Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to securely invoke a Solaris privildged command (root) remotely?
Operating Systems Solaris How to securely invoke a Solaris privildged command (root) remotely? Post 302267974 by topstuff on Sunday 14th of December 2008 07:08:27 PM
Old 12-14-2008
How to securely invoke a Solaris privildged command (root) remotely?
Hi,
What I would like to do "securely" is the following.

From one central server invoke a script that does the following.
--Store user/name passwords. (password possibly encrypted in config file)
--From the central server invoke a privileged command (i.e. route add) on multiple servers.

High-level Steps:

1. User logs in Central Server
2. User Invokes "the script"
3. "The Script" --> SSH to <server(s)>, script invokes "privileged command", User has sudo-access to the "privileged command" only (everything should be logged).

Question:
What security issues can I potentially have with the above approach?
Is there other obvious (standard??) way to invoke privileged commands remotely that do not require some sort of agent running on each server? (Do I need an agent on each box??)
Would the new feature of Solaris 10 privileges help me in any way?


Your thoughts/advice on the above would be greatly appreciated.

Thanks
Sam
 

9 More Discussions You Might Find Interesting

1. Solaris

remotely Install netbackup on solaris

Hello - Could you please let me know where do I get the installer for installing netbackup on solaris 10 X86 ? along with the instructions? Thank you. (1 Reply)
Discussion started by: panchpan
1 Replies

2. Solaris

installing solaris securely

Ok, I am trying to install solaris, but I would like as a lean installation as possible (while still having a shread of functionality). If I chose the minimal install I have little if no utilities to do work on the box. My question is what installation method do most admins take? ... (7 Replies)
Discussion started by: liven
7 Replies

3. UNIX for Advanced & Expert Users

change passwd remotely in solaris 10

i'm trying to change passwd remotely in unix (solaris) and tried using "expect" but it is not working. Any ideas to change the passwd remotely using a shell script? (1 Reply)
Discussion started by: pharos467
1 Replies

4. Shell Programming and Scripting

How can i invoke SU command in shell script

Hi All , i am trying to switch user (from unix1 to unix 2 ) The user will give me the input and also the password . also how can i login into with the password . itried several attempts . no luck Can any one help on this !!! (4 Replies)
Discussion started by: raghav1982
4 Replies

5. Shell Programming and Scripting

invoke fork command

Hi, I have startup shell script called "xxxxx" for Jboss server which is taking more than expected timeline to complete the process, here I want to use the fork command to start the child process for non dependent component I have a scheduler called "yyyy" which is currently getting invoked... (2 Replies)
Discussion started by: harish76
2 Replies

6. Shell Programming and Scripting

Change root password remotely

Hi All, Hope you all doing well...!!! First of all i will like to share few information about my network. I have a network of 50 solaris servers sample IPs are (10.2.135.1 to 10.2.135.50).. i have created trust for root user of servers 1(10.2.135.1) in all other servers, that is i have shared... (4 Replies)
Discussion started by: varunksharma87
4 Replies

7. Solaris

Solaris 11 Express - cannot reboot remotely

I have installed Solaris 11 Express on my machine. I have problems trying to reboot the computer remotely. When I log to the local console as the root-user and run reboot everything is fine. But when I log in remotely from a Windows machine using putty and do the same, the computer... (3 Replies)
Discussion started by: RychnD
3 Replies

8. Shell Programming and Scripting

invoke this command after every 10 mins

Hi, I have an command which find the files modified within last 3 days and then after selecting the files from the location it make the tar format and send it to the specified destination ...now I want that this task to be automative ..that is it should happen after every 5 minutes ..plz guide me... (5 Replies)
Discussion started by: Neera
5 Replies

9. Solaris

How to remotely start ssh on Solaris?

