Re: Updating files in /etc Remotely (and automated)

To: debian-user@lists.debian.org
Subject: Re: Updating files in /etc Remotely (and automated)
From: Hal Vaughan <hal@halblog.com>
Date: Sun, 12 Sep 2010 14:35:00 -0400
Message-id: <[🔎] 0EA47E68-49ED-4F32-A91B-4379E27E45DC@halblog.com>
In-reply-to: <[🔎] 20100912163733.GB29852@aurora.owens.net>
References: <[🔎] EF953506-5924-409C-B345-B43C694DD3B6@halblog.com> <[🔎] 20100912145107.GA29195@aurora.owens.net> <[🔎] 9229C387-BB4B-4004-834A-3BEA7FA77E0D@halblog.com> <[🔎] 20100912163733.GB29852@aurora.owens.net>

On Sep 12, 2010, at 12:37 PM, Rob Owens wrote:
>>>> ...
>>> When using ssh keys to log in, you can specify (in
>>> ~/.ssh/authorized_keys) a command which will automatically run when that
>>> key is used to log in.  And that key will be useless to do anything
>>> else.  Simply using that key to conenct to the remote server will run 
>>> that command.
>>> 
>>> The authorized_keys file would look something like this:
>>> 
>>> command="/path/to/my/script" ssh-rsa AAAAB3NzaC1yc2EAAA.... me@myhost
>> 
>> I see.  That would make perfect sense and I see I can use -i to specify which key to use, so for normal situations, I just use "ssh host," and when I want this done, I do "ssh -i .ssh/special_key host" instead.
>> 
>> I thought I knew about authorized keys, but didn't know you could specify a command to be run in that file.
>> 
>>> You could use this to ssh into the remote server as root, or as a user
>>> with very specify sudo privileges that will allow your script to run.
>>> (The script would perform the file changes you need done, or simply
>>> rsync them from your local machine).
>> 
>> But if I'm not running as root, from what I can see, no matter what I do with sudo, I still have to type in a password, don't I?  using the authorized_keys file and specifying what can be done at login does a lot to help with security, but if I don't log in as root, no matter what I do, I'll still have to type in a password to use either "su" or "sudo," right?  Or is there a way around it?  I was going through man pages, but it seems both require a password to be typed in no matter what.
>> 
> In /etc/sudoers, you can specify "NOPASSWD", like this:
> 
> someuser	ALL=NOPASSWD: /path/to/some/command
> 
> Then "someuser" can run the specified command as root without typing a
> password.

When I tested this with some simple scripts, I find if I create a batch file that runs a few commands, like "chown root:root filename" that those commands, which would normally need the sudo command don't need it.

Is this because of the (usually) 5 minute time limit sudo uses?  Can I trust this on all systems, or is there anything that could prevent this behavior?  In other words, if I include, in the script, commands that also need sudo, am I right that I can count on them executing without further need of verification?

Thanks for anyone who can include more info on this!




Hal

Reply to:

Follow-Ups:
- Re: Updating files in /etc Remotely (and automated)
  - From: Rob Owens <rowens@ptd.net>

References:
- Updating files in /etc Remotely (and automated)
  - From: Hal Vaughan <hal@halblog.com>
- Re: Updating files in /etc Remotely (and automated)
  - From: Rob Owens <rowens@ptd.net>
- Re: Updating files in /etc Remotely (and automated)
  - From: Hal Vaughan <hal@halblog.com>
- Re: Updating files in /etc Remotely (and automated)
  - From: Rob Owens <rowens@ptd.net>

Prev by Date: Re: Updating files in /etc Remotely (and automated)
Next by Date: Re: Iceweasel stability issues after reading the browser straw poll
Previous by thread: Re: Updating files in /etc Remotely (and automated)
Next by thread: Re: Updating files in /etc Remotely (and automated)
Index(es):
- Date
- Thread