Red Hat/Fedora - rights assignment 1

[gmail2]

Hi all

we have several Linux based web servers at our sure. The servers are generally maintained by a 3rd party company so I dint deal with them that much or know much about Linux other than basic commands ls, shutdown etc etc).

We have some scheduled power outages coming up soon at our site. In trying to script all the server shutdowns rather than logging onto each server just to shut it down. I can do this with out Linux servers by passing command line options to PuTTY

so far, all is well. However, the only accounts that get used on these servers are the root accounts. I'd like to do create a new account fir this purpose and do the following:
- Give the account enough right to SSH to the server & shut it down. I dint want to give it root access
- make the account expire the day after the shutdown so that it can't be used as a potential DoS attack later

this would enable me to put the password in the script and not worry about it getting exposed

if this isn't possible, does anybody know if it's possible to encrypt the password when being passed to PuTTY ? Or an alternative SSH client that will run on Windows & allow me to do this ?

I know that Randy Franklin Smith had a webcast a few months ago about delegating rights on Linux boxes, but unfortunately I can't find this now

thanks in advance for any help

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau

 

[RhythmAce]

You can schedule a cron job on each server to shutdown at a date and time specified.

 

[gmail2]

Nice suggestion RhythmAce but unfortunately we can't schedule this. We need to start the shutdown when given the "go ahead" and schedule tasks wouldn't give us enough control ... too early and we risk kicking out users ... too late and we're sitting around waiting fit the script to run. I wish it were this simple ... I could do the same with my windows servers then & finish work @5.00 on Friday !!

Any other suggestions ?

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau

 

[TrojanWarBlade]

I'm not sure I agree with your thinking here but to answer your question you could setup a dumb user account and give it access to a shutdown using sudo.
I would recommend you test your settings on a non-live machine first if at all possible.

HTH.


Trojan.

 

[gmail2]

Thanks for the reply Trojan. I'm not very familiar with sudo - but what is your suggestion exactly ? Is it something like:

login: a_user
password: ******
> sudo root
> password: ***********
> shutdown -h -t 0

Would this work with a script ? How would I handle the password prompt at the sudo command ? In essence, what I'm looking for is the Linux equivalent of user rights assignments in Windows. Does such a thing exist ?

I'm not sure I agree with your thinking here

Just to humour me ... which part do you not agree with ?

Thanks again

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau

 

[TrojanWarBlade]

sudo is a tool that allows you to configure extra permissions to a normal user account.
So, in this case, we would take a user account like "newuser" and add the ability to run /sbin/shutdown.
To do this, as root, you type "visudo" (I'm assuming you're ok with "vi" here) and add an entry to the bottom something like this:

newuser    ALL = NOPASSWD: /sbin/shutdown

Then, whenever you log into that machine again as "newuser" you can run the shutdown command like this:

sudo /sbin/shutdown -h -t 0

Ok, why do I not agree with this?
If you were creating an account that would have a long term use then ok. I might even suggest creating a shutdown account that automatically shuts down the machine (after the obvious user password and maybe a subsequent double check ala windoze) but to go to this trouble for a one-off seems overkill.
How difficult is it to simply su to root and then issue the shutdown?
I must say that all my machines have sudo configured quite heavily and I vary rarely use root at all.

Anyway, regardless, hopefully this helps.



Trojan.

 

[gmail2]

Thanks for the reply Trojan. I'm not very familiar with configuring sudo so I think I'll have to have a play around on a test box like you suggested before I implement it

As for the fact that this is alot of trouble ... we actually have scheduled power outages quiet frequently (2 in the next 6 weeks) so it will be worth our while long term if I can get it to work via script. The reason for wanting to delegate the rights is because I don't want to embed the root password in my script, for obvious reasons.

And using su would mean (as far as I know) that we couldn't script it ... or at best, embed the root password in the script.

I did find the following actually which seems to suggest that Red Hat has a "shutdown" account built in. Do you know anything about this ?

http://www.cyberciti.biz/tips/shutdown-account-to-shutdown-linux-server.html

Thanks again

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau

 

[TrojanWarBlade]

I've never noticed that before but checking my RedHat system now I can see a shutdown account as described.

I've never used it before so cannot comment on it but it looks and sounds ideal for your purpose.

It was actually what I was eluding to when I suggested a dedicated account that has shutdown as it's "shell" although I didn't realise one already existed when I suggested that.

If it's an account you'll use again and again then it makes sense to have it available.

Also I would suggest you setup public key encryption (if you have not already) for your putty connections if you can to enhance your security and to always have a passphrase on all keys.

In terms of having this account available, if you have a general schedule for these shutdowns, you could have a process that makes the account available for those days only and disables it at the end of each of those days.

Anyway, hope that helps a little.

Best of luck with it and let us know how you get on.







Trojan.

 

[gmail2]

Yea, I think I'll have a look at that shutdown account ... sounds like it's what I'm after alright, and my idea is like you suggested to just have it enabled when necessary.

As for the PKI ... ssh is enabled on the box, but as I understand it this doesn't necessarially mean that it's using public keys, is that right ? In an "out of the box" setup with ssh enabled, is the ssh key just based on the hostname ? Also, what did you mean by "always have a passphrase on all keys"

Sorry ... I know it's nothing to do with the original post.

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau

 

[TrojanWarBlade]

Oh dear!
Here we go again! ;-)
Ok, with ssh there are a number of ways that the server can authenticate the user. The obvious is with a normal password.
Although this works the security is quite poor especially if the passwords are not chosen wisely.
A far more secure way is to use public key encryption and that is *not* usually the default setup.
This requires that the server *and* the client machines are configured with machine generated keys. This is much more secure but you can configure the keys to require passphrases for use or to be passphraseless.
My machines are all configured to *only* accept public key authentication, and *only* version 2 (which is much more secure than version 1) and the only keys I allow have passphrases.
It's not an absolute guarantee but it's probably about as safe as you can sensibly get without an investment in extra security hardware.



Trojan.

 

[gmail2]

Ha Ha

thanks for the info. I'll let you know how it goes with using the shutdown account

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau