author | Daniel Friesel <derf@finalrewind.org> | 2011-05-18 13:46:45 +0200 |
---|---|---|
committer | Daniel Friesel <derf@finalrewind.org> | 2011-05-18 13:46:45 +0200 |
commit | f3d0995e9078c0b6a99793a90ce6671afc756ee1 (patch) | |
tree | 14b0e32d5526231ca04055dea50b1e128e59d591 /README | |
parent | f9553f3e2b7f21080ce7974909e92d251aaae528 (diff) |
CPANization
Diffstat (limited to 'README')
-rw-r--r-- | README | 57 |
1 files changed, 17 insertions, 40 deletions
@@ -1,52 +1,29 @@ ssh-forcecommand - Whitelist remote commands via ssh config +----------------------------------------------------------- -ssh-forcecommand is a trivial script to safely execute remote commands via -ssh. It is especially aimed at automated remote commands (so, ssh keys not -secured via password), where a compromise of the remote system (-> private -key) could also compromise the local system. +* <http://derf.homelinux.org/projects/ssh-forcecommand/> -To prevent this, you can put the forcecommand into the ssh config -(authorized_keys, to be precise), so the remote system can only execute a set -of statically defined commands. This way, compromising the local system is -made much more difficult. +Dependencies +------------ -SETUP ------ + * perl version 5.10 or newer -First, run "make install". You will now have the script in -/usr/local/lib/ssh-forcecommand. -Next, for every publickey you want to restrict to the forcecommand, add the -following line to ~/.ssh/authorized_keys: +Installation +------------ -command="/usr/local/lib/ssh-forcecommand /etc/forcecommand/foo.cfg",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-rsa yourfunkykey +$ perl Build.PL +$ perl Build +$ sudo perl Build install -command="..." sets the forcecommand, the other options disable potentially -dangerous stuff like port forwardig (Though that is not meant to be an -exhaustive list). +By default, ssh-forcecommand is installed as /usr/local/bin/ssh-forcecommand. +In most cases, this does not make sense. For example, if you are using the +forcecommand for nagios checks, you might want to do this instead: -As you see, the forcecommand accepts exactly one argument, which is the config -defining the allowed commands. This way, you can restrict different ssh keys -to different sets of commands. For example configs, see the examples -directory. 
+$ sudo perl Build install --install_path script=/usr/lib/nagios +Testing +------- -USAGE ------ - -Assume you have the following line in your forcecommand config: - -home = tar -C / -cf - home - -Now, on the remote system, run this: - -ssh user@yourhost home - -On your system, this will translate to: - -tar -C / -cf - home - -The forcecommand is 100% static, variables or appending of stuff is not -supported. No part of the original ssh command will be dynamically used in -the resulting command. This makes ssh-forcecommand quite secure. +FIXME |
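Review bot: The removed SETUP and USAGE sections were the only place the README showed the authorized_keys entry (command="..." together with no-agent-forwarding, no-port-forwarding, no-pty, no-X11-forwarding) and stated that no part of the original ssh command is used in the resulting command, and the added lines contain no replacement and no pointer to where that documentation now lives. Please keep a short setup section or link to the new location, so a reader does not install a key with command= alone and leave forwarding enabled. In the new Installation section, "In most cases, this does not make sense" gives no reason for installing outside /usr/local/bin, and the default location changes from /usr/local/lib/ssh-forcecommand to /usr/local/bin/ssh-forcecommand, which authorized_keys lines written from the old README would still reference; a sentence covering both would help. The Testing section is committed as "FIXME"; either fill it in or drop the heading until there is something to say.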