Running a bash script as a user of the same group that connects to a server using the SSH key of another user of the same group

2

I made a script like this one:

sync.sh
#!/bin/bash
#1st backup the file
scp user-1@ip-1:/directory/file1 /backup/location/
#2nd sync/overwrite my file to that server
scp /local/file2 user-1@ip-1:/directory/file1
#3rd restart service associated with that file
ssh -t user-1@ip-1 << EOF
  sudo systemctl restart some.service
EOF

The script's permissions and ownership are as follows:

-rwxr-x--x. 1 user-1 group-1 ~/sync.sh

I have SSH keys configured from user-1@local to user-1@ip-1, I have configured sudo via visudo to allow restarting the service, and everything works great if I run the script as user-1.

I want any other_user in group-1 to be able to run this script, but the SSH key doesn't work this way; it tries to generate another key. What am I missing?

Or should I use a different approach? I've seen that I could use rsync for moving files around, but what about restarting the service?

Thank you all.

kgtr

Posted 2018-08-31T07:54:53.413

Reputation: 23

Answers

0

This is not a secure way of doing things.

A key is what authenticates users.

  1. Give each user their own key, or everyone can simply log in as anyone else by using another username.

  2. Modify your script so each username is fetched from an environment variable.

  3. Use auth-agent to manage keys. This way you won't have to put paths to the keys in your script.

  4. Lots of servers and lots of users?

    • You should probably look at Kerberos and PAM.

    • Another option is to make a script to add your list of users to the sudoers file, and pipe that script to a superuser shell on each server over ssh.

svin83

Posted 2018-08-31T07:54:53.413

Reputation: 402

Yes, I agree; that's why it's only within the users of the same group. Anyway, my only option then is to create a single user to be shared by the group (not the best solution, to be honest). If I modify the script so each username is fetched, I would also need to modify the other servers and add them to the sudoers list every time a new user is included in this group, and that seems like a lot of work for a simple small script. – kgtr – 2018-09-17T15:48:33.357

@kgtr Aahh. Okay. Updated my answer with some more info :) – svin83 – 2018-09-24T13:12:04.807
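The script below is an added example; it is not kgtr's sync.sh or code from svin83. It rewrites the three-step procedure in the question along the lines of the answer: every group member logs in to the server as themselves, with their own key taken from their ssh-agent, and the remote username is derived from the caller instead of being hard-coded. It also addresses the sudoers-maintenance concern raised in the comments: one `%group-1` sudoers entry lets the whole group run exactly the one restart command, so adding a user to group-1 needs no sudoers edit. The question's placeholders (ip-1, /directory/file1, /local/file2, /backup/location, some.service, group-1) are kept; the /usr/bin/systemctl path, the /etc/sudoers.d/sync-restart filename and the `run` argument convention are assumptions. The ssh, scp and ssh-add commands are indirected through variables so the file can be sourced and exercised without a server.

```shell
#!/bin/bash
# sync.sh rewritten so that every member of group-1 runs it as themselves:
# no shared key, no hard-coded remote username. Placeholders (ip-1, paths,
# some.service, group-1) are taken from the question; override via env.
set -eu

REMOTE_HOST="${REMOTE_HOST:-ip-1}"
REMOTE_FILE="${REMOTE_FILE:-/directory/file1}"
LOCAL_FILE="${LOCAL_FILE:-/local/file2}"
BACKUP_DIR="${BACKUP_DIR:-/backup/location}"
SERVICE="${SERVICE:-some.service}"
GROUP="${GROUP:-group-1}"

# The ssh/scp/ssh-add commands are indirected so a dry run or a test can
# substitute stubs; in normal use they resolve to the real binaries.
SSH="${SSH:-ssh}"
SCP="${SCP:-scp}"
SSH_ADD="${SSH_ADD:-ssh-add}"

# Remote login is the *calling* user (same username on the server), so the
# key presented is that user's own key, picked up from their ssh-agent.
remote_user() { id -un; }
remote_target() { printf '%s@%s\n' "$(remote_user)" "$REMOTE_HOST"; }

# Fail early if the caller's agent holds no key: with BatchMode=yes ssh will
# not prompt, so a missing key would otherwise surface as a late, cryptic
# "Permission denied" halfway through the sync.
require_agent_key() {
  if ! "$SSH_ADD" -l >/dev/null 2>&1; then
    echo "no key loaded in ssh-agent for $(remote_user); run ssh-add first" >&2
    return 1
  fi
}

# Timestamped backup path, so repeated runs do not overwrite the last backup.
backup_name() { printf '%s/%s.%s.bak\n' "$BACKUP_DIR" "${REMOTE_FILE##*/}" "$1"; }

# 1st: back up the current remote file.
backup_remote() {
  "$SCP" -o BatchMode=yes "$(remote_target):$REMOTE_FILE" \
    "$(backup_name "$(date +%Y%m%dT%H%M%S)")"
}

# 2nd: push the local file over it.
push_local() {
  "$SCP" -o BatchMode=yes "$LOCAL_FILE" "$(remote_target):$REMOTE_FILE"
}

# 3rd: restart the unit. The command goes as an ssh argument rather than a
# heredoc on stdin, so no pseudo-tty is needed and the exact argv that sudo
# sees is fixed by this script.
restart_service() {
  "$SSH" -o BatchMode=yes "$(remote_target)" sudo systemctl restart "$SERVICE"
}

# The one sudoers line the server needs: the whole group may run exactly this
# restart, so adding a user to group-1 needs no sudoers edit.
# Install with:  printf '%s\n' "$(sudoers_line)" > /etc/sudoers.d/sync-restart
# and validate:  visudo -cf /etc/sudoers.d/sync-restart
# (the systemctl path is an assumption; check it with "command -v systemctl")
sudoers_line() {
  printf '%%%s ALL=(root) NOPASSWD: /usr/bin/systemctl restart %s\n' "$GROUP" "$SERVICE"
}

main() {
  require_agent_key
  backup_remote
  push_local
  restart_service
}

# Only run the sync when invoked as "sync.sh run", so sourcing the file for
# testing defines the functions without touching any server.
if [ "${1:-}" = run ]; then
  main
fi
```

Each group member needs an account of the same name on ip-1 with their own public key in that account's authorized_keys, and runs `ssh-add` (or has an agent with the key loaded) before `./sync.sh run`. The sudoers line is generated once per server and installed under /etc/sudoers.d after checking it with `visudo -cf`; group membership is then the only thing to manage when people join or leave.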