I'm using Solaris 11.2. I can do this:
1. logon with an unprivileged account which is allowed to take on the 'root' role
2. su
3. type password
4. run privileged command
5. end the su
This works fine. The privileged command I want to run, though, is to SSH to another system with the same account and run the command *there* as the remotely privileged account/role, all from a script and without (obviously) having to type a password anywhere.
I've figured out how to do all this IF root is *not* a role and is a regular account. How do I do it while leaving root as a role?
Kevin
Could some of the more specific options in the authorized_keys file help? On the second server you could use the command="privileged command" option (man sshd, look for AUTHORIZED_KEYS FILE FORMAT). So you'd be setting up passwordless ssh with a particular key, but that key would be running a single command and then exiting.
Sean
On Thu, Mar 5, 2015 at 2:33 PM, Kevin McGregor kevin.a.mcgregor@gmail.com wrote:
> I'm using Solaris 11.2. I can do this:
> 1. logon with an unprivileged account which is allowed to take on the 'root' role
> 2. su
> 3. type password
> 4. run privileged command
> 5. end the su
> This works fine. The privileged command I want to run, though, is to SSH to another system with the same account and run the command *there* as the remotely privileged account/role, all from a script and without (obviously) having to type a password anywhere.
> I've figured out how to do all this IF root is *not* a role and is a regular account. How do I do it while leaving root as a role?
> Kevin
Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
On 2015-03-05 Kevin McGregor wrote:
> I'm using Solaris 11.2. I can do this:
> 1. logon with an unprivileged account which is allowed to take on the 'root' role
> 2. su
> 3. type password
> 4. run privileged command
> 5. end the su
> This works fine. The privileged command I want to run, though, is to SSH to another system with the same account and run the command *there* as the remotely privileged account/role, all from a script and without (obviously) having to type a password anywhere.
But your manual process outlined has you typing the password (for su). If you can't have it be passwordless manually, how can you make it passwordless when scripted? Give us a manual step-by-step process first that is passwordless, then we'll worry about scripting it. :-)
Why is ssh privileged on the middle system? Can't just any user ssh to the final box?
> I've figured out how to do all this IF root is *not* a role and is a regular account. How do I do it while leaving root as a role?
Sorry, I can't help with roles, I don't use Solaris.
Augh. Sorry for the lame-ass question. Forget what I said. Anyway:
So, two Solaris 11.2 systems. On one of them I want to run this in a cron job:
zfs send -RI ${lastsnap} rpool/zones/${zone}@${currsnap} | ssh ${desthost} "zfs recv -o canmount=off -o compression=on -dFuv rpool"
or more generically
<command I run as root> | ssh <dest-host> "command I need to run as root"
I can set up the SSH keys so this works without passwords, but I only understand how to make that work when 'root' is an account and not a "role". So I guess I should look into how to run commands with a specific user account which can run the zfs command and set up the SSH keys so it works without requiring a password.
On Thu, Mar 5, 2015 at 10:43 PM, Trevor Cordes trevor@tecnopolis.ca wrote:
> On 2015-03-05 Kevin McGregor wrote:
> > I'm using Solaris 11.2. I can do this:
> > 1. logon with an unprivileged account which is allowed to take on the 'root' role
> > 2. su
> > 3. type password
> > 4. run privileged command
> > 5. end the su
> > This works fine. The privileged command I want to run, though, is to SSH to another system with the same account and run the command *there* as the remotely privileged account/role, all from a script and without (obviously) having to type a password anywhere.
> But your manual process outlined has you typing the password (for su). If you can't have it be passwordless manually, how can you make it passwordless when scripted? Give us a manual step-by-step process first that is passwordless, then we'll worry about scripting it. :-)
> Why is ssh privileged on the middle system? Can't just any user ssh to the final box?
> > I've figured out how to do all this IF root is *not* a role and is a regular account. How do I do it while leaving root as a role?
> Sorry, I can't help with roles, I don't use Solaris.
On 2015-03-06 Kevin McGregor wrote:
Augh. Sorry for the lame-ass question. Forget what I said. Anyway:
<command I run as root> | ssh <dest-host> "command I need to run as root"
I can set up the SSH keys so this works without passwords, but I only understand how to make that work when 'root' is an account and not a "role". So I guess I should look into how to run commands with a specific user account which can run the zfs command and set up the SSH keys so it works without requiring a password.
1. Set up sudo(ers) (I'm sure Solaris has an equivalent?) for the "command I need to run as root" on <dest-host> so that the normal user can run said command as root without root creds or pw's at all.
or
2. Allow root login in ssh and lock down that box's firewall (if it has one) to only allow ssh from trusted IPs. If you want to make that policy leap, and are allowed to. (Sure, it's not perfect.) I never understood, really, why people don't like ssh allow-root, because a determined hacker who got your user creds can just plant a logger and capture your root creds when you first su into root anyhow, or just get your root creds the same way they got your user creds. And root escalation vulns are the most common thing around. So all you do is slow them down a bit, which is a good thing mind you, but root ssh is *so* handy to have... but I digress.
Again, I have no idea about Solaris "roles" and how it helps/hinders you. Perhaps you could give a brief explanation of Solaris roles? If for nothing more than my curiosity.
Sorry if the linux-ish of my answers is unhelpful for Solaris. I tried, so you're not left with nothing but crickets.
On 7 Mar 2015, at 02:39, Trevor Cordes trevor@tecnopolis.ca wrote:
> On 2015-03-06 Kevin McGregor wrote:
> > Augh. Sorry for the lame-ass question. Forget what I said. Anyway:
> > <command I run as root> | ssh <dest-host> "command I need to run as root"
> > I can set up the SSH keys so this works without passwords, but I only understand how to make that work when 'root' is an account and not a "role". So I guess I should look into how to run commands with a specific user account which can run the zfs command and set up the SSH keys so it works without requiring a password.
> - Set up sudo(ers) (I'm sure Solaris has an equivalent?) for the "command I need to run as root" on <dest-host> so that the normal user can run said command as root without root creds or pw's at all.
> or
> - Allow root login in ssh and lock down that box's firewall (if it has one) to only allow ssh from trusted IPs. If you want to make that policy leap, and are allowed to. (Sure, it's not perfect.) I never understood, really, why people don't like ssh allow-root, because a determined hacker who got your user creds can just plant a logger and capture your root creds when you first su into root anyhow, or just get your root creds the same way they got your user creds. And root escalation vulns are the most common thing around. So all you do is slow them down a bit, which is a good thing mind you, but root ssh is *so* handy to have... but I digress.
> Again, I have no idea about Solaris "roles" and how it helps/hinders you. Perhaps you could give a brief explanation of Solaris roles? If for nothing more than my curiosity.
> Sorry if the linux-ish of my answers is unhelpful for Solaris. I tried, so you're not left with nothing but crickets.
I read the following blog the other day with one guy's struggles (and success) to do zfs send/receive as non-root: http://dan.langille.org/2015/02/16/zfs-send-zfs-receive-as-non-root/
This blog was written using FreeBSD, so I'm not sure if the zfs allow commands would work on Solaris, but since ZFS comes from Solaris first, I'd kind of assume so.
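Putting Sean's authorized_keys command= suggestion together with Kevin's zfs send | ssh ... zfs recv pipeline and the non-root delegation from the blog above, here is an added example (not code from anyone in this thread). It assumes an unprivileged user named backup on both hosts that has been given the zfs send/recv rights it needs with zfs allow, a wrapper installed on <dest-host> as /usr/local/bin/zfs-recv-only, and a dedicated key at /home/backup/.ssh/zfs_backup; root stays a role on both systems and nothing ever logs in as root.

```shell
#!/bin/sh
# Destination-side forced command for the 'backup' key (constructed example).
# Assumed authorized_keys entry for user backup on <dest-host>, one line:
#   no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/usr/local/bin/zfs-recv-only" ssh-ed25519 AAAA...constructed... backup@srchost
# sshd ignores what the client asked for, runs this wrapper instead, and
# hands the client's request over in SSH_ORIGINAL_COMMAND.

ALLOWED_RECV='zfs recv -o canmount=off -o compression=on -dFuv rpool'

# Exact string match: an extra flag, another dataset or a shell
# metacharacter (; | && `) changes the string, so it is refused.
is_allowed_cmd() {
    [ "$1" = "$ALLOWED_RECV" ]
}

# Returns 2 for an interactive-shell request (no command), 3 for any
# command other than the allowed one; otherwise becomes the receive.
dispatch() {
    req=$1
    if [ -z "$req" ]; then
        logger -p auth.warning -t zfs-recv-only "shell request refused" 2>/dev/null || :
        return 2
    fi
    if ! is_allowed_cmd "$req"; then
        logger -p auth.warning -t zfs-recv-only "refused: $req" 2>/dev/null || :
        return 3
    fi
    exec $ALLOWED_RECV   # unquoted on purpose: split the fixed string into argv
}

# Source-side helper for the cron job: builds the send pipeline and refuses
# snapshot, zone and host names with anything outside [A-Za-z0-9._@-], so a
# value read from a file or cron variable cannot smuggle shell syntax into
# the command sent over ssh. Key path and user name are assumptions.
build_pipeline() {
    lastsnap=$1; zone=$2; currsnap=$3; desthost=$4
    for v in "$lastsnap" "$zone" "$currsnap" "$desthost"; do
        case $v in
            ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        esac
    done
    printf '%s\n' "zfs send -RI $lastsnap rpool/zones/$zone@$currsnap | ssh -i /home/backup/.ssh/zfs_backup -o BatchMode=yes -o IdentitiesOnly=yes backup@$desthost '$ALLOWED_RECV'"
}

# Dispatch only when invoked under the installed name, so the file can also
# be sourced to test the two functions above.
[ "${0##*/}" = zfs-recv-only ] && dispatch "${SSH_ORIGINAL_COMMAND:-}"
```

Because the forced command never consults the client's command line except to compare it, compromise of the backup key on the source host yields only the ability to push streams into rpool on <dest-host>, not a shell there; the refusals land in syslog under the zfs-recv-only tag.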