Hi everyone, I have a Solaris machine: SunOS 5.10 Generic_127127-11 sun4v sparc SUNW,SPARC-Enterprise-T5220 After reboot, I can't ssh to this machine. Error message: ssh: connect to host xxxx port 22: Connection refused It seems ssh daemon is not running, but I don't have... (5 Replies)
Discussion started by: Zaiwen Gong
5 Replies

LEARN ABOUT PHP

systemd-ask-password

SYSTEMD-ASK-PASSWORD(1) 				       systemd-ask-password					   SYSTEMD-ASK-PASSWORD(1)

NAME

       systemd-ask-password - Query the user for a system password

SYNOPSIS

       systemd-ask-password [OPTIONS...] [MESSAGE]

DESCRIPTION

       systemd-ask-password may be used to query a system password or passphrase from the user, using a question message specified on the command
       line. When run from a TTY it will query a password on the TTY and print it to standard output. When run with no TTY or with --no-tty it
       will use the system-wide query mechanism, which allows active users to respond via several agents, listed below.

       The purpose of this tool is to query system-wide passwords -- that is passwords not attached to a specific user account. Examples include:
       unlocking encrypted hard disks when they are plugged in or at boot, entering an SSL certificate passphrase for web and VPN servers.

       Existing agents are:

       o   A boot-time password agent asking the user for passwords using plymouth(8),

       o   A boot-time password agent querying the user directly on the console -- systemd-ask-password-console.service(8),

       o   An agent requesting password input via a wall(1) message -- systemd-ask-password-wall.service(8),

       o   A TTY agent that is temporarily spawned during systemctl(1) invocations,

       o   A command line agent which can be started temporarily to process queued password requests -- systemd-tty-ask-password-agent --query.

       Answering system-wide password queries is a privileged operation, hence all the agents listed above (except for the last one), run as
       privileged system services. The last one also needs elevated privileges, so should be run through sudo(8) or similar.

       Additional password agents may be implemented according to the systemd Password Agent Specification[1].

       If a password is queried on a TTY, the user may press TAB to hide the asterisks normally shown for each character typed. Pressing Backspace
       as first key achieves the same effect.

OPTIONS

       The following options are understood:

       --icon=
	   Specify an icon name alongside the password query, which may be used in all agents supporting graphical display. The icon name should
	   follow the XDG Icon Naming Specification[2].

       --id=
	   Specify an identifier for this password query. This identifier is freely choosable and allows recognition of queries by involved
	   agents. It should include the subsystem doing the query and the specific object the query is done for. Example:
	   "--id=cryptsetup:/dev/sda5".

       --keyname=
	   Configure a kernel keyring key name to use as cache for the password. If set, then the tool will try to push any collected passwords
	   into the kernel keyring of the root user, as a key of the specified name. If combined with --accept-cached, it will also try to
	   retrieve such cached passwords from the key in the kernel keyring instead of querying the user right away. By using this option, the
	   kernel keyring may be used as effective cache to avoid repeatedly asking users for passwords, if there are multiple objects that may be
	   unlocked with the same password. The cached key will have a timeout of 2.5min set, after which it will be purged from the kernel
	   keyring. Note that it is possible to cache multiple passwords under the same keyname, in which case they will be stored as
	   NUL-separated list of passwords. Use keyctl(1) to access the cached key via the kernel keyring directly. Example:
	   "--keyname=cryptsetup"

       --timeout=
	   Specify the query timeout in seconds. Defaults to 90s. A timeout of 0 waits indefinitely.

       --echo
	   Echo the user input instead of masking it. This is useful when using systemd-ask-password to query for usernames.

       --no-tty
	   Never ask for password on current TTY even if one is available. Always use agent system.

       --accept-cached
	   If passed, accept cached passwords, i.e. passwords previously entered.

       --multiple
	   When used in conjunction with --accept-cached accept multiple passwords. This will output one password per line.

       --no-output
	   Do not print passwords to standard output. This is useful if you want to store a password in kernel keyring with --keyname but do not
	   want it to show up on screen or in logs.

       -h, --help
	   Print a short help text and exit.

EXIT STATUS

       On success, 0 is returned, a non-zero failure code otherwise.

SEE ALSO

       systemd(1), systemd-ask-password-console.service(8), systemd-tty-ask-password-agent(1), keyctl(1), plymouth(8), wall(1)

NOTES

	1. systemd Password Agent Specification
	   https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents

	2. XDG Icon Naming Specification
	   http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html

systemd 237														   SYSTEMD-ASK-PASSWORD(1)
All times are GMT -4. The time now is 08:47 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy