moin, moin,
I think I mailed the list about this feature when I found out about it a
couple of months ago. Theo's got a good example authorized_keys entry at the
end. Good quote from Donald Knuth as well.
ciao,
der.hans
--
# https://www.LuftHans.com/ http://www.TOLISGroup.com/
# The Internet is the front line of the battle
# to protect our freedom. -- Nathaniel Borenstein
---------- Forwarded message ----------
Date: Fri, 8 Nov 2002 15:20:44 -0500
From: Theo Van Dinter <felicity@kluge.net>
To: Sage Mailing List <sage-members@usenix.org>
Subject: Re: [SAGE] Monitoring NT systems using open or free tools?
On Fri, Nov 08, 2002 at 12:08:04PM -0800, Benjamin Feen wrote:
> Ooh! Ooh! I just learned a cool thing! I wanna share it with the class!
>
> You can make it so that sshing to a particular account using a particular
> key executes a predefined command.
>
> This looks like a really, really good way to do automated remote checks
> for network monitoring. I'm preparing to implement Nagios, and I'm probably
> going to be using this for many things.
At a former employer we were doing work with Netsaint (Nagios wasn't
quite ready when we started) where we would SSH to a machine to do the
remote checks for disk, processes, etc. The problem with the command=
bit in authorized_keys is that you can only specify a single command.
But before you think you need a key per monitor, what we ended up doing
was calling a script that used the $SSH_ORIGINAL_COMMAND variable which
has the original command given to ssh. That script then verified that
the command was valid, did some other security things, and executed the
proper monitor.
Here's the authorized_keys entry I used, BTW; it just limits what can
run and from where it can run:
from="1.2.3.4",command="/path/to/mux/script",no-port-forwarding,no-X11-forwarding,no-agent-forwarding <KEY>
--
Randomly Generated Tagline:
"I decry the current tendency to seek patents on algorithms. There are
better ways to earn a living than to prevent other people from making use of
one's contributions to computer science." - Donald E. Knuth
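The mux script Theo describes (one forced command in authorized_keys, dispatching on $SSH_ORIGINAL_COMMAND) written out, as an added example that is not his script or anything from the Netsaint/Nagios projects. The check names, plugin paths and thresholds are assumptions; the point is that the client's request is an opaque token matched exactly against an allowlist and never evaluated by the shell, that refusals are logged, and that the plugin's exit status is passed back through ssh so the monitoring server can read it.

```shell
#!/bin/sh
# ssh-mux: forced command for a monitoring key in authorized_keys.
# sshd runs this instead of whatever the client asked for and passes the
# client's request in SSH_ORIGINAL_COMMAND. The request is treated as an
# opaque token and matched exactly against an allowlist; it is never
# evaluated by the shell, so "check_disk; id" or "check_disk | sh" simply
# fail to match. Plugin paths, thresholds and check names are assumptions.

mux_log() {
    # auth facility so entries sit next to sshd's own; fall back to stderr
    # (sshd forwards it to the client) if syslog is unavailable.
    if command -v logger >/dev/null 2>&1; then
        logger -t ssh-mux -p auth.notice -- "$*" 2>/dev/null || printf 'ssh-mux: %s\n' "$*" >&2
    else
        printf 'ssh-mux: %s\n' "$*" >&2
    fi
}

# Map a check name to a fixed command line. Prints the command line and
# returns 0; returns 1 for anything not listed. Exact match only: a
# request with extra characters does not match any branch.
mux_lookup() {
    case "$1" in
        check_disk)  echo "/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /" ;;
        check_load)  echo "/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6" ;;
        check_procs) echo "/usr/lib/nagios/plugins/check_procs -w 250 -c 400" ;;
        check_df)    echo "df -P /" ;;   # plain coreutils entry, runs anywhere
        *)           return 1 ;;
    esac
}

# Validate the request and run the mapped check. The plugin's own exit
# status (0-3 in Nagios convention) is returned so the monitoring server
# reads it through ssh's exit code; anything refused returns 3 (UNKNOWN).
mux_main() {
    req=$1
    peer=${SSH_CONNECTION:-unknown}; peer=${peer%% *}   # client address

    # Reject empty requests and anything outside [A-Za-z0-9_] before the
    # lookup, and sanitise what goes into the log line so a hostile client
    # cannot inject control characters into syslog.
    case "$req" in
        ""|*[!A-Za-z0-9_]*)
            mux_log "refused from $peer: $(printf '%s' "$req" | tr -c 'A-Za-z0-9_' '?')"
            return 3 ;;
    esac

    cmd=$(mux_lookup "$req") || { mux_log "unknown check '$req' from $peer"; return 3; }
    mux_log "running $req for $peer"
    # Unquoted on purpose: split the fixed command line into words. It never
    # contains client input, so no injection is possible here.
    $cmd
}

# Dispatch only when sshd handed us a request. An interactive login attempt
# against this key leaves SSH_ORIGINAL_COMMAND unset, so nothing runs and
# the session just ends; when the file is sourced for testing, only the
# functions above are defined.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    mux_main "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Install it as the command= target of the entry above (e.g. command="/usr/local/sbin/ssh-mux", an assumed path) and the monitoring server runs `ssh -i monitor_key monitor@host check_disk`; Nagios' check_by_ssh plugin issues exactly that kind of call. Two caveats a practitioner would want: add no-pty to the entry (or, on OpenSSH 7.2 and later, the single restrict option, which turns off all forwarding and pty allocation at once), and keep the forced-command user unprivileged, since the allowlisted plugins run with whatever rights that account has.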