[wplug] ssh restrictions

Mike Griffin mike at dmrnetworks.com
Tue Sep 16 10:15:47 EDT 2003


Yes, you use command=  at the beginning of the key. I would suggest 
doing this first:
write a script that takes  $SSH_ORIGINAL_COMMAND and puts it to a file, 
from there you can do your actual restriction for that key.
here's a light example:

you're using rsync to make backups to another machine.
Your original script should be in this fashion:

# First pass: log whatever the client asked for, then run it.
# (Only for discovering the exact command string; not a restriction yet.)
case "$SSH_ORIGINAL_COMMAND" in
*)
   echo "$SSH_ORIGINAL_COMMAND" > /tmp/ssh-output
   $SSH_ORIGINAL_COMMAND
   ;;
esac


We're going to call this script rsync-command and place it in 
/usr/local/bin.  The command= line before the key would then look like 
this:
command="/usr/local/bin/rsync-command"  keystufftherestofthelinegoeshere

After we run the script manually we look at /tmp/ssh-output and replace 
the * in *) with whatever was in /tmp/ssh-output.
Don't replace the ).  Take out the echo from the preceding 
example.  You can add this after the initial statement:
*)
   # We want to log the failures, and drop the connection NOT telling the
   # person why it was dropped.
   echo "$SSH_ORIGINAL_COMMAND" >> /tmp/ssh-auth-failure
   ;;


Mike
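A finished version of the rsync-command wrapper described above, as an added example (not Mike's script): after the logging pass has revealed the exact server-side rsync string, the case statement allows only that string, execs a fixed argv instead of running the client-supplied text through the shell, and appends everything else to the failure log. The allowed rsync invocation, the /srv/backup/ path and the FAILLOG variable are assumptions for illustration.

```shell
#!/bin/sh
# /usr/local/bin/rsync-command (added example, not from the original post)
# authorized_keys line (assumed layout):
#   command="/usr/local/bin/rsync-command",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
#
# ALLOWED is the exact string that the logging pass wrote to /tmp/ssh-output;
# the value below is a constructed example for "rsync -az ... remote:/srv/backup/".
ALLOWED='rsync --server -logDtprze.iLsfx . /srv/backup/'
FAILLOG="${FAILLOG:-/tmp/ssh-auth-failure}"

# check_command CMD: 0 if CMD is exactly the allowed rsync invocation, else 1.
# Quoting "$ALLOWED" in the pattern makes the comparison literal, so no
# glob characters in the recorded command can widen the match.
check_command() {
    case "$1" in
        "$ALLOWED") return 0 ;;
        *)          return 1 ;;
    esac
}

# run_restricted CMD: exec the fixed rsync argv when allowed; otherwise log the
# attempt with a timestamp and return 1 so the connection is simply dropped.
# The client string is never expanded into a shell command.
run_restricted() {
    if check_command "$1"; then
        exec rsync --server -logDtprze.iLsfx . /srv/backup/
    fi
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$FAILLOG"
    return 1
}

# Dispatch only when sshd invoked us with a forced command; with the variable
# unset (e.g. the script being sourced for testing) nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_restricted "$SSH_ORIGINAL_COMMAND"
    exit 1
fi
```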



On Tuesday, September 16, 2003, at 09:34  AM, Lance Tost wrote:

> Set up key-based authentication so no password is required.  Then on 
> the remote side, in ~/.ssh/authorized_keys, add the following before the 
> key:
>
> command="/path/to/whatever/command args"
>
> man sshd and search for "command=".
>
>
> On Mon, 15 Sep 2003, Joe Topjian wrote:
>
>> Date: Mon, 15 Sep 2003 20:37:25 -0400
>> From: Joe Topjian <joe at portsys.net>
>> Reply-To: wplug at wplug.org
>> To: wplug at wplug.org
>> Subject: [wplug] ssh restrictions
>>
>> With ssh, you can always create a public key, toss that into the 
>> remote end's authorized_hosts file and now you can ssh/scp/run remote commands
>> to the remote host without a password.
>>
>> This sounds cool and all for a number of different things, but is it
>> possible to place any type of restriction on what is run?
>>
>> For instance, let's say I wanted to build a nightly backup script. This
>> script runs a shell script on a remote server that gathers everything,
>> then I scp it back to me.
>>
>> ssh root at remote /usr/bin/backup.sh
>> scp root at remote:/root/backup.tar.gz .
>>
>> But let's say someone got into my system and somehow figured out that I
>> have password-less access to a remote host and decided to do a
>>
>> ssh root at remote rm -rf /
>>
>> Is there any way to restrict what ssh runs or is used for in a system?
>> If not, is there any kind of utility or wrapper that will do this?
>>
>> For instance, you could use tcpserver (http://cr.yp.to/ucspi-tcp.html)
>> and daemontools (http://cr.yp.to/daemontools.html) that will take any
>> ol' script, and turn it into a server. You connect to that port and it
>> runs the script. (Kinda like inetd, but more flexible). However, you
>> now have a bunch of programs listening on ports publicly.
>>
>> Any ideas?
>>
>> ---
>> Joe Topjian
>> email: joe at portsys.net
>> web: http://zaven.us
>>
>> _______________________________________________
>> wplug mailing list
>> wplug at wplug.org
>> http://www.wplug.org/mailman/listinfo/wplug
>>
>
> -- 
> Lance Tost <ltost at pobox.com>
>



