SUMMARY: remote exec

From: Ladislav Kostal <>
Date: Tue Nov 27 2001 - 11:28:04 EST
Thanks to Stephen Harris, Nick Hindley, Julian Simpson, Michael Groisman, Ed
Rolison, Markus Wildemann, Eduardo Sanchez.


Recomended (and probably most secure) way is using public-key authorization
in ssh. I make it working this way:

I need to execute "mkdir /home/newuser" from server A as nobody (using web
page) on server B

1) enable shell (just for creating .ssh2 directory for the first time) and
real homedir for nobody on A
2) create private and public key:  ssh-keygen2 -P   (don't ask for password)
3) rename created id_dsa... to serverA
4) rename created to
5) create $HOME/.ssh2/identification with this line:     idkey  serverA
6) now you can disable shell for nobody, but keep home dir! (ssh needs it)
7) add user power_u on server B with shell /usr/bin/pfcsh
8) add this line to /etc/user_attr on server B:
power_u::::type=normal;profiles=Power User
9) add this line to /etc/security/exec_attr on server B:   Power
10) create script /usr/local/bin/createuser, which will be run under uid 0,
when executed by power_u:
      mkdir /home/aaaaa
11) copy to /home/power_u/.ssh2/ on server B
12) add this line to /home/power_u/.ssh2/authorization on server B:     key
13) create web page on server A, e.g.:

#!/usr/bin/perl -w

use strict;
use CGI;
my $q = new CGI;

print $q->header, $q->start_html;
open (F,"/usr/local/ssh2/bin/ssh2 power_u\@serverB
/usr/local/bin/createuser") or print $!;
print $q->end_html;

14) test it:) - now it should be directory /home/aaaaa on serverB
15) If you need to place keys elsewhere on server A, add option -i
/path/to/identification/file to ssh and add full path to idkey in this file
to serverA file
16) I've used another user (power_u), because he can run just one command as
root and I don't want to allow root to ssh.

That's all.

If you have any comments to this (security, functional), please mail me.

Ladislav Kostal


How can I remotely exec some command as a root?
Example: I have 2 servers - A is administrative server, B is server for
I need to create account on server B from server A. I knww about using ssh
and public-key authorization for this, but is it secure enough or is there
something better?


I forgot to add, that I need to run command from web pages - e.g.
administrative scrips for creating users on other server. As the web server
runs as nobody user, how to use public-key authorization (no-passphrase)?

server A (nobody) -> server B (root)
e.g. (nobody) -> mkdir /home/user1 (root)
Received on Tue Nov 27 16:28:04 2001

This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:32:36 EDT