LinuxQuestions.org
Old 12-10-2007, 03:34 AM   #1
sinister1
Member
 
Registered: Jul 2007
Posts: 70

Rep: Reputation: 15
loginscript--run script-- logout


All,

I have a server. On this server there is a process which has the ability to start|stop|restart through an init.d script.

There is one user that may execute these actions.

The following we had in mind:

User makes a ssh login;
Script runs automatically and gives the three options;
User picks an option; (Option is being carried out)
User automatically logs out;

The user may not interrupt the script in any way.

Any idea where to start?

Done so far:

Making an account named test who can only go to his home directory;
Some editing in the ~/.bash_profile

Last edited by sinister1; 12-10-2007 at 04:01 AM.
 
Old 12-10-2007, 10:05 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592
Quote:
Originally Posted by sinister1 View Post
Any idea where to start?
Two things: finding threads at LQ about a) sudo and b) using a (wrapper) script instead of a login shell.
 
Old 12-10-2007, 05:17 PM   #3
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 18
There is an elegant way to solve this problem - already built into ssh:

1.) Generate a public/private key pair for ssh authentication on your client machine:
Code:
$ ssh-keygen -t rsa
If you want, you can provide an empty password for the key; in that case any user with access to the key file can start the init script.

2.) Transfer the public key (*.pub) to the server and attach it to the authorized_keys file of the user "test"
Code:
$ cat insert_name_of_key_here.pub >> ~/.ssh/authorized_keys
3.) Make a testing script on the server. Make it executable and put it in a place where you will find it again. I used the following to test:
Code:
#!/bin/bash
# Prompt for one line of input, echo it back, and save it to a file.
echo -n "Enter text: "
read -r inp
echo "Text entered: $inp"
echo "$inp" > /tmp/testdatei
4.) Edit the authorized_keys file on the server. Its last line will look something like this:
Code:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0OdXOI7Do22URpJXEYiRgV0Vd5/NXvyziwbuaOpGX4Ww2Knheci
jwcjeiwjojicojwjecjiojweiojcijwjecjijweioioxkGIUGIUGIUjJHJPPOOoopoiasaljceiwoehchwohchowlUK4a
guiNMp01KvQxPrrjw== user@client_machine
Add the following code on the same line in front of ssh-rsa:
Code:
command="/path/to/script"
Done.

Now you can use the private key file you generated in step 1 to log in to your server:
Code:
$ ssh -i private_key_file user@server
Whenever you connect using this private key file, the script will be interactively executed on the server machine. When the script terminates, the ssh session will end.

I read this in some tutorial but I cannot find the link now. This should also be explained in some ssh or sshd man-page.

Lotharster
 
Old 12-10-2007, 06:14 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592
Quote:
Originally Posted by Lotharster View Post
There is an elegant way to solve this problem
Good one. At least for half of the problem since AFAIK no unprivileged user can nor should be able to manage services in /etc/init.d and doing this as root account user logging in over any network is not advisable.
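
The forced-command approach from post #3 combined with the sudo point from post #4, as an added example that is not part of the thread. The script path /usr/local/bin/svc-menu, the service name myservice, and the authorized_keys and sudoers lines shown in the comments are assumptions.

```shell
#!/bin/bash
# Added example: forced-command menu for one service. All names are assumed.
# authorized_keys line for user "test" (one line, key material elided):
#   command="/usr/local/bin/svc-menu run",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <public-key> user@client_machine
# sudoers entry (edit with visudo) so that "test" never needs a root login:
#   test ALL=(root) NOPASSWD: /etc/init.d/myservice start, /etc/init.d/myservice stop, /etc/init.d/myservice restart

INIT_SCRIPT=/etc/init.d/myservice   # hypothetical service

# Map the menu choice to a fixed action. Only the literals below are ever
# passed on, so the text the user typed never reaches a command line.
pick_action() {
    case "$1" in
        1) echo start ;;
        2) echo stop ;;
        3) echo restart ;;
        *) return 1 ;;
    esac
}

menu() {
    # Ignore Ctrl-C, Ctrl-\ and Ctrl-Z so the user cannot break out of the
    # menu. Ignored signals stay ignored in the command started by exec.
    trap '' INT QUIT TSTP
    local choice action
    printf '1) start\n2) stop\n3) restart\nChoice: '
    read -r choice || exit 1          # EOF (Ctrl-D) just ends the session
    if ! action=$(pick_action "$choice"); then
        echo "Invalid choice." >&2
        exit 1
    fi
    # -n: fail instead of prompting when sudoers does not allow the command.
    # exec: the ssh session ends as soon as the init script returns.
    exec sudo -n "$INIT_SCRIPT" "$action"
}

# With command= set, sshd runs this file whatever the client asked for (the
# request is only exposed in SSH_ORIGINAL_COMMAND). The "run" argument comes
# from the command= option above, never from the client.
if [ "${1:-}" = "run" ]; then
    menu
fi
```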
 
Old 12-12-2007, 01:46 AM   #5
sinister1
Member
 
Registered: Jul 2007
Posts: 70

Original Poster
Rep: Reputation: 15
Great Lotharster!!

I will try it.

I will let you know the result.

Grt,

Jaap
 
Old 01-16-2008, 07:25 AM   #6
sinister1
Member
 
Registered: Jul 2007
Posts: 70

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Lotharster View Post
There is an elegant way to solve this problem - already built into ssh:

It seems that the command="/path/to/script" doesn't work. If I put it in front of my key the key isn't working anymore. Does anyone have a bright idea?
 
Old 01-16-2008, 10:44 AM   #7
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 18
You have to replace "/path/to/script" with the script (full pathname) you want to be executed on login.
 
  

