Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to securely invoke a Solaris privildged command (root) remotely?
Operating Systems Solaris How to securely invoke a Solaris privildged command (root) remotely? Post 302283314 by otheus on Tuesday 3rd of February 2009 04:57:03 AM
Old 02-03-2009
In general, use SSH to accomplish secure remote command execution. You create a public/private keypair for each user and distribute that user's public keys to all the other machines. Then you can securely have root log into another root host.

Quote:
What security issues can I potentially have with the above approach?
Many. If the "privileged command" can be tricked or fooled in some way, the security will be broken. If the "privileged command" is actually a script, there's a good chance this can be broken no matter what. If the command takes input from the user, there's a possibility the security can be broken. On the other hand, doing this is much better than allowing a user root access or allowing the user to run a script with sudo.

Quote:
Is there other obvious (standard??) way to invoke privileged commands remotely that do not require some sort of agent running on each server? (Do I need an agent on each box??)
Yes, but rsh is deemed broken by nearly all security experts. It works fairly well, however, in a LAN not connected to the internet and in which every NIC is using IPSEC or every port is locked to a MAC-Address, and in which all hostnames are kept statically on the /etc/hosts file of every hosts.

[code]
Would the new feature of Solaris 10 privileges help me in any way?[/QUOTE]

Yes, but they would not work in a heterogeneous network (mixed with other OS's).
 

9 More Discussions You Might Find Interesting

1. Solaris

remotely Install netbackup on solaris

Hello - Could you please let me know where do I get the installer for installing netbackup on solaris 10 X86 ? along with the instructions? Thank you. (1 Reply)
Discussion started by: panchpan
1 Replies

2. Solaris

installing solaris securely

Ok, I am trying to install solaris, but I would like as a lean installation as possible (while still having a shread of functionality). If I chose the minimal install I have little if no utilities to do work on the box. My question is what installation method do most admins take? ... (7 Replies)
Discussion started by: liven
7 Replies

3. UNIX for Advanced & Expert Users

change passwd remotely in solaris 10

i'm trying to change passwd remotely in unix (solaris) and tried using "expect" but it is not working. Any ideas to change the passwd remotely using a shell script? (1 Reply)
Discussion started by: pharos467
1 Replies

4. Shell Programming and Scripting

How can i invoke SU command in shell script

Hi All , i am trying to switch user (from unix1 to unix 2 ) The user will give me the input and also the password . also how can i login into with the password . itried several attempts . no luck Can any one help on this !!! (4 Replies)
Discussion started by: raghav1982
4 Replies

5. Shell Programming and Scripting

invoke fork command

Hi, I have startup shell script called "xxxxx" for Jboss server which is taking more than expected timeline to complete the process, here I want to use the fork command to start the child process for non dependent component I have a scheduler called "yyyy" which is currently getting invoked... (2 Replies)
Discussion started by: harish76
2 Replies

6. Shell Programming and Scripting

Change root password remotely

Hi All, Hope you all doing well...!!! First of all i will like to share few information about my network. I have a network of 50 solaris servers sample IPs are (10.2.135.1 to 10.2.135.50).. i have created trust for root user of servers 1(10.2.135.1) in all other servers, that is i have shared... (4 Replies)
Discussion started by: varunksharma87
4 Replies

7. Solaris

Solaris 11 Express - cannot reboot remotely

I have installed Solaris 11 Express on my machine. I have problems trying to reboot the computer remotely. When I log to the local console as the root-user and run reboot everything is fine. But when I log in remotely from a Windows machine using putty and do the same, the computer... (3 Replies)
Discussion started by: RychnD
3 Replies

8. Shell Programming and Scripting

invoke this command after every 10 mins

Hi, I have an command which find the files modified within last 3 days and then after selecting the files from the location it make the tar format and send it to the specified destination ...now I want that this task to be automative ..that is it should happen after every 5 minutes ..plz guide me... (5 Replies)
Discussion started by: Neera
5 Replies

9. Solaris

How to remotely start ssh on Solaris?

Hi everyone, I have a Solaris machine: SunOS 5.10 Generic_127127-11 sun4v sparc SUNW,SPARC-Enterprise-T5220 After reboot, I can't ssh to this machine. Error message: ssh: connect to host xxxx port 22: Connection refused It seems ssh daemon is not running, but I don't have... (5 Replies)
Discussion started by: Zaiwen Gong
5 Replies

LEARN ABOUT REDHAT

mkxauth

mkxauth(1x)							Linux User's Manual						       mkxauth(1x)

NAME

       mkxauth - create and merge .Xauthority files

SYNOPSIS(1) mkxauth [ -q ] [ -u login ] -c [ host [ host ... ] ]

       (2) mkxauth [ -q ] [ -u login ] -m login(3) mkxauth [ -q ] [ -u login ] -f host(4) mkxauth [ -q ] [ -u login ] -r host [ -l login ]

       (5) mkxauth [ -q ] [ -u login ] -z host [ -l login ]

DESCRIPTION

       mkxauth	aids  in the creation and maintenance of X authentication databases (.Xauthority files).  Use it to create a ~/.Xauthority file or
       merge keys from another local or remote .Xauthority file.  Remote .Xauthority files can be  retrieved  via  FTP	(using	ncftp(1))  or  via
       rsh(1).	For a slight measure of security, mkxauth does not create any temporary files containing authentication keys (although anyone spy-
       ing on network packets can see the authentication key data as they pass	through  the  network;	for  secure  network  communications,  use
       ssh(1)).

