LinuxQuestions.org


sinister1 12-10-2007 03:34 AM

loginscript--run script-- logout
 
All,

I have a server. On this server there is a process which has the ability to start|stop|restart through an init.d script.

There is one user that may execute these actions.

The following we had in mind:

User makes a ssh login;
Script runs automatically and gives the three options;
User picks an option; (Option is being carried out)
User automatically logs out;

The user may not interrupt the script in any way.

Any idea where to start?

done so far:

Making an account named test who can only go to his home directory;
Some editing in the ~/.bash_profile

unSpawn 12-10-2007 10:05 AM

Quote:

Originally Posted by sinister1 (Post 2985731)
Any idea where to start?

Two things: finding threads at LQ about a) sudo and b) using a (wrapper) script instead of a login shell.

Lotharster 12-10-2007 05:17 PM

There is an elegant way to solve this problem - already built into ssh:

1.) Generate a public/private key pair for ssh authentication on your client machine:
Code:

$ ssh-keygen -t rsa

If you want, you can provide an empty password for the key; in that case any user with access to the key file can start the init script.

2.) Transfer the public key (*.pub) to the server and attach it to the authorized_keys file of the user "test"
Code:

$ cat insert_name_of_key_here.pub >> ~/.ssh/authorized_keys

3.) Make a testing script on the server. Make it executable and put it in a place where you will find it again. I used the following to test:
Code:

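#!/bin/bash
# Prompt for a line of input and echo it back
echo -n "Enter text: "
read -r inp
echo "Text entered: $inp"
# Quote the variable so the input is written to the file verbatim
echo "$inp" > /tmp/testdatei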

4.) Edit the authorized_keys file on the server. Its last line will look something like this:
Code:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0OdXOI7Do22URpJXEYiRgV0Vd5/NXvyziwbuaOpGX4Ww2Knheci
jwcjeiwjojicojwjecjiojweiojcijwjecjijweioioxkGIUGIUGIUjJHJPPOOoopoiasaljceiwoehchwohchowlUK4a
guiNMp01KvQxPrrjw== user@client_machine

Add the following code on the same line in front of ssh-rsa:
Code:

command="/path/to/script"

Done.

Now you can use the private key file you generated in step 1 to log in to your server:
Code:

$ ssh -i private_key_file user@server

Whenever you connect using this private key file, the script will be interactively executed on the server machine. When the script terminates, the ssh session will end.

I read this in some tutorial but I cannot find the link now. This should also be explained in some ssh or sshd man-page.

Lotharster

unSpawn 12-10-2007 06:14 PM

Quote:

Originally Posted by Lotharster (Post 2986490)
There is an elegant way to solve this problem

Good one. At least for half of the problem since AFAIK no unprivileged user can nor should be able to manage services in /etc/init.d and doing this as root account user logging in over any network is not advisable.
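
The forced command from the post above combined with the sudo restriction raised in this reply, as an added example that is not part of the original posts. The install path /usr/local/bin/service-menu and the service name myservice are assumptions; the account name "test" is the one from the thread.

```shell
#!/bin/sh
# Added example: forced-command menu for the "test" account.
# Assumed install path: /usr/local/bin/service-menu (hypothetical).
#
# authorized_keys entry: one single line, options first, comma-separated,
# then one space, then the key type:
#   command="/usr/local/bin/service-menu",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... user@client_machine
#
# sudoers entry (edit with visudo) limiting "test" to these three commands:
#   test ALL=(root) NOPASSWD: /etc/init.d/myservice start, /etc/init.d/myservice stop, /etc/init.d/myservice restart

INIT_SCRIPT=/etc/init.d/myservice   # hypothetical service name

# Map menu input to an allowed action; print nothing and fail otherwise.
choice_to_action() {
    case "$1" in
        1|start)   echo start ;;
        2|stop)    echo stop ;;
        3|restart) echo restart ;;
        *)         return 1 ;;
    esac
}

main() {
    # Ignore Ctrl-C, Ctrl-\ and Ctrl-Z so the menu cannot be interrupted
    trap '' INT QUIT TSTP
    printf '1) start\n2) stop\n3) restart\nChoice: '
    read -r choice || exit 1      # EOF or dropped connection: do nothing
    action=$(choice_to_action "$choice") || { echo "Invalid choice" >&2; exit 1; }
    # -n: never prompt for a password; fail if sudoers does not allow the call
    sudo -n "$INIT_SCRIPT" "$action"
    exit $?                       # script ends, so the ssh session ends
}

# Run the menu only when invoked under the installed name
if [ "${0##*/}" = "service-menu" ]; then
    main
fi
```

The restriction applies only to logins made with this key; a password login to the same account still gets the normal login shell.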

sinister1 12-12-2007 01:46 AM

Great Lotharster!!

I will try it.

I will let you know the result.

Grt,

Jaap

sinister1 01-16-2008 07:25 AM

Quote:

Originally Posted by Lotharster (Post 2986490)
There is an elegant way to solve this problem - already built into ssh:


It seems that the command="/path/to/script" doesn't work. If I put it in front of my key, the key isn't working anymore. Does anyone have a bright idea?

Lotharster 01-16-2008 10:44 AM

You have to replace "path/to/script" with the script (full pathname) you want to be executed on login.


All times are GMT -5.