[clug] Wanted: Developer to securely implement a restricted SSH shell

steve jenkin sjenkin at canb.auug.org.au
Mon Jan 4 03:30:00 MST 2010

[Oops, reply to list]

Nathan O'Sullivan wrote on 4/01/10 6:09 PM:

>> >> The `xm console $DOMAIN` command needs to be run as root.
>> >> Would setuid root on the proposed shell script work?

Do Linux'es allow 'setuid/gid' on shell scripts?
I thought I read somewhere they don't... (in the context of creating
'non-portable' scripts)

I can't see a way around using 'sudo' or similar on Dom0.

Perhaps your request is not so much you want an SSH client (Andrew
Janke's post covers containing ssh-keys), but a way to (securely)
convert simple shell scripts into binaries...

Google for "Industrial-strength Linux lockdown" from IBM DeveloperWorks.
It includes code to modify (Ubuntu) 'dash' to only run an embedded
script. [seems to need registration and login]
The docs are on 'scribd' as well.

You might add 'from=local_client' to the SSH-KEY as well

I stumbled across 'shc' which purports to be a "generic shell script
compiler". Anyone used it or know if it's 'secure'??

> >
> > Perhaps my off-site posting worked too well - I have a sample naive
> > implementation at the bottom of
> > http://www.mammothmedia.com.au/~nats/restricted-shell-job.txt
> >
> > In my implementation I utilise sudo to restrict the user to being able
> > to run "xm console $DOMAIN" and nothing else.
> >
> > My primary concern is if/how the user might interrupt or otherwise
> > affect the behaviour of this custom login shell - I know I dont know
> > enough about this to say what attacks are out there.

Looking at your web specs, as a client I'd be uneasy about using a CGI
to upload a public SSH key. Even if the key isn't munged in some way,
how do I know that it isn't swapped and someone else is accessing my DomU?

 I would use a private key that was emailed to me by you (with PGP?) :-)

Depending on the number of clients you have, is there a way you can
either securely issue them private keys or have them generate a new key
and arrange a physical hand-over (they physically put it in your hand)??

> >
> > Regards
> > Nathan


Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

More information about the linux mailing list