Date: Tue, 13 Apr 2004 17:36:56 -0300 (EST)
From: <[EMAIL PROTECTED]>

>On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>
>|Root logins are disallowed by default on FreeBSD
>|for security reasons.  The recommended approach
>|is to log on an account that is a member of the
>|"wheel" group, and su(1) to root when necessary
>|for administrative purposes while doing your routine
>|work under a less-privileged UID...
>
>       But, what should be te correct approach when you want to copy
>root's files and/or remote execute programs as root with scripts using
>scp/ssh and key authentication?
>Like:
>
>       scp master.passwd host2:/etc/
>       or
>       ssh host2 'pwd_mkdb -p /etc/master.passwd'
>
>
>- Marcelo

To allow user fred to execute an arbitrary program, say ndc on a remote system:

1) allow fred to ssh with (and only with) [rd]sa keys, so that this works.

[EMAIL PROTECTED]> ssh remotesys echo foo
foo
[EMAIL PROTECTED]> 

2) on remotesys add the following to /whatever/etc/sudoers with "sudo visudo"

        fred  ALL = NOPASSWD:/usr/sbin/ndc

3) verify with

[EMAIL PROTECTED]> ssh remotesys sudo /usr/sbin/ndc restart

Options:
You can, if you feel the need, set fred's local ssh key to require a password.
Sudoers can be set to allow only a particular set of options to command.
For that, I create pseudo users for particular classes of tasks.

I haven't used su since I found sudo.  I've not logged in as root, save in a 
grave emergency in 7-8 years.  I've a CD which contains all the .ssh/auth_keys,
etc, and use it after installing a machine, and before plugging it in the net.
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to