
SSH Forced Commands

wordpress meta

title: 'SSH Forced Commands'
date: '2013-02-06T03:54:57-06:00'
status: publish
permalink: /ssh-forced-commands
author: admin
excerpt: ''
type: post
id: 227
category:
    - SSH
tag: []
post_format: []

Sometimes you have no choice but to grant key-based SSH access as root (here: remote hosts that need to query a container server running lxc and util-vserver), but you still want to restrict severely which commands that key can run. OpenSSH forced commands do exactly that: the command= option in authorized_keys makes sshd run a wrapper of your choice no matter what the client asked for, the client's request is passed to the wrapper in the SSH_ORIGINAL_COMMAND environment variable, and the wrapper decides what, if anything, gets executed.

Create a wrapper script and make it executable.

# cat /root/scripts/sshwrapper.sh
#!/bin/sh
# Script: /root/scripts/sshwrapper.sh
# Forced command for a root authorized_keys entry. sshd puts whatever the
# client asked to run into SSH_ORIGINAL_COMMAND; only the exact strings
# below are acted on, everything else (including an empty value, i.e. an
# interactive login attempt) is refused with exit status 1.

case "$SSH_ORIGINAL_COMMAND" in
"uname -r")
    uname -r
    ;;
"lxc-version")
    lxc-version
    ;;
"vserver-info")
    # util-vserver: "-" selects the current context, SYSINFO prints
    # version and API information; keep only the VS-API line
    vserver-info - SYSINFO | grep VS-API
    ;;
"lxc-ls")
    lxc-ls
    ;;
"vserver-stat")
    vserver-stat
    ;;
*)
    # the list is informational only; just the exact strings above match
    echo "Sorry. Only these commands are available to you:"
    echo "uname, lxc-version, vserver-info, lxc-ls, vserver-stat"
    exit 1
    ;;
esac

Tailor the key as follows. The command= option is what forces the wrapper; no-port-forwarding, no-X11-forwarding and no-pty close the channels the wrapper does not need (adding no-agent-forwarding is a good idea too, and OpenSSH 7.2 and later accept a single restrict option that switches all of them off). Note that the DSA key type shown here (ssh-dss) is refused by default since OpenSSH 7.0, so on a current system the same line would carry an ssh-ed25519 or ssh-rsa key:

# tail -1 /root/.ssh/authorized_keys
command="/root/scripts/sshwrapper.sh",no-port-forwarding,no-X11-forwarding,no-pty ssh-dss
...
ZkDBHoTWqskb4OXlWnV/ILBgn0HuWTPyjNS5ABjZRkxVvEeAXc= root@server.domain.com

Test:

# ssh ebsr12testdb uptime
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname -r
2.6.18-194.32.1.el5

** Note another nice thing about this: the string matched in the wrapper and the command that is actually executed are independent. The wrapper above only accepts the exact string "uname -r", so a plain "uname" is refused (as the test shows, even though the usage message lists it), but nothing stops you from accepting the label "vmstat" and running "vmstat 1 100" behind it. The client never gets to choose the arguments, which is the whole point: never match with a glob such as "vmstat*" and never hand $SSH_ORIGINAL_COMMAND to sh -c or eval, or the restriction is gone.
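As an added example (this is not the wrapper from the original post; the vmstat label, the syslog tag, the ed25519 key line and the host names are assumptions), here is the same idea written so that the accepted label and the executed command line are explicitly separated, an interactive-login attempt (unset SSH_ORIGINAL_COMMAND) is refused, and every decision is logged with the client-supplied text sanitised before it reaches syslog:

```shell
#!/bin/sh
# Added example, not the original post's wrapper: a forced-command dispatcher
# for a root authorized_keys entry. Install as /root/scripts/sshwrapper.sh and
# reference it from the key, e.g. (assumed key type and comment):
#   restrict,command="/root/scripts/sshwrapper.sh" ssh-ed25519 AAAA... monitor@host
# "restrict" needs OpenSSH 7.2+; on older sshd spell out
#   no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

# sshwrap_allowed LABEL: exact-match allowlist of what a client may send.
# Literal patterns only (no globs), so "uname -r; id", "uname  -r" (two
# spaces), "uname" and "" all fail.
sshwrap_allowed() {
    case "$1" in
        "uname -r"|lxc-version|lxc-ls|vserver-info|vserver-stat|vmstat) return 0 ;;
        *) return 1 ;;
    esac
}

# sshwrap_run LABEL: the command line executed for an accepted label. The
# client text is used only as a case selector and is never evaluated by
# the shell; the server, not the client, picks the arguments.
sshwrap_run() {
    case "$1" in
        "uname -r")   uname -r ;;
        lxc-version)  lxc-version ;;
        lxc-ls)       lxc-ls ;;
        vserver-info) vserver-info - SYSINFO | grep VS-API ;;
        vserver-stat) vserver-stat ;;
        vmstat)       vmstat 1 100 ;;   # label "vmstat", fixed arguments
        *)            return 1 ;;
    esac
}

# sshwrap_sanitize TEXT: make attacker-controlled text safe for a log line:
# non-printable bytes (newlines, escape sequences) become '?', at most 200
# characters are kept.
sshwrap_sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '?' | cut -c1-200
}

# sshwrap_log MESSAGE: syslog (auth facility) when logger exists, else stderr.
sshwrap_log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t sshwrapper -p auth.info -- "$1"
    else
        printf 'sshwrapper: %s\n' "$1" >&2
    fi
}

# sshwrap_main: what sshd invokes. SSH_ORIGINAL_COMMAND is unset when the
# client asked for a shell; SSH_CLIENT is "ip port port".
sshwrap_main() {
    peer=${SSH_CLIENT-}
    peer=${peer%% *}
    req=${SSH_ORIGINAL_COMMAND-}
    if sshwrap_allowed "$req"; then
        sshwrap_log "accepted '$req' from ${peer:-?}"
        sshwrap_run "$req"
    else
        sshwrap_log "refused '$(sshwrap_sanitize "$req")' from ${peer:-?}"
        echo "Sorry. Only these commands are available to you:" >&2
        echo "uname -r, lxc-version, vserver-info, lxc-ls, vserver-stat, vmstat" >&2
        exit 1
    fi
}

# Dispatch only when installed under the expected name, so the file can be
# sourced from a shell to exercise the functions without sshd.
case "${0##*/}" in
    sshwrapper.sh) sshwrap_main ;;
esac
```

With this in place, ssh host vmstat returns 100 samples at one-second intervals, while ssh host 'vmstat 1 2' or ssh host (no command at all) is refused, and each accepted or refused request shows up in the auth log (journalctl -t sshwrapper on systemd hosts). The sanitiser matters because the refused string is chosen by the remote side: without it a client can inject newlines or terminal escape sequences into your log.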