diff options
Diffstat (limited to 'bin/ssh-forcecommand')
| -rwxr-xr-x | bin/ssh-forcecommand | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/bin/ssh-forcecommand b/bin/ssh-forcecommand new file mode 100755 index 0000000..c1b37eb --- /dev/null +++ b/bin/ssh-forcecommand @@ -0,0 +1,91 @@ +#!/usr/bin/env perl +use strict; +use warnings; + +my $conffile = shift or die("Usage: $0 <configfile>\n"); +my %commands; +my $input = $ENV{'SSH_ORIGINAL_COMMAND'} or die("No command\n");; + +my $VERSION = '0.0'; + +open(my $conf, '<', $conffile) or die("Can't open $conffile: $!\n"); + +while (my $line = <$conf>) { + my ($key, $value) = ($line =~ m{ ^ ([^=]+?) \s* = \s* (.+) $ }x); + if ($key and $value) { + $commands{$key} = $value; + } +} +close($conf) or die("Cannot close $conffile: $!\n"); + +if (exists $commands{$input}) { + exec($commands{$input}); + exit 1; +} + +die("Unknown command\n"); + +__END__ + +=head1 NAME + +ssh-forcecommand - Whitelist remote commands via ssh config + +=head1 SYNOPSIS + +In .ssh/authorized_keys: + + command="/usr/local/lib/ssh-forcecommand /etc/forcecommand/backup",no-agent-forwarding,no-port- + forwarding,no-pty,no-X11-forwarding $key + +=head1 DESCRIPTION + +B<ssh-forcecommand> is a trivial script to safely execute remote commands via +ssh. It is especially aimed at automated remote commands (so, ssh keys not +secured via password), where a compromise of the remote system (-> private +key) could also compromise the local system. + +To prevent this, you can put the forcecommand into the ssh config +(authorized_keys, to be precise), so the remote system can only execute a set +of statically defined commands. This way, compromising the local system is +made much more difficult. + +=head1 CONFIGURATION + +For every public key you want to restrict to the forcecommand, add a line like +in SYNOPSIS to the F<.ssh/authorized_keys>. + +command="..." sets the forcecommand, the other options disable potentially +dangerous stuff like port forwardig (Though that is not meant to be an +exhaustive list). + +As you see, the forcecommand accepts exactly one argument, which is the config +defining the allowed commands. This way, you can restrict different ssh keys +to different sets of commands. A few example configs are provided with this +script, see the examples directory. + +=head1 USAGE + +Assume you have the following line in your forcecommand config: + + home = tar -C / -cf - home + +Now, on the remote system, run this: + + ssh user@yourhost home + +On your system, this will translate to: + + tar -C / -cf - home + +The forcecommand is 100% static, variables or appending of stuff is not +supported. No part of the original ssh command will be dynamically used in +the resulting command. This makes ssh-forcecommand quite secure. + +=head1 AUTHOR + +Copyright (C) 2011 by Daniel Friesel E<gt>derf@finalrewind.orgE<lt> + +=head1 LICENSE + + 0. You just DO WHAT THE FUCK YOU WANT TO. |