Control Remote Exec Privileges With RunAs Command In The VShell® Server

The RunAs Commands feature in VShell 3.5 and later allows users to remotely execute commands as a different user. This is useful for letting less privileged users run certain commands or scripts that require administrative privileges. The VShell administrator controls who can remotely execute a command, which commands they can execute, and which Windows user account context is used to execute the command locally on the VShell machine. Users connecting to the server can use an SSH2 client, such as SecureCRT® or VSH, to issue the remote command.

Configuring The RunAs Commands

The following shows an example of the kind of remotely executed command that the RunAs capability allows you to configure for your users.

Example of remote execution command defined using VShell RunAs Command

Configuration is done from the RunAs Commands page in the SSH2 section of the VShell Control Panel. This page lists all configured commands — the alias of the command, the actual path to the command, and the username under which the command will be run.

The RunAs Commands page of the VShell Control Panel

To add a new command, click on the Add button on the RunAs Commands page. This brings up the RunAs Command dialog. You then define the alias, path, arguments, and username/password for your command, and select the Windows user groups or users that are allowed to execute the command.

Setting up the "scanall" command in the RunAs dialog

Here is a table of all the available RunAs command options:

Alias: The command the user connecting to VShell issues on the command line.

Command Path: The actual path to the command or script (the path must be valid for the RunAs user's environment).

Command arguments: Arguments to be included in the command line when executing the command (these are the first arguments in the command line; any arguments passed in the original remote execution request are appended after these arguments).

RunAs User: Username under which the command will be executed.

RunAs Password: Optional password for the RunAs user; if a password is not specified, the user is subject to the same limitations that would apply to users logging on using a public key.

The users or groups allowed to run the configured command. These users or groups need to be granted Remote Execution rights from the Access Control page in the VShell Control Panel.

Users that have been given access to the RunAs command are now able to remotely execute the alias name, which in turn runs the actual command as the configured RunAs user.
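
Because arguments from the remote request are appended after the configured ones, the command started under the RunAs user receives caller-supplied input. The following added example (not part of the VShell documentation) is a Python wrapper that an alias could run in place of the real tool, accepting only allow-listed options before starting it. It assumes a Python interpreter is available to the RunAs user; the scanner path and option names are hypothetical.

```python
"""Added example: argument-validating wrapper for a RunAs command.

Assumptions (not from the VShell documentation): the scanner path and the
allowed options below are hypothetical placeholders.
"""
import re
import subprocess
import sys

# Hypothetical privileged tool, with the fixed arguments it always gets.
REAL_COMMAND = [r"C:\Tools\scanner.exe", "/quiet"]

# Options a remote user may append, and the pattern each value must match.
ALLOWED = {
    "/target": re.compile(r"[A-Za-z0-9_-]{1,32}"),  # named scan target
    "/depth": re.compile(r"[1-5]"),                 # recursion depth 1-5
}


def validate_client_args(client_args):
    """Return the cleaned argument list, or raise ValueError."""
    if len(client_args) % 2:
        raise ValueError("options must be given as /name value pairs")
    cleaned, seen = [], set()
    for name, value in zip(client_args[::2], client_args[1::2]):
        key = name.lower()
        if key not in ALLOWED or key in seen:
            raise ValueError(f"option not allowed: {name!r}")
        if not ALLOWED[key].fullmatch(value):
            raise ValueError(f"bad value for {name}: {value!r}")
        seen.add(key)
        cleaned += [key, value]
    return cleaned


def build_command(client_args):
    """Fixed arguments first, validated client arguments after them."""
    return REAL_COMMAND + validate_client_args(client_args)


if __name__ == "__main__":
    try:
        argv = build_command(sys.argv[1:])
    except ValueError as exc:
        sys.exit(f"rejected: {exc}")
    # List form with shell=False: appended text is never parsed by a shell.
    sys.exit(subprocess.run(argv, shell=False).returncode)
```
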