   Creating and Adding to a .Xauthority File
       To  create  a .Xauthority file, use mkxauth -c (see(1) above).	mkxauth creates a .Xauthority file in the user's home directory (~/), con-
       taining a `key' or `magic cookie' for the host it was run on (the one returned by hostname(1)).	If a .Xauthority file already exists,  the
       keys are added to it.  If keys for that host already exist, they are replaced.

       To  create  or add to a .Xauthority file for another user, use mkxauth -u login -c.  mkxauth adds keys to ~login/.Xauthority (only the root
       user is allowed to do this).

       To add a key for more than one host, specify all hosts on the command line: mkxauth -c daffy porky bugs.  All hosts specified on  the  same
       command line receive the same key.  To create different keys for multiple hosts, run mkxauth for each host in succession:

	      mkxauth -c daffy
	      mkxauth -c porky
	      mkxauth -c bugs

   Merging Keys from Local .Xauthority Files
       To  merge keys from another local user's .Xauthority file, use mkxauth -m login (see(2) above).  mkxauth adds the keys in ~login/.Xauthor-
       ity to ~/.Xauthority, replacing any keys which already exist.  ~login/.Xauthority must be readable by the user  running	mkxauth  (normally
       only the root user can read other people's .Xauthority files).

   Merging Keys via FTP
       To  merge  keys from a remote .Xauthority file via FTP, use mkxauth -f host (see(3) above).  mkxauth retrieves the remote .Xauthority from
       host using ncftp(1) and adds those keys to ~/.Xauthority, replacing any keys which already exist.  [NOTE: you must have a ~/.netrc file set
       up to automatically log you into host, otherwise the FTP login attempt will fail.]

   Merging Keys via rsh(1)
       To  merge keys from remote .Xauthority file via rsh(1), use mkxauth -r host (see(4) above).  mkxauth retrieves the remote .Xauthority from
       host using rsh(1) and adds those keys to ~/.Xauthority, replacing any keys which already exist.	To login  as  a  different  user,  use	-l
       login.  [NOTE: you must have a .rhosts file set up properly for this to work, otherwise the remote login attempt will fail].

   Merging Keys via rsh(1) and gzip(1)
       If  your  remote  .Xauthority file is large, or to make it slightly less obvious that you're transferring authentication keys over the net-
       work, mkxauth can gzip(1) your .Xauthority file before retrieving it via rsh(1).  To do this, use mkxauth -z host (see(5) above).  mkxauth
       retrieves  the  remote .Xauthority from host using rsh(1) and adds those keys to ~/.Xauthority, replacing any keys which already exist.	To
       login as a different user, use -l login.  [NOTE: you must have a .rhosts file set up properly for this to work, otherwise the remote  login
       attempt will fail].

   Options
       To make mkxauth operate quietly, use the -q option.

       To add to ~login/.Xauthority, use the -u login option.

       To use login for the remote login in mkxauth -f, mkxauth -r, and mkxauth -z, use the -l login option.

   Getting Help
       To get quick help about mkxauth, use mkxauth --help.

FILES

       ~/.Xauthority
       ~/.netrc
       ~/.rhosts

COMMENTS

       mkxauth	is mostly useful for maintaining .Xauthority files in an environment which uses startx(1x).  xdm(1x) uses its own method of gener-
       ating .Xauthority files.  However, mkxauth is still useful for transferring .Xauthority information to remote login sessions  so  that  the
       user can display remote X clients on the local host without too much trouble.

       Note,  however,	that  using  rsh(1)  is  inherently  insecure,	and  sites  concerned  about  security	should	use  ssh(1)  instead  (see
       http://www.cs.hut.fi/ssh/ for more information).

SEE ALSO

       X(1x), Xsecurity(1x), gzip(1), mcookie(1), md5sum(1), ncftp(1), rsh(1), startx(1x), xauth(1x), xdm(1x)

BUGS

       Does not respect the XAUTHORITY environment variable.

AUTHOR

       Conceived and written by Jim Knoble <jmknoble@redhat.com>.  Copyright 1996 by Jim Knoble and Red Hat Software.  Distributed under  the  GNU
       GPL (General Public License); see ftp://prep.ai.mit.edu/pub/gnu/COPYING for more information.

Red Hat Software						    12-Dec-1996 						       mkxauth(1x)
All times are GMT -4. The time now is 10:47 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy