
#1 2008-09-25 05:27:08

pseudonomous
Member
Registered: 2008-04-23
Posts: 349

[SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

Hello,

Here's my problem: I've got two boxes, gypsy and crow, and gypsy has a habit of having the display lock up. I don't think the system is completely locked up, so I'm pretty sure I can ssh and reboot it (since I set up ssh on gypsy, the box hasn't actually locked up, though, so I don't know for sure).

Because I'm paranoid, I don't want to allow ssh into gypsy to do anything BESIDES reboot, so I'm interested in what's the best way to implement this.  I could stick the reboot command into .bash_profile for my dedicated reboot user, but if you're fast enough w/ ^c you (where you are, presumably, automated cracking software) could, conceivably, kill the process before it's done running, and end up logged in.

This is going to be continued in a browser that isn't links.

Edit: Continued:

So I tried writing a shell script

#!/bin/bash
sudo reboot

and using that script as the login shell for the dedicated reboot user ("rebooter"), but I would get a permission denied error when I tried to login as the user then.  (My sudoers file allows the user "rebooter" to run reboot w/o a passwd).  So it seems like in principle you could make this work, I'm just doing something wrong.

But this raises another question, could I still manage to login to bash by interrupting this script?  I don't think so, because in this instance bash is not running interactively, please tell me if I'm wrong.

Is there maybe a better way to set this up?  Maybe there's something I can do with the config to sshd to force login by the "rebooter" to force a reboot? 

I guess there might also be some way for me to set things up with chroot so that if you managed to login as "rebooter" you couldn't do anything meaningful besides reboot anyway, but I haven't looked into this yet.  If this is the best answer, go ahead and tell me to rtfm, but first I'd like to know if there's a simpler solution.

Last edited by pseudonomous (2008-09-27 00:57:23)


#2 2008-09-25 09:23:59

my0pic
Member
From: Melbourne, Australia
Registered: 2008-05-23
Posts: 206

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

I think what you need is to look into using key-based authentication to ssh into gypsy. I believe you can modify the authentication key to only accept a specific command to be run.


#3 2008-09-25 12:52:23

chimeric
Member
From: Munich, Germany
Registered: 2007-10-07
Posts: 254
Website

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

my0pic is right. You could use a custom key for your "reboot-user" and specify a command which is run when someone authenticates with this specific key, as well as denying the allocation of tty.

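The restricted key suggested in posts #2 and #3, as an added example that is not part of the original thread: one function builds the authorized_keys line that pins a key to the reboot command with no tty, and another audits the file for keys that could do more. The account name "rebooter", the client host "crow", the sample key and the existing passwordless sudo rule for /usr/bin/reboot are assumptions.

```shell
#!/bin/sh
# Assumed names: account "rebooter", client host "crow", /usr/bin/reboot via sudo.
OPTS='command="sudo /usr/bin/reboot",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# Print the authorized_keys line that pins public key $1 to the reboot command.
restricted_entry() {
    printf '%s %s\n' "$OPTS" "$1"
}

# Report every key in authorized_keys file $1 that could do more than the
# forced command. Returns 0 when all keys are locked down, 1 otherwise.
audit_keys() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
            ssh-*|ecdsa-*|sk-*)   # line starts with the key type: no options
                echo "line $n: no options (full shell access)"; bad=1; continue ;;
        esac
        # Options are everything before the key type token. A command that
        # itself contains " ssh-" is cut short and flagged, which fails safe.
        opts=${line%% ssh-*}; opts=${opts%% ecdsa-*}; opts=${opts%% sk-*}
        case $opts in
            *command=\"*) ;;
            *) echo "line $n: no forced command"; bad=1; continue ;;
        esac
        case ",$opts," in
            *,no-pty,*|*,restrict,*) ;;   # "restrict" also disables the pty
            *) echo "line $n: pty not disabled"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Constructed sample key (not a real key); append the output to
# ~rebooter/.ssh/authorized_keys on gypsy.
restricted_entry 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSAMPLEkeyDATA rebooter@crow'
```

With this entry in place, whatever command the client asks for is ignored and sshd runs only the forced command for that key.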

#4 2008-09-25 13:47:05

robmaloy
Member
From: Germany
Registered: 2008-05-14
Posts: 263

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

did you chmod +x your "script"? :>


edit: what do you mean by "display lockup"?

Last edited by robmaloy (2008-09-25 13:51:12)


☃ Snowman ☃


#5 2008-09-25 13:53:07

carlocci
Member
From: Padova - Italy
Registered: 2008-02-12
Posts: 368

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

you could change the user shell to something like this

carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/usr/bin/sudo shutdown now -r

or

carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/bin/bash -c sudo shutdown now -r


#6 2008-09-25 19:15:14

dschrute
Member
From: NJ, USA
Registered: 2007-04-09
Posts: 183

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

Personally I would use Webmin for this rather than ssh.  You can very easily create a Webmin only ( no shell access ) user that has access only to reboot your machine via Webmin, and can also restrict the default ( admin/root ) Webmin user from logging in from anywhere except the localhost.  This effectively limits remote Webmin access to rebooting and nothing else.  Webmin's built-in ACL's and customized access are really quite good, and allow for some rather creative restrictions.

In short you create a "Custom Command" in Webmin that reboots the system, create a user, assign only that custom command to the new user, then restrict where the default/admin user may login from.  You should also restrict the settings on the custom command to prevent the user from making any changes.

I've done exactly this for users that needed to do simple tasks like clear print queues and restart a flakey daemon, and it has worked perfectly for me.


#7 2008-09-25 20:02:36

pseudonomous
Member
Registered: 2008-04-23
Posts: 349

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

carlocci wrote:

you could change the user shell to something like this

carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/usr/bin/sudo shutdown now -r

or

carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/bin/bash -c sudo shutdown now -r

I tried this, and it didn't work, I think it gave me "permission denied" errors, so I wonder if I got the syntax wrong.  What I was doing was using "usermod -s " to try and change the shell and I was confused as to how to properly put the white space in you need to run the command "sudo reboot".

Thanks, everybody for your suggestions, I will look more into an ssh key-based authentication.  I don't really want to run webmin because I don't need to do any remote administration besides rebooting, so webmin seems like overkill.   I will report back after trying to set this up.

When I say "display locks up" I mean that, for some reason, either after boot or after I end a window manager session, my screen turns black and it looks like X is trying to restart but failing (there's a change in the shading on my monitor I associate with that).  Hitting control alt backspace doesn't help and trying to switch to one of the consoles doesn't work either.  But I don't think the system is dead because I can toggle numlock and scrolllock on and off.  (Which doesn't work when X completely freezes.)  I can't replicate this behavior on demand, it seems to occur more or less randomly.


#8 2008-09-25 20:49:19

tesjo
Member
Registered: 2007-11-30
Posts: 164

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

You seem to have a display and keyboard connected. Is this box local? Why not use the power button if the goal is to reboot?
Just curious about your setup.


#9 2008-09-25 21:15:49

carlocci
Member
From: Padova - Italy
Registered: 2008-02-12
Posts: 368

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

pseudonomous wrote:
carlocci wrote:

you could change the user shell to something like this

carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/usr/bin/sudo shutdown now -r

or

carlocci:x:1000:100:sig. carlocci,,,:/home/carlocci:/bin/bash -c sudo shutdown now -r

I tried this, and it didn't work, I think it gave me "permission denied" errors, so I wonder if I got the syntax wrong.  What I was doing was using "usermod -s " to try and change the shell and I was confused as to how to properly put the white space in you need to run the command "sudo reboot".

It looks like you can't have spaces: you just need to create a script with the commands you want to issue


#10 2008-09-25 22:59:29

pyther
Member
Registered: 2008-01-21
Posts: 1,395
Website

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

or if you wanted to, though this is a security risk, you can set chmod +s /usr/bin/reboot, which I believe will allow reboot to run as a user; however, the safest would be to do what carlocci suggested

#!/bin/bash
echo "Rebooting System...."
sudo /usr/bin/reboot
#sudo /usr/bin/shutdown now -r

Either command would work, just ensure that you correctly modify /etc/sudoers


Website - Blog - arch-home
Arch User since March 2005

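A pre-flight check for the script-as-login-shell setup from posts #5, #9 and #10, as an added example that is not part of the original thread: it catches the problems raised above (script not executable, spaces in the shell field) and also a script that others could rewrite. The script path /usr/local/bin/reboot-shell and the sudoers rule in the comment are assumptions.

```shell
#!/bin/sh
# Assumed: account "rebooter", script at /usr/local/bin/reboot-shell
# (hypothetical path), and this sudoers rule installed with visudo:
#   rebooter ALL=(root) NOPASSWD: /usr/bin/reboot

# Check that $1 is usable and safe as a login shell. Prints each problem
# found; returns 0 if there were none.
check_login_shell() {
    f=$1 rc=0
    case $f in
        # The passwd shell field is executed as one path, so no arguments.
        *[[:space:]]*) echo "shell path contains whitespace"; rc=1 ;;
    esac
    case $f in
        /*) ;;
        *) echo "shell path is not absolute"; rc=1 ;;
    esac
    [ -f "$f" ] || { echo "no such file"; return 1; }
    [ -x "$f" ] || { echo "not executable (chmod +x)"; rc=1; }
    IFS= read -r first < "$f" || true
    case $first in
        '#!'*) ;;
        *) echo "missing #! line"; rc=1 ;;
    esac
    # Anyone who can edit the script controls what runs at login.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable by group or others"; rc=1
    fi
    return $rc
}

# Demo on a constructed script in a temporary directory.
d=$(mktemp -d)
printf '#!/bin/sh\nexec sudo /usr/bin/reboot\n' > "$d/reboot-shell"
chmod 755 "$d/reboot-shell"
check_login_shell "$d/reboot-shell" && echo "ok: usable as login shell"
rm -rf "$d"
```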

#11 2008-09-27 00:56:42

pseudonomous
Member
Registered: 2008-04-23
Posts: 349

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

So I wrote the script, as suggested above, and it works.  This is what I originally tried, but I must've had either a typo or permissions set wrong somewhere.

Thanks everybody for your help!

I will still look into having a key-based authentication action in ssh because I might want to use this type of thing for something in the future.


#12 2008-09-27 05:43:57

abowlt1990
Member
From: Australia
Registered: 2008-09-20
Posts: 15

Re: [SOLVED] Would like to allow a user to remotely reboot my box [SOLVED]

Hey,

I am pretty sure that you could just allow ssh from ip addresses on your local network using the '/etc/hosts.allow' file. Here is a link to the necessary documentation. If the computer you would like to use to access gypsy is not local, then I suggest using key authentication, it is very easy to get started with.

Hope this helps

Ash
