{"id":227,"date":"2013-02-06T03:54:57","date_gmt":"2013-02-06T11:54:57","guid":{"rendered":"http:\/\/blog.ls-al.com\/?p=227"},"modified":"2013-06-24T08:31:20","modified_gmt":"2013-06-24T15:31:20","slug":"ssh-forced-commands","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/ssh-forced-commands\/","title":{"rendered":"SSH Forced Commands"},"content":{"rendered":"<p>If for whatever reason you <span style=\"text-decoration: underline;\">have<\/span> to use root for ssh authorized key access, but at least want to restrict severely the commands that can be executed.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Create a wrapper script and make it executable.<\/strong><\/span><\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# cat \/root\/scripts\/sshwrapper.sh\r\n#!\/bin\/sh\r\n# Script: \/root\/scripts\/sshwrapper.sh\r\n\r\ncase &quot;$SSH_ORIGINAL_COMMAND&quot; in\r\n&quot;uname -r&quot;)\r\nuname -r\r\n;;\r\n&quot;lxc-version&quot;)\r\nlxc-version\r\n;;\r\n&quot;vserver-info&quot;)\r\nvserver-info - SYSYINFO | grep VS-API\r\n;;\r\n&quot;lxc-ls&quot;)\r\nlxc-ls\r\n;;\r\n&quot;vserver-stat&quot;)\r\nvserver-stat\r\n;;\r\n*)\r\necho &quot;Sorry. Only these commands are available to you:&quot;\r\necho &quot;uname, lxc-version, vserver-info, lxc-ls, vserver-stat&quot;\r\nexit 1\r\n;;\r\nesac\r\n<\/pre>\n<p><span style=\"text-decoration: underline;\"><strong>Tailor the key as follow:<\/strong><\/span><\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# tail -1 \/root\/.ssh\/authorized_keys\r\ncommand=&quot;\/root\/scripts\/sshwrapper.sh&quot;,no-port-forwarding,no-X11-forwarding,no-pty ssh-dss\r\n...\r\nZkDBHoTWqskb4OXlWnV\/ILBgn0HuWTPyjNS5ABjZRkxVvEeAXc= root@server.domain.com\r\n<\/pre>\n<p><span style=\"text-decoration: underline;\"><strong>Test:<\/strong><\/span><\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# ssh ebsr12testdb uptime\r\nSorry. Only these commands are available to you:\r\nuname, lxc-version, vserver-info, lxc-ls, vserver-stat\r\n\r\n# ssh ebsr12testdb uname\r\nSorry. Only these commands are available to you:\r\nuname, lxc-version, vserver-info, lxc-ls, vserver-stat\r\n\r\n# ssh ebsr12testdb uname -r\r\n2.6.18-194.32.1.el5\r\n<\/pre>\n<p>** Note another nice thing about this.\u00a0 If we would set it up in the wrapper that \u201cuname\u201d is allowed as opposed to \u201cuname \u2013r\u201d you can still have the command be whatever.\u00a0 So we could potentially allow \u201cvmstat\u201d in the wrapper but the actual command executed will be \u201cvmstat 1 100\u201d.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If for whatever reason you have to use root for ssh authorized key access, but at least want to restrict<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-227","post","type-post","status-publish","format-standard","hentry","category-ssh"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=227"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/227\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}