[TriLUG] Remote Execution using remctl

Ron Kelley via TriLUG trilug at trilug.org
Wed Sep 2 10:09:36 EDT 2015


Thanks John.

Maybe that is the gap I have.  Traditionally, I create the authorized_keys file with the remote users.  However, this means the user can run any allowed (i.e.: root on remote server can run *any* command).  I need the ability to limit what the remote user can run.  In my case, I need the ability to run OpenVZ commands (vzctl, etc) via root on a remote system.  But, I want to make sure root can’t run all commands in case my admin server gets compromised.

Guess I need to do some more research on ssh.

Thanks for the tip!

-Ron



On Sep 2, 2015, at 9:10 AM, John Vaughters <jvaughters04 at yahoo.com> wrote:

> Ron,
> 
> I am trying to figure out why you would pass on ssh. It allows for a subsystem of commands, users and hosts. I am not sure how you could get more granular than ssh features, they are pretty rich. You can configure ssh to allow a user from a host and only allow a limited number of commands that you choose. The commands can be custom commands that do not even relate to Linux. Meaning you create your own scripts and make them available. There really are a ton of options with ssh if you look into the options, it is quite an amazing tool that is highly customizable and secure.
> 
> John Vaughters
> 
> 
> 
> On Wednesday, September 2, 2015 8:52 AM, Ron Kelley via TriLUG <trilug at trilug.org> wrote:
> 
> 
> Greetings all,
> 
> I am trying to set up an environment whereby an admin server can run commands remotely on another server w/out using SSH (think automation with no interaction).  I know I can set up password-less SSH via the “authorized_keys” file, but I prefer a more granular approach to specify which users/commands can be run.
> 
> In my searching, I ran into a tool called “remctl” which seems to do what I want.  Essentially, you create a config file on the client server specifying the remote server, remote username, and command(s) to allow.  However, remctl requires some sort of Kerberos configuration - something I know nothing about.
> 
> I was wondering if anyone had experience getting remctl running on CentOS and could share some advice.  Or, perhaps, suggest an alternative to remctl.
> 
> Thanks.
> 
> -Ron
> 
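
The per-key command restriction John describes, applied to the vzctl case from Ron's reply, as an added example that is not part of the original thread: an OpenSSH forced-command wrapper that checks `SSH_ORIGINAL_COMMAND` against an allowlist before running anything as root. The script path, the vzctl path, the list of allowed actions, the source address and the key in the comment are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper bound to one SSH key (hypothetical
# path /usr/local/sbin/vzctl-gate). Entry in root's authorized_keys on the
# OpenVZ host, with a constructed source address and a placeholder key:
#   from="192.0.2.10",command="/usr/local/sbin/vzctl-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...placeholder admin@adminhost

LC_ALL=C; export LC_ALL                      # make [A-Z] ranges ASCII-only
VZCTL=/usr/sbin/vzctl                        # assumed install path
ALLOWED_ACTIONS="status start stop restart"  # assumed allowlist, adjust per site

# vz_validate REQUEST
# Prints "ACTION CTID" and returns 0 only when REQUEST is exactly
# "vzctl <allowed action> <numeric container id>"; returns 1 otherwise.
vz_validate() {
    req=$1
    # Anything outside letters, digits and spaces is rejected up front:
    # no shell metacharacters, option flags, paths or newlines get through.
    case $req in
        ''|*[!A-Za-z0-9\ ]*) return 1 ;;
    esac
    set -f; set -- $req; set +f              # split on spaces, no globbing
    [ "$#" -eq 3 ] || return 1
    [ "$1" = vzctl ] || return 1
    case " $ALLOWED_ACTIONS " in
        *" $2 "*) ;;
        *) return 1 ;;
    esac
    case $3 in *[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$2" "$3"
}

# Forced-command entry point. sshd places the command the client asked for
# in SSH_ORIGINAL_COMMAND. When it is empty (a login with no command) the
# script just ends, so this key never yields an interactive shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if checked=$(vz_validate "$SSH_ORIGINAL_COMMAND"); then
        set -f; set -- $checked; set +f
        exec "$VZCTL" "$1" "$2"              # argv built here, never eval'd
    fi
    logger -t vzctl-gate -p auth.warning "denied request from ${SSH_CONNECTION%% *}"
    echo "command not permitted" >&2
    exit 1
fi
```

With this in place, a compromised admin server holding the key can only start, stop, restart or query containers; it cannot reach `vzctl exec`, `vzctl enter` or a root shell on the host.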


