On 11/09/2006 16:56, Kirk Strauser wrote:
> On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote:
>> Good day everyone,
>> I'm trying to make it possible to restart (as in 'shutdown -r now') a
>> FreeBSD based router from LAN network as easy as possible so it can be
>> used by non-technical people.
> First of all, it's easy enough to do this securely that you might as well do 
> it.  Install sudo, and use "visudo" to create a sudoers file with entries 
> like:
>    User_Alias    REBOOTERS = username1,username2,username3
>    REBOOTERS     ALL = (root) NOPASSWD: /sbin/reboot
> Next, create a reboot script for them:
>    # cat /usr/local/sbin/reboot.sh
>    #!/bin/sh
>    sudo /sbin/reboot
> Finally, use OpenSSH's built-in options to run the script at login.  From 
> sshd(8):
>      [....]
>      command="command"
>              Specifies that the command is executed whenever this key is used
>              for authentication.
> So, make each user's authorized_keys file look something like:
> command="/usr/local/sbin/reboot.sh" ssh-rsa [long base64 string] [EMAIL PROTECTED]
> Alternatively, do all the above for one single account: your "restart" user.  
> Use authorized_keys to limit which of your real users has access to reboot 
> the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it.  
> You could even go so far as to add a clause to /etc/ssh/ssh_config (or 
> ~/.ssh/config for each individual user) like:
> Host rebootrouter
>     Hostname balkyrouter.example.com
>     User restart
> so that your users just run "ssh rebootrouter".
> So, to recap, when a user logs in, the reboot.sh script will be executed.  It 
> will use sudo to run the reboot command as root, without prompting the user 
> to enter any password.  It's easy, it works, and it doesn't require any 
> setuid trickery or special accounts or anything else.

Hi Kirk,

I wasn't aware of 'command' option in authorized_keys file and that's
exactly what I need :)

The rest is more or less what I was thinking of with the exception I
tried to avoid installing sudo just to do this.

So here's what I ended up with:

- user 'restart' in group 'operator' (I need another user because
there are no 'normal' users on the router except me)
- public/private key pair for authorization
- command="/sbin/shutdown -r now" in /home/restart/.ssh/authorized_keys

Works as expected even with windows/putty clients :)

Thanks for your reply.


Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc

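An added example, not code from either poster: a shell snippet that builds the kind of forced-command authorized_keys entry discussed in the thread and audits an existing file for keys that still grant a full shell. One caveat worth making explicit: command="..." on its own only fixes what runs at login; the holder of that key can still request port forwarding, agent forwarding, X11 forwarding or a pty unless those are switched off as well (newer OpenSSH, 7.2 and later, collapses that list into the single option restrict). The public key material below is a constructed placeholder, and the file paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a restricted
# authorized_keys entry for a single-purpose key and counts entries in a
# file that carry no command= option, i.e. keys that grant a full shell.
# Assumption: SAMPLE_PUBKEY is a constructed, non-functional key line.

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYDATA user@laptop'

# Emit one authorized_keys entry. Key options must come BEFORE the key type.
# command= alone still leaves port/agent/X11 forwarding and pty allocation
# available to the key holder, so those are disabled explicitly here
# ("restrict" on OpenSSH 7.2+ is the shorter equivalent of this list).
build_forced_entry() {
    _cmd=$1
    _key=$2
    # Split the key line and keep only the key type and the base64 blob;
    # the comment field the client attached is dropped.
    set -- $_key
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s\n' \
        "$_cmd" "$1" "$2"
}

# Count entries in an authorized_keys file that carry no command= option.
# Comment and blank lines are ignored; prints 0 when every key is forced.
count_unrestricted_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -vc 'command="' || true
}
```

Typical use on the router: `build_forced_entry "/sbin/shutdown -r now" "$(cat restart.pub)" >> /home/restart/.ssh/authorized_keys`, then `count_unrestricted_keys /home/restart/.ssh/authorized_keys` should print 0 for an account whose only job is to reboot the box.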