From f3d0995e9078c0b6a99793a90ce6671afc756ee1 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Wed, 18 May 2011 13:46:45 +0200 Subject: CPANization --- README | 57 +++++++++++++++++---------------------------------------- 1 file changed, 17 insertions(+), 40 deletions(-) (limited to 'README') diff --git a/README b/README index fb54622..2089c84 100644 --- a/README +++ b/README 
@@ -1,52 +1,29 @@ ssh-forcecommand - Whitelist remote commands via ssh config +----------------------------------------------------------- -ssh-forcecommand is a trivial script to safely execute remote commands via -ssh. It is especially aimed at automated remote commands (so, ssh keys not -secured via password), where a compromise of the remote system (-> private -key) could also compromise the local system. +* -To prevent this, you can put the forcecommand into the ssh config -(authorized_keys, to be precise), so the remote system can only execute a set -of statically defined commands. This way, compromising the local system is -made much more difficult. +Dependencies +------------ -SETUP ------ + * perl version 5.10 or newer -First, run "make install". You will now have the script in -/usr/local/lib/ssh-forcecommand. -Next, for every publickey you want to restrict to the forcecommand, add the -following line to ~/.ssh/authorized_keys: +Installation +------------ -command="/usr/local/lib/ssh-forcecommand /etc/forcecommand/foo.cfg",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-rsa yourfunkykey +$ perl Build.PL +$ perl Build +$ sudo perl Build install -command="..." sets the forcecommand, the other options disable potentially -dangerous stuff like port forwardig (Though that is not meant to be an -exhaustive list). +By default, ssh-forcecommand is installed as /usr/local/bin/ssh-forcecommand. +In most cases, this does not make sense. For example, if you are using the +forcecommand for nagios checks, you might want to do this instead: -As you see, the forcecommand accepts exactly one argument, which is the config -defining the allowed commands. This way, you can restrict different ssh keys -to different sets of commands. For example configs, see the examples -directory. 
+$ sudo perl Build install --install_path script=/usr/lib/nagios +Testing +------- -USAGE ------ - -Assume you have the following line in your forcecommand config: - -home = tar -C / -cf - home - -Now, on the remote system, run this: - -ssh user@yourhost home - -On your system, this will translate to: - -tar -C / -cf - home - -The forcecommand is 100% static, variables or appending of stuff is not -supported. No part of the original ssh command will be dynamically used in -the resulting command. This makes ssh-forcecommand quite secure. +FIXME -- cgit v1.2.3
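Review bot: the removed SETUP and USAGE sections were the only place in this file that showed the authorized_keys entry (`command="..."` together with `no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding`) and stated that no part of the original ssh command reaches the resulting command. The new text replaces them with a bare `*` under the title and `FIXME` under Testing. Someone installing from this README no longer sees that the key has to be restricted beyond the forced command. Either keep a short setup section here or state where that documentation now lives. Also, the default install location changes from /usr/local/lib/ssh-forcecommand to /usr/local/bin/ssh-forcecommand, so existing authorized_keys lines that reference the old path will stop matching after an upgrade. The Installation section should say so, and the Nagios `--install_path script=/usr/lib/nagios` example should note that the `command="..."` path must be updated to the chosen directory.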