On 11/09/2006 16:56, Kirk Strauser wrote: > On Monday 11 September 2006 09:20, Karol Kwiatkowski wrote: >> Good day everyone, >> >> I'm trying to make it possible to restart (as in 'shutdown -r now') a >> FreeBSD based router from LAN network as easy as possible so it can be >> used by non-technical people. > > First of all, it's easy enough to do this securely that you might as well do > it. Install sudo, and use "visudo" to create a sudoers file with entries > like: > > User_Alias REBOOTERS = username1,username2,username3 > REBOOTERS ALL = (root) NOPASSWD: /sbin/reboot > > Next, create a reboot script for them: > > # cat /usr/local/sbin/reboot.sh > sudo /sbin/reboot > > Finally, use OpenSSH's built-in options to run the script at login. From > sshd(8): > > AUTHORIZED_KEYS FILE FORMAT > > [....] > > command="command" > Specifies that the command is executed whenever this key is used > for authentication. > > So, make each user's authorized_keys file look something like: > > ssh-rsa [long base64 string] [EMAIL PROTECTED] > command="/usr/local/sbin/reboot.sh" > > Alternatively, do all the above for one single account: your "restart" user. > Use authorized_keys to limit which of your real users has access to reboot > the machine, and use "ssh -l restart balkyrouter.example.com" to trigger it. > You could even go so far as to add a clause to /etc/ssh/ssh_config (or > ~/.ssh/config for each individual user) like: > > Host rebootrouter > Hostname balkyrouter.example.com > User restart > > so that your users just run "ssh rebootrouter". > > So, to recap, when a user logs in, the reboot.sh script will be executed. It > will use sudo to run the reboot command as root, without prompting the user > to enter any password. It's easy, it works, and it doesn't require any > setuid trickery or special accounts or anything else.
Hi Kirk, I wasn't aware of 'command' option in authorized_keys file and that's exactly what I need :) The rest is more or less what I was thinking of with the exception I tried to avoid installing sudo just to do this. So here's what I ended up with: - user 'restart' in group 'operator' (I need another user because there are no 'normal' users on the router except me) - public/private key par for authorization - command="/sbin/shutdown -r now" in /home/restart/.ssh/authorized_keys Works as expected even with windows/putty clients :) Thanks for your reply. Karol -- Karol Kwiatkowski <freebsd at orchid dot homeunix dot org> OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc
Description: OpenPGP digital signature