How to securely invoke a Solaris privileged command (root) remotely?
Post 302283314 by otheus on Tuesday 3rd of February 2009 04:57:03 AM
In general, use SSH to accomplish secure remote command execution. You create a public/private keypair for each user and distribute that user's public keys to all the other machines. Then you can securely have root log into another root host.

Quote:
What security issues can I potentially have with the above approach?
Many. If the "privileged command" can be tricked or fooled in some way, the security will be broken. If the "privileged command" is actually a script, there's a good chance this can be broken no matter what. If the command takes input from the user, there's a possibility the security can be broken. On the other hand, doing this is much better than allowing a user root access or allowing the user to run a script with sudo.

Quote:
Is there other obvious (standard??) way to invoke privileged commands remotely that do not require some sort of agent running on each server? (Do I need an agent on each box??)
Yes, but rsh is deemed broken by nearly all security experts. It works fairly well, however, in a LAN not connected to the internet and in which every NIC is using IPSEC or every port is locked to a MAC-Address, and in which all hostnames are kept statically in the /etc/hosts file of every host.

Quote:
Would the new feature of Solaris 10 privileges help me in any way?

Yes, but they would not work in a heterogeneous network (mixed with other OS's).
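The SSH approach from the post, carried through as an added example (this is not code from the original thread): an authorized_keys entry that pins the calling host's key to one wrapper via an OpenSSH forced command, and a POSIX sh wrapper that only runs exact, pre-approved command lines. It addresses the "can be tricked" caveat above by never evaluating the client's request, only comparing it. The wrapper path, service names, log tags and key comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of otheus's post: pin a remote root key to one
# wrapper with an OpenSSH forced command, and have the wrapper allow only
# an exact list of command lines.  Paths, service names and the key
# comment are assumptions for illustration.
#
# On the target host, the authorized_keys entry for the calling host's key
# (hypothetical key material):
#
#   command="/usr/local/sbin/privcmd-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... deploy@bastion
#
# With a forced command, sshd runs the wrapper regardless of what the client
# asked for; the client's request arrives only as $SSH_ORIGINAL_COMMAND and
# sshd never hands it to a shell.  Whether the wrapper hands it to a shell
# is up to us, so the wrapper never evaluates it.

# Exact command lines this key may run, one per line.  Matching is on the
# whole line, so "... svc:/network/http:apache2 -x" is refused.
ALLOWED='/usr/sbin/svcadm restart svc:/network/http:apache2
/usr/sbin/svcadm restart svc:/application/database/postgresql:default
/usr/bin/uptime'

nl='
'

# is_allowed CMD: 0 if CMD is exactly one of the ALLOWED lines, 1 otherwise.
is_allowed() {
    case "$1" in
        '')      return 1 ;;   # no request at all (interactive login attempt)
        *"$nl"*) return 1 ;;   # an embedded newline would become a second grep pattern
    esac
    printf '%s\n' "$ALLOWED" | grep -Fxq -- "$1"
}

# serve: what runs when sshd invokes the wrapper.  Refuse anything not on
# the list, log both outcomes, then exec the approved line without shell
# evaluation (set -f disables globbing; splitting is on whitespace only).
serve() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if ! is_allowed "$req"; then
        command -v logger >/dev/null 2>&1 &&
            logger -p auth.warning -t privcmd-wrapper "refused from ${SSH_CLIENT%% *}: ${req:-<none>}"
        printf 'privcmd-wrapper: command not permitted\n' >&2
        exit 1
    fi
    command -v logger >/dev/null 2>&1 &&
        logger -p auth.info -t privcmd-wrapper "running for ${SSH_CLIENT%% *}: $req"
    set -f
    # shellcheck disable=SC2086  -- intentional word splitting of an allowlisted line
    exec $req
}

# Only serve when installed and invoked under the wrapper's name; when the
# file is sourced or run under another name, the functions are merely defined.
case "$0" in
    */privcmd-wrapper|privcmd-wrapper) serve ;;
esac
```

Install the script as /usr/local/sbin/privcmd-wrapper (the name the final case statement checks), and consider adding OpenSSH's from="addr" option to the same authorized_keys line so the key is also bound to the calling host's address. From the bastion, ssh root@target /usr/bin/uptime runs, while ssh root@target '/usr/bin/uptime; id' is refused and logged. The wrapper is itself a script, which is exactly the kind of "privileged command" the post warns can be broken; that is why it compares the request byte-for-byte instead of parsing or evaluating it.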
 

HOSTS.EQUIV(5)                 BSD File Formats Manual                HOSTS.EQUIV(5)

NAME
     hosts.equiv, .rhosts -- trusted remote hosts and host-user pairs

DESCRIPTION
     The hosts.equiv and .rhosts files list hosts and users which are
     ``trusted'' by the local host when a connection is made via rlogind(8),
     rshd(8), or any other server that uses ruserok(3).  This mechanism
     bypasses password checks, and is required for access via rsh(1).

     Each line of these files has the format:

           hostname [username]

     The hostname may be specified as a host name (typically a fully qualified
     host name in a DNS environment) or address, +@netgroup (from which only
     the host names are checked), or a ``+'' wildcard (allow all hosts).

     The username, if specified, may be given as a user name on the remote
     host, +@netgroup (from which only the user names are checked), or a ``+''
     wildcard (allow all remote users).

     If a username is specified, only that user from the specified host may
     login to the local machine.  If a username is not specified, any user may
     login with the same user name.

EXAMPLES
     somehost
             A common usage: users on somehost may login to the local host as
             the same user name.

     somehost username
             The user username on somehost may login to the local host.  If
             specified in /etc/hosts.equiv, the user may login with only the
             same user name.

     +@anetgroup username
             The user username may login to the local host from any machine
             listed in the netgroup anetgroup.

     +
     + +
             Two severe security hazards.  In the first case, allows a user on
             any machine to login to the local host as the same user name.  In
             the second case, allows any user on any machine to login to the
             local host (as any user, if in /etc/hosts.equiv).

WARNINGS
     The username checks provided by this mechanism are not secure, as the
     remote user name is received by the server unchecked for validity.
     Therefore this mechanism should only be used in an environment where all
     hosts are completely trusted.

     A numeric host address instead of a host name can help security
     considerations somewhat; the address is then used directly by
     iruserok(3).

     When a username (or netgroup, or +) is specified in /etc/hosts.equiv,
     that user (or group of users, or all users, respectively) may login to
     the local host as any local user.  Usernames in /etc/hosts.equiv should
     therefore be used with extreme caution, or not at all.

     A .rhosts file must be owned by the user whose home directory it resides
     in, and must be writable only by that user.

     Logins as root only check root's .rhosts file; the /etc/hosts.equiv file
     is not checked for security.  Access permitted through root's .rhosts
     file is typically only for rsh(1), as root must still login on the
     console for an interactive login such as rlogin(1).

FILES
     /etc/hosts.equiv  Global trusted host-user pairs list
     ~/.rhosts         Per-user trusted host-user pairs list

SEE ALSO
     rcp(1), rlogin(1), rsh(1), rcmd(3), ruserok(3), netgroup(5)

HISTORY
     The .rhosts file format appeared in 4.2BSD.

BUGS
     The ruserok(3) implementation currently skips negative entries (preceded
     with a ``-'' sign) and does not treat them as ``short-circuit'' negative
     entries.

BSD                             November 26, 1997                             BSD
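The hazards the manual page lists (``+'' wildcards, usernames in /etc/hosts.equiv, a .rhosts with the wrong owner or mode) can be checked mechanically before anyone relies on rsh trust. Added example, not from the forum thread or the BSD manual page: a POSIX sh audit of a hosts.equiv or .rhosts file, following the WARNINGS section's reading of usernames in /etc/hosts.equiv, plus the owner and write-permission check rshd requires for ~/.rhosts. The sample file content is constructed for illustration; the hostnames and netgroup in it are made up.

```shell
#!/bin/sh
# Added example, not from the forum thread or the BSD manual page: audit an
# /etc/hosts.equiv or ~/.rhosts file for the hazards the manual describes.
# The sample content below is constructed; hostnames and netgroup are made up.

# audit_trust_file FILE KIND
#   KIND is "equiv" for /etc/hosts.equiv or "rhosts" for a per-user ~/.rhosts.
#   Prints one finding per hazardous line; returns 0 if clean, 1 if any found.
audit_trust_file() {
    awk -v kind="$2" -v file="$1" '
        /^[ \t]*(#|$)/ { next }     # blank line or comment
        $1 ~ /^-/      { next }     # negative entry: ruserok skips it anyway (see BUGS)
        {
            why = ""
            if ($1 == "+")
                why = why "any host trusted; "
            if ($2 == "+") {
                if (kind == "equiv") why = why "any remote user, as any local user; "
                else                 why = why "any remote user, as this account; "
            } else if (kind == "equiv" && $2 != "" && $2 !~ /^-/) {
                why = why "username in hosts.equiv: that user may log in as ANY local user; "
            }
            if (why != "") { n++; printf "%s:%d: %s[%s]\n", file, NR, why, $0 }
        }
        END { exit (n > 0) }
    ' "$1"
}

# check_rhosts_perms FILE
#   rlogind/rshd ignore a .rhosts that is not owned by the owner of the home
#   directory it sits in, or that is writable by anyone else.  Returns 0 when
#   both conditions hold, 1 otherwise.  ls(1) is used for the owner because
#   stat(1) differs between Solaris, BSD and Linux.
check_rhosts_perms() {
    [ -f "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    home_owner=$(ls -ld "$(dirname "$1")" | awk '{ print $3 }')
    [ "$owner" = "$home_owner" ] || return 1
    # find prints the path if any group- or other-write bit is set
    [ -z "$(find "$1" \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# Constructed sample exercising the cases from EXAMPLES and WARNINGS.
SAMPLE='# constructed sample file
buildhost.example.net
buildhost.example.net deploy
+@trusted-hosts
+ +
-badhost.example.net
+'

# Run the sample through both interpretations.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE" > "$d/hosts.equiv"
    echo "== read as /etc/hosts.equiv"
    audit_trust_file "$d/hosts.equiv" equiv || echo "   -> hazards found"
    echo "== read as ~/.rhosts"
    audit_trust_file "$d/hosts.equiv" rhosts || echo "   -> hazards found"
    rm -rf "$d"
}
demo
```

Read as /etc/hosts.equiv the sample yields three findings (the deploy username, ``+ +'' and ``+''); read as ~/.rhosts it yields two, since a username in a per-user file only widens access to that one account. The negative entry is skipped in both modes, mirroring the BUGS note that ruserok(3) does not honour it, so it should not be counted on to block anything.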
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.