SSH Help please!

B

Bernie

Expert Member
Joined
May 2, 2006
Messages
2,134
Reaction score
98
OK, here is the senario (I am new to this so if the answer is obvious please be gentle :p )

Server A - HP-UX 11.00 - 400 user accounts
Server B - Ununtu - Server 9.10

Problem - I need to remotely execute a command on the ubuntu server from the HP-UX server.

I have managed to do this for a single user as a proof of concept by using public/private rsa keys so no login/passwords required.

How can I achieve the above with 400+ users without having to setup and maintain the same 400 accounts on the ubuntu server and their relevant certificates - this is just not maintainable.

What I want is for ANY user on the HP-UX server to be able to ssh to the ubuntu server without any login or password.

All users on the HP-UX server share the same home directory so I am hoping this will make it easier.

Both servers are in the same room, same subnet behind same firewall, so if need be, I have no problem implemeting an "insecure" solution.

Hope this makes sense

Thanks

B.
 
Take the private key that you've generated (id_rsa or id_dsa)
Give all 400 users a copy of it, or access to it.

ssh -i <path to private key> <username on ubunu server>@<ip of ubuntu server>
 
Daffy beat me too it, but you should set the Ubuntu SSH server to deny from all IPs except the HP.

(Edit: You can also set all 400 users to use the same home dir in Ubuntu too)
 
You could try to use the same home directory mount for the Ubuntu server as well, or
you could play around with LDAP authentication. A combination of both would probably work best, i.e. authenticate, and get info for home directory from ldap.
I've started looking at http://directory.fedoraproject.org/ for single sign-on solution between Linux (RHES) and Solaris hosts with password sync to AD.
 
cbrunsdonza asked a relevant question as well. If users are signing on manually to do work, getting them to sign in using daffy's method could be a bit problematic. A simple bash script to run that line, and called something simple like sshLogin would be useful.

i.e sshLogin serverName

could handle the issue nicely. But again this is only needed if the users are manually using the ssh session.
 
I'm trying to wrap my head around this, why would you not want them to enter a username and password?

The easiest and safest way is surely to create a restricted user account on the ubuntu server and share these details with the other 400, they only need to remember a username and a simple password?

Why not just create a user on the server B (ubuntu) with an easy as pie password, since security does not seem to be high on the priority list?

Example: user - work
pass - work

This way you have way more control since you only need to maintain one account on the Ubuntu server and you can restrict or modify it as you see fit making it much more secure. For example you can allow only certain commands to be executed by user <work> and, for example, disable system critical commands.
 
cbrunsdonza said:
What do they need to do on the Ubuntu server? Run scripts; Access files?
Click to expand...

Hi

The HP-UX server is used run a cobol application. The cobol application needs to run a script on the ubuntu server, that script will actually run some java stuff. The call to the ubuntu server will be done as the user. I would like that call to be as transparent as possible to the users. As mentioned, I got it to work with 1 user.

Thanks for all the replies so far, I will try out some of what was suggested, except re-creating the 400+ users on the ubuntu box :-)
 
Bernie said:
I have managed to do this for a single user as a proof of concept by using public/private rsa keys so no login/passwords required.
Click to expand...

I'm not sure if this will work, but this is what I did (on a *much* smaller scale):

1. I copied my public key (id_rsa) to each user's .ssh directory. (Make certain that you do a "chmod 600 id_rsa".)

[-]2. On my server (Ununtu - Server 9.10 in your case), there was only one (proof of concept) user in "authorized_keys" so it was easy for me to copy and paste, only changing the user name (append):
E.g.:
ssh-rsa AAAABN3Nza..........................+DkAzqn9v mike@mydomain
ssh-rsa AAAABN3Nza..........................+DkAzqn9v pete@mydomain
ssh-rsa AAAABN3Nza..........................+DkAzqn9v mary@mydomain
...
You will probably need a script to do this for 400 users.[/-]
 
Last edited:
Thanks for all the replies so far, I will try out some of what was suggested, except re-creating the 400+ users on the ubuntu box :-)
Click to expand...
Why do you need to create 400+ users on Ubuntu, you only need to create ONE user and share this details with the others, then everyone can log in as:
ssh work@<server address>
Password:xxxxxxxxxxx

That is that.
 
Simple solutions are often the best to implement. I'd also go with the single user account.. If they all get the same privileges and have the same needs, you only need one account. Why have 400 copies of the same thing. That is just 400 times the work imo..
 
adrianx said:
I'm not sure if this will work, but this is what I did (on a *much* smaller scale):

1. I copied my public key (id_rsa) to each user's .ssh directory. (Make certain that you do a "chmod 600 id_rsa".)

2. On my server (Ununtu - Server 9.10 in your case), there was only one (proof of concept) user in "authorized_keys" so it was easy for me to copy and paste, only changing the user name (append):
E.g.:
ssh-rsa AAAABN3Nza..........................+DkAzqn9v mike@mydomain
ssh-rsa AAAABN3Nza..........................+DkAzqn9v pete@mydomain
ssh-rsa AAAABN3Nza..........................+DkAzqn9v mary@mydomain
...
You will probably need a script to do this for 400 users.
Click to expand...

What you're calling the "username" is just an identifier for the key.
A single entry will do, since the key is the same.
 
If you don't need to know who did what, the single user route will work. Personally, I want to who sudo'ed to what user, or logged in on what system.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X