OpenSSH: How do I set up to allow one user to access another user account w/o password prompting


Brock Lynn

Jun 25, 2002, 11:29:34 PM
Hi,

Here's what I am doing:
I have a script that runs after pppd/modem dials the ISP.
(I have pppd instruct the modem to report the connect bps rate
in a file.) The 'ip-up' script then runs:

export DISPLAY=:0
/usr/X11R6/bin/xmessage $(tail -1 /var/log/modemspeed) &

This used to work, and display the connect rate to me, each time I dialed
up the internet. (After I had my user account give <root> permission to access
the $DISPLAY, with the "xhost +localhost") However, now my X Window System,
after upgrading, uses xauth authentication...

So now, I have to use this:

xauth extract - $DISPLAY | ssh root@localhost xauth merge -

in order for root to be able to connect to the $DISPLAY

But each time I run it I have to type in the root password. Which is
kind of inconvenient... and cumbersome. I would like this to be automatic,
automated.

How can I set up OpenSSH so that my particular user account, (and of course ONLY
my particular user account) can run ssh to connect to the root account on the
same machine, without being prompted for a password?

Of course I run Debian/GNU Linux also. Woody.

PLEASE NOTE:
Please reply by email, as well as by usenet post, if you don't mind.
plato2...@yahoo.com

Thank you.

Brock Lynn
Bogalusa, LA

Kevin Buhr

Jun 26, 2002, 1:04:33 PM
Brock Lynn <plato2...@yahoo.com> writes:
>
> So now, I have to use this:
>
> xauth extract - $DISPLAY | ssh root@localhost xauth merge -
>
> in order for root to be able to connect to the $DISPLAY

Instead of doing that, you should consider running "xmessage" as
yourself, like so:

DISPLAY=:0 /bin/su yourusername -c "/usr/X11R6/bin/xmessage $(...)" &

then, it'll pick up your X authorization automatically.

Alternatively, X applications will look at the XAUTHORITY environment
variable to find the name of the authorization file they should use
(and otherwise default to "$HOME/.Xauthority"). Since "root" can
obviously read any file, you can run:

DISPLAY=:0 XAUTHORITY=/home/yourusername/.Xauthority \
/usr/X11R6/bin/xmessage $(...) &

as "root", too. I favour the previous solution since it runs one less
program with privileges it doesn't need.

> How can I set up OpenSSH so that my particular user account, (and of course ONLY
> my particular user account) can run ssh to connect to the root account on the
> same machine, without being prompted for a password?

In my opinion, this isn't a good idea. It makes your system just that
much less secure.

As a rule of thumb, if there are little repetitive tasks that need to
be done by normal users but require root (or other) privileges, it's
better to use programs like "sudo" or "super". These programs are
designed to run commands on the same system with elevated privileges,
so they avoid all the overhead of network connection setup and
encryption associated with SSH. They also allow you to simply
restrict *who* can do *what* as *whom* in one convenient configuration
file. They're just better all around.

However, if you really want to set up SSH so user "alf" can log in
without a password as user "betty", you do it this way. First, as
user "alf", you create a new SSH key without a passphrase (i.e., with
a blank passphrase) using "ssh-keygen". Be careful not to write over
your normal, default key; put the new key in a different file, say
"/home/alf/.ssh/id_for_betty". Then, you add that key (the public
version written to "id_for_betty.pub") to the end of "betty"'s
"authorized_keys" file. Now, as user "alf", you can connect as user
"betty" without a passphrase provided you tell "ssh" to use the key
with the blank passphrase:

alf% ssh -i /home/alf/.ssh/id_for_betty \
-l betty localhost do_this_command

You can also share the "id_for_betty" keyfile with other users, and
they'll all be able to use this keyfile to log in, as "betty", without
a password.

--
Kevin Buhr <bu...@telus.net>
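
Added example, not part of either post: if the passphrase-less key from the walkthrough above is used, the standard authorized_keys options from=, command= and the no-* flags can confine it to loopback connections and a single command, and the second function flags entries that have no forced command. The function names and the key material are assumptions made up for this example; alf, betty, id_for_betty and do_this_command are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Key material below is constructed.

# restrict_key PUBKEY_LINE FORCED_COMMAND
# Print an authorized_keys entry that only accepts loopback connections
# and always runs FORCED_COMMAND, whatever the client asks for.
restrict_key() {
    pubkey=$1
    forced=$2
    case $forced in
        ''|*\"*)
            echo "forced command must be non-empty and free of double quotes" >&2
            return 1 ;;
    esac
    printf 'from="127.0.0.1,::1",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$forced" "$pubkey"
}

# unrestricted_keys FILE
# Print the line number of every key entry with no command= option, i.e.
# every key that grants a full shell. The regex only looks at the options
# field (text before the first unquoted space), so a key comment that
# happens to contain command=" does not hide an unrestricted key.
unrestricted_keys() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         !/^([^" ]|"[^"]*")*command="/ { print NR }' "$1"
}

# Typical use on the real files (shown as comments, not executed here):
#   ssh-keygen -t ed25519 -N '' -f /home/alf/.ssh/id_for_betty
#   restrict_key "$(cat /home/alf/.ssh/id_for_betty.pub)" do_this_command \
#       >> /home/betty/.ssh/authorized_keys
#   unrestricted_keys /home/betty/.ssh/authorized_keys

# Demo on a constructed public key line.
restrict_key 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY alf@localhost' 'do_this_command'
```

With the forced command in place, sshd ignores whatever command the client passes and exposes the client's request to the forced command in SSH_ORIGINAL_COMMAND.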
