无需任何身份验证的SSH会话
我有一个特殊的用户,称为udpate,其外壳程序是一个特殊命令,用于获取系统中所有待处理的更新.
I have a special user, called udpate, whose shell is a special command that fetches any pending updates to our system.
我希望能够与该用户打开ssh会话,而无需进行任何身份验证(密码或ppk或任何其他方式),因此,如果有人想更新系统,他们可以执行"ssh update @< >",而无需知道密码或在框上预共享公用密钥.
I'd like to be able to open an ssh session with this user without any kind of authentication (password or ppk, or anything), so if anyone wants to update a system, they could do "ssh update@<>", without having to know a password, or have a pre-shared public key on the box.
我知道不安全,但这是通过VPN进行的,因此这不应该是问题,他们只会运行更新,然后将其丢弃.
Insecure, I know, but this is over a VPN, so it should not be a problem, and they will only run the update, and then be thrown out.
可以做到吗?
as this rfc points out, there is support for host based authentication https://www.ietf.org/rfc/rfc4252.txt
这可能不是最终的解决方案,但可以帮助找到一个解决方案.
That may not be a final solution, but helping finding one.
但是,实际上,您不应该针对此用例执行此操作...仅提供基本的Web终结点,该终结点仅在下一次cron运行时才启动更新过程.我知道,它不是那么简单",而是更加安全.
But really, you should not do it for this usecase... Just offer a basic web endpoint which does only start the update process on the next cron run. I know, its not so "simple" but its a lot more secure.
或者,如果他们仍然可以访问此服务器,则添加一个设置了超级用户位的脚本,以触发更新.
Or if they have access to this server anyway, add a script with super user bit set which triggers the update.
此外,如果您的公司中有一个*服务器,每个人也都可以访问,则可以在这之间作为托管密钥对的步骤,因此您不需要为每个人管理X密钥.
Also, if you have a central server in your company, where everyone has access too, you can use this as step in between to host the key pair, so you dont need to manage X keys for everyone.
或者您将更现代的设置与puppet或其他任何东西一起使用,或者只是将服务器配置为始终更新,而无需用户交互....
Or you use a more modern setup with puppet or anything, or you just configure the server to always update without user interaction needed....