
Re: allowing users to update stuff on the server



On Thu, Jan 16, 2003 at 05:44:28PM +0100, martin f krafft wrote:
> First off, please excuse the missing subject.
> 
> > let's say everything works on the server, all i need is a method to
> > authenticate a user and upon successful authentication, pass the IP
> > s/he used for the authentication on to a script that takes care of the
> > edit.
> > 
> > There exists a fake POP3 server that does exactly this (it always
> > serves an empty mailbox), but it's cleartext. I would like at least
> > SSL, and asymmetric authentication with certificates would be the
> > best.
> 
> Then, I was thinking of SSH. Is there a way to obtain the fingerprint,
> ID, or another bit of information about the RSA/DSA key used to login
> to sshd? let's say I have an account dyndns which can modify
> a specific zone file. I add the ssh keys from users who are allowed to
> interact with dyndns to the authorized_keys file. now if i can get at
> the key ID used to login, i have all that i need.

Well, it is possible to have the key fingerprint logged; see the last
message of #75043. However, that probably isn't what you want.

I think you should use a forced command in authorized_keys. For example,
I have one such file that contains this line:

  command="userv dyndns dyndns dynamic.greenend.org.uk riva",no-pty,no-port-forwarding 1024 35 145413580969648476044072749424723997577855609708600898296078782540051360757631277317814917027038279588528053774482503019012709429846592053864406645721891713477828254982531683029630103055847963503784826642231356729554071003805850344215815518908121062306905784894054069613278599523363884251674573384786501899737 cjwatson@arborlon

When ssh'ing in using that single-purpose key, that command is executed,
and you get to give it whatever arguments you like. Those should serve
to disambiguate among users.

If you need security between users as well, then using userv as above
may help. Give them each their own account, if necessary disabled except
for a single authorized_keys entry with a forced command. Set up a userv
service which knows how to check users against the dynamic DNS entries
they're allowed to update. Not perhaps the easiest thing in the world to
set up, but it's possible.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
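
An added example, not part of the message above or of any project it mentions: a minimal forced-command wrapper of the kind described, where the user and hostname are fixed by the authorized_keys entry and the client address is taken from sshd's SSH_CONNECTION variable. The script path, user name, hostnames and key shown are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper; path, names and key are constructed.
# authorized_keys entry (one per user key):
#   command="/usr/local/bin/dyndns-forced alice alice.dyn.example.org",no-pty,no-port-forwarding ssh-ed25519 AAAA...placeholder alice@laptop
# User and hostname come from that entry, so the client cannot change them.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into four octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print "user host ip" for the update script, or refuse with a message.
dyndns_request() {
    user=$1
    host=$2
    # sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port".
    ip=${SSH_CONNECTION:-}
    ip=${ip%% *}
    # Anything the client typed after "ssh host" lands here; never trust it.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "refused: client-supplied command not accepted" >&2
        return 1
    fi
    if ! valid_ipv4 "$ip"; then
        echo "refused: no usable IPv4 client address" >&2
        return 1
    fi
    printf '%s %s %s\n' "$user" "$host" "$ip"
}

# Run only when invoked with the two arguments from the command= option.
if [ "$#" -eq 2 ]; then
    dyndns_request "$1" "$2"
fi
```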


