#1
Hi All,

I am usually a read-only browser of news groups, but I cannot figure this problem out. I have a fully patched Fedora Core 4 installation on one machine, and I am accessing it through an SSH connection on the same 192.168.3.0 subnet from a Windows XP box.

I set up SSH so that the root user cannot log in, so I am using sudo to run certain commands. Sudo is working perfectly in the following sudoers configuration:

------------------------------------------
Host_Alias SUBNET = 192.168.3.0/24

root ALL=(ALL) ALL

%wheel ALL= /sbin/shutdown -r now
%wheel ALL= NOPASSWD: /bin/mount /mnt/xp-store, /bin/umount /mnt/xp-store
%wheel ALL= NOPASSWD: /usr/local/bin/backup-xp-data.sh
%wheel ALL= NOPASSWD: /usr/bin/less /var/log/messages
%wheel ALL= NOPASSWD: /bin/mail -u root
%wheel ALL= NOPASSWD: /sbin/mdadm -D /dev/md0
------------------------------------------

However, when I try to restrict sudo to the current subnet and replace the 'ALL' with the 'SUBNET' host alias, sudo thinks I don't have access to the command. This is confirmed by calling the sudo -l command, which no longer lists the restricted commands.

-------------------------------------------
%wheel SUBNET= NOPASSWD: /bin/mail -u root
-------------------------------------------

I have tried using the actual IP address, 192.168.3.101, using the hostname, and using the 255.255.255.0 notation for the subnet. To confirm that I am in fact on the subnet, I checked the SSH environment variables and get:

SSH_CLIENT=192.168.3.101 1089 22
SSH_CONNECTION=192.168.3.101 1089 192.168.3.3 22

So basically I cannot restrict the host in the sudoers file. What am I doing wrong here?

thanks,
Cooper

Cooper Blake
#2
Is there another news group that would be more appropriate for this question? I've also tried alt.linux.redhat.

thanks,
Cooper

On Sun, 04 Dec 2005 15:20:37 -0500, Cooper Blake <(E-Mail Removed)> wrote:

> Hi All,
>
> I am usually a read-only browser of news groups, but I cannot figure
> this problem out. I have a fully patched Fedora Core 4 installation on
> one machine, and I am accessing it through an SSH connection on the same
> 192.168.3.0 subnet from a Windows XP box.
>
> I set up SSH so that the root user cannot log in, so I am using sudo to
> run certain commands. Sudo is working perfectly in the following
> sudoers configuration:
>
> ------------------------------------------
> Host_Alias SUBNET = 192.168.3.0/24
>
> root ALL=(ALL) ALL
>
> %wheel ALL= /sbin/shutdown -r now
> %wheel ALL= NOPASSWD: /bin/mount /mnt/xp-store, /bin/umount /mnt/xp-store
> %wheel ALL= NOPASSWD: /usr/local/bin/backup-xp-data.sh
> %wheel ALL= NOPASSWD: /usr/bin/less /var/log/messages
> %wheel ALL= NOPASSWD: /bin/mail -u root
> %wheel ALL= NOPASSWD: /sbin/mdadm -D /dev/md0
> ------------------------------------------
>
> However, when I try to restrict sudo to the current subnet and replace
> the 'ALL' with the 'SUBNET' host alias, sudo thinks I don't have access
> to the command. This is confirmed by calling the sudo -l command, which
> no longer lists the restricted commands.
>
> -------------------------------------------
> %wheel SUBNET= NOPASSWD: /bin/mail -u root
> -------------------------------------------
>
> I have tried using the actual IP address, 192.168.3.101, using the
> hostname, and using the 255.255.255.0 notation for the subnet. To
> confirm that I am in fact on the subnet, I checked the SSH environment
> variables and get:
>
> SSH_CLIENT=192.168.3.101 1089 22
> SSH_CONNECTION=192.168.3.101 1089 192.168.3.3 22
>
> So basically I cannot restrict the host in the sudoers file. What am I
> doing wrong here?
>
> thanks,
> Cooper
Tags: aliases, host, ssh, sudo