Let's say you want to have an account you can ssh into but only run very specific commands in it. A good way to achieve that is to write a wrapper script that is called from your authorized_keys file. So you could have a wrapper that looks like this:
    #!/bin/sh
    # sshd places the command the client asked for in SSH_ORIGINAL_COMMAND;
    # only let it through when it starts with the full path to rsync.
    case $SSH_ORIGINAL_COMMAND in
        "/usr/bin/rsync "*)
            $SSH_ORIGINAL_COMMAND
            ;;
        *)
            echo "Permission denied."
            exit 1
            ;;
    esac

But what if you want to be really precise about the command? Using the above example, not only allowing rsync but also pinning down the path and the arguments? You could cheat and find out what the command you are sending is supposed to look like by temporarily replacing your wrapper script with this:
    #!/bin/sh
    # Log whatever command the client sent, so we can copy it verbatim later.
    DEBUG="logger"                # Linux
    #DEBUG="syslog -s -l note"    # OSX
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        $DEBUG "Passed SSH command $SSH_ORIGINAL_COMMAND"
    elif [ -n "$SSH2_ORIGINAL_COMMAND" ]; then
        $DEBUG "Passed SSH2 command $SSH2_ORIGINAL_COMMAND"
    else
        $DEBUG "Not passed a command."
    fi

Then you run the ssh command and see what it looks like in the log file. Copy that into your original wrapper script, and you are good to go. So
    ssh -t -i /home/raub/.ssh/le_key raub@virtualpork echo "Hey"

results in

    Dec 26 13:34:05 virtualpork syslog[64541]: Passed SSH command echo Hey

while

    rsync -avz -e 'ssh -i /home/raub/.ssh/le_key' raub@virtualpork:Public /tmp/backup/

results in

    Dec 26 13:28:17 virtualpork syslog[64541]: Passed SSH command rsync --server --sender -vlogDtprze.iLs . Public

The latter means our little wrapper script would then look like
    #!/bin/sh
    # Exact match only: the string is the one logged by the debug wrapper above.
    case $SSH_ORIGINAL_COMMAND in
        "rsync --server --sender -vlogDtprze.iLs . Public")
            $SSH_ORIGINAL_COMMAND
            ;;
        *)
            echo "Permission denied."
            exit 1
            ;;
    esac
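As an added example (not the post's own script), here is the same exact-match wrapper split into a testable check function, together with the authorized_keys line that ties the key to it; the wrapper path /usr/local/bin/rsync-wrapper.sh is an assumption, and the no-* options are standard sshd authorized_keys restrictions that the post does not mention.

```shell
#!/bin/sh
# Exact-match forced-command wrapper (added example, assumed installed as
# /usr/local/bin/rsync-wrapper.sh). The matching authorized_keys entry would be:
#   command="/usr/local/bin/rsync-wrapper.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... backup-key
# The no-* options keep the key from being used for anything but this command.

# The command string the debug wrapper logged for the rsync pull of "Public".
ALLOWED='rsync --server --sender -vlogDtprze.iLs . Public'

# check_ssh_command CMD: 0 only when CMD is exactly the allowed string.
# The pattern is quoted, so it is compared literally, not as a glob.
check_ssh_command() {
    case "$1" in
        "$ALLOWED") return 0 ;;
        *)          return 1 ;;
    esac
}

# run_forced_command: entry point when sshd invokes this script; sshd exports
# the client's requested command as SSH_ORIGINAL_COMMAND.
run_forced_command() {
    if check_ssh_command "$SSH_ORIGINAL_COMMAND"; then
        # Unquoted on purpose: the (already validated) string must be word-split
        # into argv for rsync.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Permission denied." >&2
    return 1
}

# Act as the wrapper only when sshd handed us a command; otherwise (for example
# when sourced by a test) just define the functions.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    run_forced_command
    exit $?
fi
```

Any deviation from the logged string, such as a different module path or an extra argument, is refused, so a change to the rsync options on the client side requires updating ALLOWED on the server.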