i am using the sshd_config variable PermitUserEnvironment
#/etc/ssh/sshd_config
PermitUserEnvironment yes
to set something like "REALUSERNAME" on every key in the /root/.ssh/authorized_keys file.
#/root/.ssh/authorized_keys
environment="REALUSER=custom_value" ssh-rsa AAAAB3....
But i have trouble accessing the value in the script triggered by pam_exec in /etc/pam.d/sshd
my best guess is that the pam script is executed before the environment variables are set? So what are my options?
i tried pam_env
#/etc/security/pam_env.conf
PAM_REALUSER DEFAULT="unkonwn" OVERRIDE=${REALUSER}
this is the custom part of my pam.d/ssh file
#/etc/pam.d/sshd
session required pam_env.so readenv=1
session optional pam_exec.so seteuid /usr/local/bin/scripts/my_script
even vars like SSH_CONNECTION seem not to be available which feels odd to me. The information must surely be avaible at the time of script executing but the variable is not set or i am doing it wrong.
i used to (successfully) trigger the script within /etc/profile so i am very confident that the issue is not within my custom script
But I have trouble accessing the value in the script triggered by pam_exec in /etc/pam.d/sshd
my best guess is that the pam script is executed before the environment variables are set? So what are my options?
Yes, you are right. The environment variables from authorized keys are set up in do_setup_env() function, which is called after pam_session.
If you want to access these variables, I recommend you to set up ForceCommand or special shell for the user, which will be wrapper around normal shell, after you evaluate your variables.
But note that setting this for root, which is unlimited will allow your users to do whatever they want (even changing the keys, your environment variables), regardless your setup.
Related
I have a state which creates a user on a minion.
This works fine.
The user gets created on the first run, the next N days (or years) it won't be created again.
I want to do some action on a different host after the user was created. For performance reasons I only want to execute this action once, on the first run when the user gets created.
Up to now I search some sort of trigger which gets fired if a state changes. Other solutions are welcome.
Use case
After creating the user on the minion I need to insert the minions ssh host-key to a .ssh/known_hosts file to make password less logins work.
To tackle the use case and not the question I suggest the following:
use Salt Mine to collect the public keys of your minions
put the ssh host-keys of the minions into /etc/ssh/ssh_known_hosts
You can use the openssh formula as a starting point. It contains the scripts for Salt Mine and also how to create a ssh_known_hosts file. It adds a lot of magic with dig to discover host names and IP adresses that might be oversized for your environment.
Once it is all set up it should work as follows:
add a user: host's ssh_known_hosts file will used, nothing else needs to be done
add a minion: update the mine, run the provisioning to on all minions to update the host's ssh_known_hosts file.
When using the Shipit automation engine I found that trying to execute commands with "sudo" from an user other than root (let's call it "devuser") results in the connection closing without the command being executed.
This is a command that I'm trying to execute:
shipit.remote('sudo pwd');
Note that, on the target machine, "devuser" can execute everything with "sudo", without being asked his/her password (it's a choice of the target system).
Also note that everything invoked without "sudo" (and that obviously doesn't need elevated permission) gets executed prefectly fine by Shipit.
E.g.this one works just fine:
shipit.remote('pwd');
The question at this point is: am I doing something wrong or is it this way by design (e.g. to avoid privileges escalation)?
If it's the latter: is there a way to work this limitation around?
simple hack for that is to set user inside each command that you are running with shipit. This is little overhead especially if there are a lot of commands but it will do the trick. Command for that is :
su - <user> -c "<command>"
In your case :
shipit.remote('su - devuser -c "pwd"');
You were on right track with your example.
Best regards,
Nikola
I want a script to get a variable from a different script which are both running on the system. Is that possible?
I have two scripts running on the system, and I want one script to pull a user-defined variable instead of asking the user to input the data twice
Assuming both scripts are running concurrently, MSMQ would be one option:
What's the best way to pass values to a running/background script block?
Global Variables are only "Global" in the context of scopes in the current session. They aren't visible to a script running is a different session.
Write it to a text file and have the other script read it. You can load up the text into a variable, then execute it as code using iex (Invoke-Expression).
I need the heap to be verified each time the garbage collector (GC) finishes its work. I read this can be done by setting the environment variable COMPLUS_HeapVerify to 1. But how exactly do I set this variable?
I read this can be done via Computer/Advanced System Settings/Advanced/Environment Variables (Windows 7), somebody tells I should set up a new system variable (here), others tell this should be a user variable (here).
Is this approach correct and which (system or user) variable should be set?
The approach you mentioned is absolutely correct.
Go to Control Panel->System Properties->Advanced System Settings->Environment Variables.
If you have administrator privileges, add a system variable called “COMPLUS_HeapVerify” with a value of “1”; otherwise — add the user one. Note, in the second case you might need to log out and log on.
Hope that helps.
I already have a jmeter configuration in my project. I can see a few variables already defined like "${__P(threads)}" for the number of users in ThreadGroup. There are many other variables like these. I am checking where these are defined? I checked in jmeter.properties, user.properties and system.properties.
I tried checking http://jmeter.apache.org/usermanual/functions.html for the location of definition. But, I couldn't find any help.
Is there any pre-defined file to define the variables for jmeter?
Thanks in advance.
People frequently use ${__P(threads)} for passing command-line parameters to test plan. You may start jmeter with command line like
bin/jmeter -n -t testplan.jmx -l results.jtl -Jthreads=100
This allows you running jmeter with different number of threads without modifying test plan in GUI.