[clug] Wanted: Developer to securely implement a restricted SSH shell

Andrew Janke a.janke at gmail.com
Mon Jan 4 01:33:43 MST 2010


>> I was thinking a custom shell with openssh;
>
> Inside the authorized_keys file you can specify a command to be run when a given key is
> used.  You could generate a set of key pairs for each xm console command required.  Or if
> a specific user needs access to a specific xm console then you just use the user's public
> key with the appropriate command= entry.
>
> Look for AUTHORIZED_KEYS FILE FORMAT in the sshd man page.

Beat me to it! :)  This is exactly what crossed my mind when I first
read this.  I do this as such for a rsync via a (passwordless) key for
example:

mavis:.ssh$ cat authorized_keys
command="~/bin/vrsync.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss <AAAABBASDasdfff234af... rest of key...>

And then in my little vrsync.sh script..  Note that the first couple
of entries in the case are an attempt to catch various dirty tricks
that can be played in an attempt to get around this sort of approach.

mavis:.ssh$ cat ~/bin/vrsync.sh
#! /bin/sh
#
# Yes the error message is misleading

# debug - uncomment to figure out what the heck is going on when things break
# echo "SSHCOMMAND: $SSH_ORIGINAL_COMMAND" > /tmp/cmd-$$

case "$SSH_ORIGINAL_COMMAND" in
   *\&*)
      echo "Destination Host Unreachable"
      ;;

   *\(*)
      echo "Destination Host Unreachable"
      ;;

   *\{*)
      echo "Destination Host Unreachable"
      ;;

   *\;*)
      echo "Destination Host Unreachable"
      ;;

   *\<*)
      echo "Destination Host Unreachable"
      ;;

   *\`*)
      echo "Destination Host Unreachable"
      ;;

   #  rsync from
   rsync\ --server\ --sender\ -logDtpr*)
      $SSH_ORIGINAL_COMMAND
      ;;

   # dirvish
   #rsync\ --server\ --sender\ -vlHogDtprx\ --numeric-ids\ *)
   #   $SSH_ORIGINAL_COMMAND
   #   ;;

   *)
      echo "ssh: Destination Host Unreachable"
      ;;
esac


I am sure there are things I have missed here and others perhaps have
even better methods but it's what I have used in the past.


--
Andrew Janke
(a.janke at gmail.com || http://a.janke.googlepages.com/)
Canberra->Australia    +61 (402) 700 883
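
An allowlist variant of the forced-command wrapper in the message above, added here as an example and not part of the original post: it checks the whole argument list instead of a prefix. EXPORT_ROOT, its default path and vet_command are hypothetical names, and the six-word rsync layout is an assumption to confirm with the debug line in vrsync.sh.

```sh
#!/bin/sh
# Added example, not the poster's script: allowlist check for a forced command.
# EXPORT_ROOT and vet_command are hypothetical names; the path is a placeholder.
LC_ALL=C; export LC_ALL                      # make A-Z style ranges ASCII-only
EXPORT_ROOT="${EXPORT_ROOT:-/srv/backup-export}"

# vet_command CMD: status 0 only for
#   rsync --server --sender -logDtpr<letters> . <one path below EXPORT_ROOT>
# The body runs in a subshell so the IFS and globbing changes stay local.
vet_command() (
   set -f; IFS=' '                           # split on spaces only, no globbing
   set -- $1
   [ $# -eq 6 ] || exit 1                    # fixed shape, no extra arguments
   for word in "$@"; do
      case "$word" in
         *[!A-Za-z0-9._/-]*) exit 1 ;;       # any character off the allowlist
      esac
   done
   [ "$1 $2 $3 $5" = "rsync --server --sender ." ] || exit 1
   case "$4" in
      -logDtpr*[!A-Za-z.]*) exit 1 ;;        # option cluster: letters and dots
      -logDtpr*) ;;
      *) exit 1 ;;
   esac
   case "$6" in
      */../*|*/..) exit 1 ;;                 # no climbing out of the root
      "$EXPORT_ROOT"/*) exit 0 ;;
   esac
   exit 1                                    # default: refuse
)

# Act only when sshd started this script through command="..." in authorized_keys.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
   if vet_command "$SSH_ORIGINAL_COMMAND"; then
      set -f; IFS=' '
      exec $SSH_ORIGINAL_COMMAND             # same splitting as was checked
   fi
   echo "request refused" >&2
   exit 1
fi
```

It is installed the same way as vrsync.sh, as the command= target on the key's authorized_keys line.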
