Skip to content

SSH Forced Commands

If for whatever reason you have to use root for ssh authorized key access, but at least want to restrict severely the commands that can be executed.

Create a wrapper script and make it executable.

# cat /root/scripts/sshwrapper.sh
#!/bin/sh
# Script: /root/scripts/sshwrapper.sh

case "$SSH_ORIGINAL_COMMAND" in
"uname -r")
uname -r
;;
"lxc-version")
lxc-version
;;
"vserver-info")
vserver-info - SYSYINFO | grep VS-API
;;
"lxc-ls")
lxc-ls
;;
"vserver-stat")
vserver-stat
;;
*)
echo "Sorry. Only these commands are available to you:"
echo "uname, lxc-version, vserver-info, lxc-ls, vserver-stat"
exit 1
;;
esac

Tailor the key as follow:

# tail -1 /root/.ssh/authorized_keys
command="/root/scripts/sshwrapper.sh",no-port-forwarding,no-X11-forwarding,no-pty ssh-dss
...
ZkDBHoTWqskb4OXlWnV/ILBgn0HuWTPyjNS5ABjZRkxVvEeAXc= root@server.domain.com

Test:

# ssh ebsr12testdb uptime
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname -r
2.6.18-194.32.1.el5

** Note another nice thing about this.  If we would set it up in the wrapper that “uname” is allowed as opposed to “uname –r” you can still have the command be whatever.  So we could potentially allow “vmstat” in the wrapper but the actual command executed will be “vmstat 1 100”.

Published inSSH