Re: [Gnu-arch-users] RFC: arch protocol, smart server, and tla implement
From: Andrew Suffield
Subject: Re: [Gnu-arch-users] RFC: arch protocol, smart server, and tla implementation prototypes
Date: Fri, 30 Jan 2004 21:51:24 +0000
User-agent: Mutt/1.5.5.1+cvs20040105i
On Fri, Jan 30, 2004 at 09:42:11PM +0000, Scott Parish wrote:
> I did some initial looking around this morning and found that you can
> specify in a user's authorized_keys file a specific program to be
> executed as their "shell", and won't allow overriding that; the same can
> prevent pty usage, port/x11 forwarding, etc.
>
> Thinking out loud...
>
> What would be really nice is if an ssh user could allow for subusers,
> kind of like the whole dot-qmail thing. As an example, i could define
> srp-anonymous and srp-srp. Those two subusers would be authenticated
> based off some mechanism which i (srp) defined somewhere in my ~/.ssh/
> directory (auth against flat file or database or pub keys file ...).
> Those users i could also lock down, so that they can only run certain
> subsystems and the like.
>
> When a user successfully authenticates as a subuser, sshd will setuid to
> the owning user ("srp"), and then set an environment variable VUSER to
> the subuser ("anonymous" or "srp") before execing the subsystem or shell
> or whatever.
>
>
> Would this be useful, or would i be wasting my time looking into doing
> such? Also, is this a solid design, or have i overlooked something?

Get an ssh public key from each person. Put it in your
.authorized_users, with the stuff you mentioned above. It'll run
whatever script you want. You just described something like
"env VUSER=anonymous foo".

This technique is fairly commonly used for ssh-based triggers (like
"Start the rsync mirror now").
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
signature.asc
Description: Digital signature
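The per-key forced command discussed in this message, sketched as an added example that is not part of the original post or of tla. The wrapper name `vuser-gate`, its `--serve` flag, the handler directory and the `archive-read`/`archive-write` actions are assumptions made for illustration; `command=`, `no-pty`, `no-port-forwarding`, `no-X11-forwarding` and `SSH_ORIGINAL_COMMAND` are standard OpenSSH.

```shell
#!/bin/sh
# vuser-gate: forced-command wrapper (hypothetical name and policy).
#
# Constructed ~/.ssh/authorized_keys entries, one key per person. sshd runs
# the command= string and ignores the command the client asked for:
#   command="env VUSER=anonymous /usr/local/bin/vuser-gate --serve",no-pty,no-port-forwarding,no-X11-forwarding ssh-ed25519 <anonymous-public-key>
#   command="env VUSER=srp /usr/local/bin/vuser-gate --serve",no-pty,no-port-forwarding,no-X11-forwarding ssh-ed25519 <srp-public-key>
#
# sshd hands the client's requested command to the wrapper in the
# SSH_ORIGINAL_COMMAND environment variable.

# vuser_decide VUSER REQUEST
# Prints the fixed action to run, or returns 1 to deny.
# The request is only compared against literals; it is never eval'd,
# word-split or passed to a shell, so "archive-read; id" simply fails to match.
vuser_decide() {
    vuser=$1 request=$2
    case "$vuser:$request" in
        anonymous:archive-read|srp:archive-read)
            echo "archive-read" ;;
        srp:archive-write)
            echo "archive-write" ;;
        *)
            return 1 ;;   # unknown subuser, empty request, or action not allowed
    esac
}

# vuser_serve: entry point used by the forced command.
vuser_serve() {
    action=$(vuser_decide "${VUSER:-}" "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "denied for VUSER='${VUSER:-}'" >&2
        return 1
    }
    # Hypothetical handler directory; only names printed above can reach here.
    exec "/usr/local/lib/vuser-gate/$action"
}

# Run only when invoked as the forced command, so the file can also be
# sourced to exercise vuser_decide on its own.
if [ "${1:-}" = "--serve" ]; then
    vuser_serve
fi
```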