
Re: Allowing unprivileged users to use some router functions



> I made a simple batch script for Windows that sshes in a console
> (plink.exe, if I remember correctly)
> into my OpenBSD router and runs the script "on" with the path:
> "/usr/sbin/ppp -background ISP".
> And then another batch script to run "off" (kill
> PPP stuff + logging). The on/off scripts are in /bin/ on my
> router. No messing with sudo or something like that, except
> in off, in case the other one has to turn off the PPP. It
> is also easy to tune each script to customize, which I have
> done. (rdate/another ISP) Both of those batch scripts (named
> on/off) are in his Start menu so that it is easy for him to turn
> on/off. A DOS window pops up, logs in to my
> router, runs the scripts.
> Not pretty, but SMALL! ;)

I've done a similar thing, although the Windows batch script does not
directly run the commands.  I generated a few ssh key pairs, and added a
user called 'remote' to the OpenBSD machine.  I added the keys to the
'remote' user's authorized_keys file and set each one to run a different
command.  For example, one of the public keys is prefixed with
command="sudo shutdown -h now"; there are another two for connecting and
disconnecting the dial-up connection.

Then in Windows I've just got shortcuts that run
plink.exe -i shutdown.ppk remote@router
plink.exe -i connect.ppk remote@router
and so on.

It works nicely, from non-Windows machines too.  The advantage over passing
the commands as arguments to plink is that it probably stops people
trivially changing them and running other commands.

Nathan

> Works fine, except some stdout/stderr stuff at his console
> related to "PPP Enabled" and/or "Chat script failed" is not
> shown/hidden. But not a problem for him anyway. I am not using
> Windows, so I am not so keen to look at it to fix that. ;)
> 
> Shut down?    WHY?! ;)
> sudo will fix that together with plink.exe... 
> 
> -- 
> Atle Kristensen 
> Live Long And Prosper
> OpenBSD 3.4-beta GENERIC#135 i586 Pentium/MMX
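
Added example, not part of the original thread: a small Python audit of an authorized_keys file set up as Nathan describes. It checks that every key has a forced command and that forwarding and pty allocation are switched off (the `restrict` option or the individual `no-*` options), because `command=` on its own does not disable those. The key material, the /bin/on and /bin/off commands for the two dial-up keys, and the function names are assumptions.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names
LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def split_options(line):
    """Return (options dict, rest); options end at the first unquoted blank."""
    if line.startswith(KEY_TYPES):
        return {}, line  # entry has no options field at all
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 1  # \" inside a quoted value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(buf)
            buf = ""
        elif ch.isspace() and not quoted:
            break
        else:
            buf += ch
        i += 1
    opts.append(buf)
    # option names are case-insensitive, so normalise them to lower case
    parsed = {o.partition("=")[0].lower(): o.partition("=")[2] for o in opts}
    return parsed, line[i:].strip()

def audit(text):
    """Return (line number, key comment, findings) for every key entry."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        findings = []
        if "command" not in opts:
            findings.append("no forced command: client chooses what runs")
        if "restrict" not in opts:
            findings += sorted("missing " + o for o in LOCKDOWN - set(opts))
        report.append((n, " ".join(rest.split()[2:]), findings))
    return report

# Constructed sample: placeholder key material; /bin/on and /bin/off are assumed.
SAMPLE = '''\
command="sudo shutdown -h now" ssh-rsa AAAAB3PLACEHOLDER shutdown
restrict,command="/bin/on" ssh-rsa AAAAB3PLACEHOLDER connect
command="/bin/off",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER disconnect
ssh-rsa AAAAB3PLACEHOLDER admin
'''
if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```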