[clug] Wanted: Developer to securely implement a restricted SSH shell

Nathan O'Sullivan nathan at mammoth.com.au
Mon Jan 4 15:38:29 MST 2010

On 04/01/10 19:33, Andrew Janke wrote:
>>> I was thinking a custom shell with openssh;
>> Inside the authorized_keys file you can specify a command to be run when a given key is
>> used.  You could generate a set of key pairs for each xm console command required.  Or if
>> a specific user needs access to a specific xm console then you just use the user's public
>> key with the appropriate command= entry.
>> Look for AUTHORIZED_KEYS FILE FORMAT in the sshd man page.
> Beat me to it! :)  This is exactly what crossed my mind when I first
> read this.  I do this as such for a rsync via a (passwordless) key for
> example:
> mavis:.ssh$ cat authorized_keys
> command="~/bin/vrsync.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
> ssh-dss<AAAABBASDasdfff234af... rest of key...>

 From my testing, the command="$COMMAND" from ~/.ssh/authorized_keys is 
simply passed to to the user's login shell as command arguments "-c 
$COMMAND" which the user's login shell can do with as it pleases.

Obviously /bin/bash just runs the command; you can see in my custom 
shell on http://www.mammothmedia.com.au/~nats/restricted-shell-job.txt 
that I refuse to do anything if there are command lines arguments 
(tested with *$# -ne 0*).

The authorized_keys setting overrides the command (if any) from running 
"ssh user at host $COMMAND" but other than that, isnt special in any way 
and to me, would appear to be vulnerable to the same class of attacks as 
writing a custom shell.


More information about the linux mailing list