csp_scp_keep_mode(1) [debian man page]
csp_helper(1) USER COMMANDS csp_helper(1) NAME csp_helper - A collection of caspar helper scripts SYNOPSIS csp_install dir (directory) file (file) csp_mkdircp dir (directory) file (file) csp_scp_keep_mode h ([user@]host) dir (directory) file (file) csp_sucp h ([user@]host) dir (directory) file (file) DESCRIPTION The scripts csp_install, csp_mkdircp, csp_scp_keep_mode and csp_sucp are helpers for caspar(7). These scripts typically are not invoked directly, but via a Makefile which uses caspar. See the notes on csp_PUSH in caspar(7) for information on how to link csp_install, csp_scp_keep_mode and csp_sucp to caspar. install DESCRIPTION csp_install creates the required directory (if needed) and installs the file, preserving timestamps. It uses install(1). install EXAMPLES csp_INSTALL_OPTIONS='--owner=www-data --group=www-data' csp_INSTALL_MODE=ugo=r csp_install /srv/www index.html csp_INSTALL_MODE=u=rwx,go= csp_install /usr/local/sbin mkpasswd install ENVIRONMENT csp_install honors csp_INSTALL_OPTIONS and csp_INSTALL_MODE (default is u=rw,go=r). mkdircp DESCRIPTION csp_mkdircp calls mkdir(1) and cp(1). scp_keep_mode DESCRIPTION csp_scp_keep_mode uses ssh to copy a file to a remote host, keeping its file permission mode. The trick used is a combination of mktemp(1) and mv(1). Useful if you'd like to be sure a file gets installed e.g. group writable, without fiddling with permission bits on the remote host. scp_keep_mode EXAMPLE chmod g+w rc csp_scp_keep_mode root@gandalf /etc/uruk rc scp_keep_mode ENVIRONMENT csp_scp_keep_mode honors csp_SSH ("ssh" by default). sucp DESCRIPTION csp_sucp calls cat(1) from within sudo(1) from within ssh(1). This allows one to copy files to accounts on hosts one can only reach by call- ing sudo on the ssh-reachable remote host. Typically, one wants to install a root-owned file, but one does not want to allow access to the root-account directly from ssh. Typically sudo is used as an extra line of defense. sucp EXAMPLES Some examples: csp_sucp rms@bilbo /etc fstab csp_sucp monty-python commit/ trailer.txt sucp BUGS If NOPASSWD is not set in the sudoers(5) file, and one's timestamp is expired, csp_sucp will forward the sudo password prompt. The given password will be echoed on the console! AUTHOR Joost van Baal-Ili SEE ALSO caspar(7) The caspar homepage is at http://mdcc.cx/caspar/ . csp_helper 20120514 14 mai 2012 csp_helper(1)
Check Out this Related Man Page
pam_ssh_agent_auth(8) PAM pam_ssh_agent_auth(8) PAM_SSH_AGENT_AUTH This module provides authentication via ssh-agent. If an ssh-agent listening at SSH_AUTH_SOCK can successfully authenticate that it has the secret key for a public key in the specified file, authentication is granted, otherwise authentication fails. SUMMARY
/etc/pam.d/sudo: auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys /etc/sudoers: Defaults env_keep += "SSH_AUTH_SOCK" This configuration would permit anyone who has an SSH_AUTH_SOCK that manages the private key matching a public key in /etc/security/authorized_keys to execute sudo without having to enter a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can either be local, or forwarded. Unlike NOPASSWD, this still requires an authentication, it's just that the authentication is provided by ssh-agent, and not password entry. ARGUMENTS
file=<path to authorized_keys> Specify the path to the authorized_keys file(s) you would like to use for authentication. Subject to tilde and % EXPANSIONS (below) allow_user_owned_authorized_keys_file A flag which enables authorized_keys files to be owned by the invoking user, instead of root. This flag is enabled automatically whenever the expansions %h or ~ are used. debug A flag which enables verbose logging sudo_service_name=<service name you compiled sudo to use> (when compiled with --enable-sudo-hack) Specify the service name to use to identify the service "sudo". When the PAM_SERVICE identifier matches this string, and if PAM_RUSER is not set, pam_ssh_agent_auth will attempt to identify the calling user from the environment variable SUDO_USER. This defaults to "sudo". EXPANSIONS
~ -- same as in shells, a user's Home directory Automatically enables allow_user_owned_authorized_keys_file if used in the context of ~/. If used as ~user/, it would expect the file to be owned by 'user', unless you explicitely set allow_user_owned_authorized_keys_file %h -- User's Home directory Automatically enables allow_user_owned_authorized_keys_file %H -- The short-hostname %u -- Username %f -- FQDN EXAMPLES
in /etc/pam.d/sudo "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys" The default .ssh/authorized_keys file in a user's home-directory "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys" Same as above. "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys" If the home-directory of user 'fred' was /home/fred, this would expand to /home/fred/.ssh/authorized_keys. In this case, we have not specified allow_user_owned_authorized_keys_file, so this file must be owned by 'fred'. "auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys allow_user_owned_authorized_keys_file" On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar/fred/authorized_keys. In this case, we specified allow_user_owned_authorized_keys_file, so fred would be able to manage that authorized_keys file himself. "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys" On a host named foobar.baz.com, and a user named fred, would expand to /secure/foobar.baz.com/fred/authorized_keys. In this case, we have not specified allow_user_owned_authorized_keys_file, so this file must be owned by root. v0.8 2009-08-09 pam_ssh_agent_auth(8)