SSH – Configure SSHd to Permit Single Command Without Full Login Access

execremotessh

I am looking for the best way to call a remote command over SSH. I created the user 'rpcall', generated a new certificate and filled authorized_keys. I secured it a little bit more with

from="ip",no-agent-forwarding,no-X11-forwarding,no-port-forwarding,no-pty ssh-rsa ......

Now the user rpcall can't log in to a terminal:

ssh -l rpc 192.168.12.1
PTY allocation request failed on channel 0

but it is still possible to run any command:

ssh -l rpc 192.168.12.1 cat /etc/passwd

Is there any solution so I can limit command execution to only one processing script?
For example /home/rpcall/bin/command.sh

I set up the bash shell for this user and used .bashrc to force-run the processing script, but I don't know how to pass parameters from the ssh call.

.bashrc for the user rpcall:

/home/rpcall/bin/command.sh $params1 $params2
exit

ssh call from the other machine:

ssh -l rpcall 192.168.12.1 "param1" "param2"

Best Answer

You can restrict commands using the authorized_keys file. Put command="/home/rpcall/bin/command.sh" before the key, in the authorized_keys file, and the user will only ever run that command when they connect.

Check the man page for authorized_keys; this is from that man page:

 command="command"
         Specifies that the command is executed whenever this key is used
         for authentication.  The command supplied by the user (if any) is
         ignored.  The command is run on a pty if the client requests a
         pty; otherwise it is run without a tty.  If an 8-bit clean channel
         is required, one must not request a pty or should specify no-pty.
         A quote may be included in the command by quoting it with a
         backslash.  This option might be useful to restrict certain public
         keys to perform just a specific operation.  An example might be a
         key that permits remote backups but nothing else.  Note that the
         client may specify TCP and/or X11 forwarding unless they are
         explicitly prohibited.  The command originally supplied by the
         client is available in the SSH_ORIGINAL_COMMAND environment
         variable.  Note that this option applies to shell, command or
         subsystem execution.

If you need more than one command, you need to basically set up several sets of keys and use different keys to give you different commands.

Edit: I just noticed, the original command is available in the SSH_ORIGINAL_COMMAND environment variable, so you could indeed handle that input using your own script, doing something clever.
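As an added illustration of the SSH_ORIGINAL_COMMAND approach from the answer (example code, not from the question or the answer), here is a forced-command wrapper for the path the question uses, /home/rpcall/bin/command.sh. The verbs "status" and "backup", the do-backup helper and the use of logger are assumptions; the script never executes the client-supplied string, it only maps it onto a fixed allowlist and logs what it allowed or rejected.

```shell
#!/bin/sh
# Forced-command wrapper, referenced from authorized_keys as
#   command="/home/rpcall/bin/command.sh",no-pty,no-port-forwarding,... ssh-rsa ...
# sshd puts whatever the client typed after the hostname into
# SSH_ORIGINAL_COMMAND.  That string is parsed, never executed.

# dispatch REQUEST -> prints "<verb> <arg>" and returns 0 when REQUEST is on
# the allowlist, prints nothing and returns 1 otherwise.
dispatch() {
    req=$1
    verb=${req%% *}                     # text before the first space
    arg=${req#"$verb"}                  # remainder, including the separator
    arg=${arg# }                        # drop the single separating space
    case $arg in                        # arg must be empty or one word of
        *[!A-Za-z0-9._-]*) return 1 ;;  # [A-Za-z0-9._-]: no ; | $ ( ) ' " / or spaces
    esac
    case $verb in
        status) [ -z "$arg" ] || return 1; echo "status" ;;
        backup) [ -n "$arg" ] || return 1; echo "backup $arg" ;;
        *) return 1 ;;                  # unknown verb, or an empty request
    esac
}

main() {
    # A forced command also runs when the client asks for a plain shell
    # (empty SSH_ORIGINAL_COMMAND); dispatch rejects that case as well.
    if action=$(dispatch "${SSH_ORIGINAL_COMMAND-}"); then
        logger -t rpcall "allowed: $action"
        set -- $action                  # safe: action was validated above
        case $1 in
            status) exec /bin/uptime ;;
            backup) exec /usr/local/bin/do-backup "$2" ;;   # assumed helper
        esac
    fi
    logger -t rpcall "rejected: ${SSH_ORIGINAL_COMMAND-}"
    exit 1
}

# Act as the entry point only when installed under the question's file name;
# sourcing this file (for example in a test) just defines the functions.
case $0 in */command.sh|command.sh) main ;; esac
```

The client then calls `ssh -l rpcall 192.168.12.1 backup db1`, and any other command line (or none at all) is logged and refused.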
