[wplug] ssh restrictions

Lance Tost ltost at pobox.com
Tue Sep 16 09:34:02 EDT 2003


Set up key-based authentication so no password is required.  Then on the 
remote side, in ~/.ssh/authorized_keys, add the following before the key:

command="/path/to/whatever/command args"

man sshd and search for "command=".


On Mon, 15 Sep 2003, Joe Topjian wrote:

> Date: Mon, 15 Sep 2003 20:37:25 -0400
> From: Joe Topjian <joe at portsys.net>
> Reply-To: wplug at wplug.org
> To: wplug at wplug.org
> Subject: [wplug] ssh restrictions
> 
> With ssh, you can always create a public key, toss that into the remote 
> end's authorized_hosts file and now you can ssh/scp/run remote commands 
> to the remote host without a password.
> 
> This sounds cool and all for a number of different things, but is it 
> possible to place any type of restriction on what is run?
> 
> For instance, let's say I wanted to build a nightly backup script. This 
> script runs a shell script on a remote server that gathers everything, 
> then I scp it back to me.
> 
> ssh root at remote /usr/bin/backup.sh
> scp root at remote:/root/backup.tar.gz .
> 
> But let's say someone got into my system and somehow figured out that I 
> have password-less access to a remote host and decided to do a
> 
> ssh root at remote rm -rf /
> 
> Is there any way to restrict what ssh runs or is used for in a system?
> If not, is there any kind of utility or wrapper that will do this?
> 
> For instance, you could use tcpserver (http://cr.yp.to/ucspi-tcp.html) 
> and daemontools (http://cr.yp.to/daemontools.html) that will take any 
> ol' script, and turn it into a server. You connect to that port and it 
> runs the script. (Kinda like inetd, but more flexible). However, you 
> now have a bunch of programs listening on ports publicly.
> 
> Any ideas?
> 
> ---
> Joe Topjian
> email: joe at portsys.net
> web: http://zaven.us
> 

-- 
Lance Tost <ltost at pobox.com>
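As an added example for this thread (not code from Lance's reply or the list archive), here is what that forced command could look like for Joe's nightly backup case. The install path /usr/local/bin/backup-only.sh and the key placeholder are assumptions; the two permitted requests come from Joe's own `ssh root@remote /usr/bin/backup.sh` and `scp root@remote:/root/backup.tar.gz .` lines. The point the example shows is that the wrapper matches the whole of SSH_ORIGINAL_COMMAND against a fixed allow-list and executes a fixed argv, so a compromised client that tries `rm -rf /`, or tacks `; rm -rf /` onto the backup script, gets rejected and logged instead of a shell.

```shell
#!/bin/sh
# backup-only.sh: forced-command wrapper for a single-purpose ssh key.
# Added example for this thread, not code from the list archive. The path
# /usr/local/bin/backup-only.sh is an assumed install location.
#
# In the remote ~/.ssh/authorized_keys, prefix the client's key with the
# forced command plus the other restriction options sshd(8) accepts
# (the key material below is a placeholder):
#
#   command="/usr/local/bin/backup-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER... backup-client
#
# sshd then ignores what the client asked to run, executes this script, and
# hands us the client's request in SSH_ORIGINAL_COMMAND.

# Policy: the only two requests the nightly job needs. Whole-string matches,
# so "/usr/bin/backup.sh; rm -rf /" or any extra argument is rejected.
# "scp -f FILE" is what classic scp sends for "scp host:FILE ."; newer scp
# defaults to the SFTP protocol and sends a different request, so adjust
# the second pattern if you depend on that.
# Prints the permitted command and returns 0, or returns 1 if not permitted.
allowed_command() {
    case "$1" in
        '/usr/bin/backup.sh')          printf '%s\n' '/usr/bin/backup.sh' ;;
        'scp -f /root/backup.tar.gz')  printf '%s\n' 'scp -f /root/backup.tar.gz' ;;
        *)                             return 1 ;;
    esac
}

# Dispatch for sshd: run the permitted command with a fixed argv, never via
# "sh -c" or eval, which would reintroduce the injection we are preventing.
run_forced_command() {
    request=${SSH_ORIGINAL_COMMAND-}
    if cmd=$(allowed_command "$request"); then
        logger -p auth.info -t backup-only "accepted: $cmd"
        set -f                 # no globbing while splitting our own fixed string
        # shellcheck disable=SC2086
        set -- $cmd
        set +f
        exec "$@"
    fi
    logger -p auth.warning -t backup-only "rejected: $request"
    echo "this key may only run the backup job" >&2
    exit 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client requested a command, so
# an interactive login (no command) falls through here and the session ends
# without ever providing a shell. When run or sourced outside sshd, nothing
# is executed, which keeps the policy function testable on its own.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_forced_command
fi
```

The `no-pty` and `no-*-forwarding` options close the other things a key can be used for besides running a command, and sshd(8) also accepts `from="host"` to pin the key to the backup client's address. Running the job under a dedicated backup account instead of root narrows the blast radius further, but that is independent of the forced-command mechanism.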