[sudo-users] Sudo Remote Hosts

Piete Brooks Piete.Brooks at cl.cam.ac.uk
Thu Oct 4 22:39:58 MDT 2018


>> If there are no upcoming plans to implement this option,
>> alternative suggestions would be greatly appreciated.
> Supporting that requires that either the remote host trust the
> source host (allowing arbitrary commands via a root equivalent
> account or via an agent running on the remote host)

You can use sshd's "command=" to set the command which is run
when a particular user ssh key is used to access the remote host.

That script can look at the supplied arguments, the calling
host, and the calling user (run identd on the calling host)
and restrict the commands which can be run to those which
it thinks root on the calling machine should be able to run.
(or you can do all the smarts in the remote host and not use sudo)

Needs a root-only-readable user ssh key on each calling host
so that sudo on the calling host can restrict who can do what
(if you want to use sudo on the calling host - otherwise,
readable by whoever you want to be able to run the commands),
an entry in ~root/.ssh/authorized_keys on the called host
(or ~otheruser/ if the job needs to run as some other user),
and a wrapper script to filter the allowed commands; but for
a handful of tasks, it should be doable.
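
A wrapper of the kind described in the message above, as an added example that is not part of the original post. The wrapper path, the "--serve" flag, the calling address, the task names and the binary paths are assumptions; the identd lookup of the calling user is not shown.

```shell
#!/bin/sh
# Constructed authorized_keys entry on the called host (key elided):
#   restrict,from="192.0.2.10",command="/usr/local/sbin/remote-task --serve" ssh-ed25519 <public-key> root@caller
# Constructed call from the calling host, run via sudo there:
#   ssh -i /root/.ssh/remote-task_key root@called-host restart-service nginx
# Wrapper path, address, task names and binary paths are assumptions.

# Map the requested line to a fixed command we are willing to run.
# Prints the approved command and returns 0, or prints nothing and returns 1.
approve_command() {
    req=$1
    set -f          # no globbing while the request is split
    set -- $req     # split on whitespace into $1, $2, ...
    set +f
    # Match on task name AND argument count, so extra words never slip by.
    case "$1 $#" in
        "restart-service 2")
            # Only named services; "nginx;id" or "sshd" match nothing here.
            case $2 in
                nginx|postfix) echo "/usr/bin/systemctl restart $2" ;;
                *) return 1 ;;
            esac ;;
        "disk-usage 1")
            echo "/bin/df -h" ;;
        *)
            return 1 ;;
    esac
}

# sshd runs the forced command and puts what the client asked for in
# SSH_ORIGINAL_COMMAND; the client's text itself is never executed.
if [ "${1:-}" = "--serve" ]; then
    caller=${SSH_CONNECTION%% *}    # client address as seen by sshd
    if cmd=$(approve_command "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t remote-task "allow from=$caller cmd=$cmd"
        exec $cmd                   # built only from the fixed strings above
    else
        logger -t remote-task "deny from=$caller req=${SSH_ORIGINAL_COMMAND:-}"
        echo "remote-task: command not permitted" >&2
        exit 1
    fi
fi
```

An interactive login with this key has no SSH_ORIGINAL_COMMAND, so it takes the deny branch and gets no shell.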

