01-27-2004
Jeremy S Lowery

Re: Help Needed on a server configuration script

G. Wolfe Woodbury wrote:
>
> Sounds like a combination job for ssh using the authorized_keys for
> login services, and sudo with command grouping for the "configuration
> utilities" that you want to use.
>


I'm about to do something very similar and I've got a few questions about
this.
We use authorized_keys2 for our standard ssh login but we require a pass
phrase and root is not allowed to ssh in.

The files I need to distribute across the machines are owned by root.

What is the best solution to this?
Create a dedicated user that has write permissions on the specific files
that need to be synced, add the user, generate a key and distribute across
the synced machines?

Is using ssh-agent an option for this? (if the dedicated user requires a
pass phrase) Wouldn't the pass phrase have to be stored in plain text
somewhere? (totally negating the use of a pass phrase). I'm thinking that
this command "may" be run interactively, so in that case the pass phrase
could be stuffed in then. However, if it gets cron'd I dunno if this would
be best.

Or should I not use a pass phrase and try to harden the dedicated user?
What measures need to be taken?

One thing I'm thinking is to somehow set up a chroot jail for the dedicated
user so that it only has access to the directory with the config files that
need updating. However, I've never done this before and have no idea how to
do it (with an ssh session and all, or sftp? I don't think setting the HOME
for the user to the config file directory would be good enough). Is this a
good idea?

As if you couldn't tell, security is my main issue here ;)

Jeremy
