 'sysauto' without a password.

Is it possible that you have things set up correctly but in reverse?

NiallB
 
Old 11-16-2005, 04:30 PM   #13
hueofwind
Member
 
Registered: Nov 2005
Location: Australia
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Tinkster
And again the question: why do you need to restart
the dhcp server remotely?


Cheers,
Tink
Well, we have two DHCP servers, A and B, and they share the same dhcpd.conf. Every night server A will update the dhcpd.conf and put it onto both servers and then restart the dhcpd services on both machines.
 
Old 11-16-2005, 04:34 PM   #14
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Hmmm ... in that case (assuming they're time-synced, too) why
don't you run the restart of dhcpd on server B from a cron-job
with a 1 minute delay rather than setting up a complicated remote
execution scenario?


Cheers,
Tink
 
Old 11-22-2005, 07:26 PM   #15
hueofwind
Member
 
Registered: Nov 2005
Location: Australia
Posts: 49

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Tinkster
Hmmm ... in that case (assuming they're time-synced, too) why
don't you run the restart of dhcpd on server B from a cron-job
with a 1 minute delay rather than setting up a complicated remote
execution scenario?


Cheers,
Tink
Thanks for your suggestion. It's one solution.

But I cannot understand why setuid doesn't work! I wrote a script updatedhcpd.sh in which:
/etc/init.d/dhcpd restart
and I set this script setuid attribute like this:
-rwsr-xr-x 1 root root 38 Nov 23 11:44 updatedhcpd.sh

When I run this script as other user, it still fails with the following information:
Shutting down dhcpd: ./dhcpd: line 196: kill: (927) - Operation not permitted
./dhcpd: line 201: kill: (927) - Operation not permitted
rm: cannot remove `/var/run/dhcpd.pid': Permission denied

But it succeeds if I run this script as root.

Who can tell me why setuid doesn't work here?

Thanks!
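
On the setuid question above: Linux honours the setuid bit only for native binaries and ignores it on interpreted scripts, so updatedhcpd.sh still runs as the calling user. As an added example (not code from the thread), the function below lists setuid files under a directory that are not ELF binaries, so the bit gives them no privilege and should be cleared; the directory in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: find setuid files that are scripts rather than ELF binaries.
# The kernel drops the setuid bit when a file is run through an interpreter,
# so these files run as the caller. The bit is misleading and should be
# removed (chmod u-s) in favour of a sudoers rule or an SSH forced command.

# setuid_scripts DIR -> prints one path per line.
# Limitation: paths containing newlines are not handled.
setuid_scripts() {
    find "$1" -type f -perm -4000 | while IFS= read -r f; do
        # First four bytes as hex; ELF binaries start with 7f 45 4c 46.
        magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
        [ "$magic" = "7f454c46" ] || printf '%s\n' "$f"
    done
}

# Usage (placeholder directory):
#   setuid_scripts /usr/local/bin
```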
 