Home / server / Questions / 407497
Accepted
andrew
Asked: 2012-07-14 04:53:49 +0800 CST

How do I configure SSHd to permit a single command, without giving full login access to the user?

  • 772

I am looking for best way to call remote command over SSH. I create user 'rpcall', generate new certificate and fill authorized_keys. Secure it little bit more with

from="ip",no-agent-forwarding,no-X11-forwarding,no-port-forwarding,no-pty ssh-rsa ......

now user rpcall can't login to terminal

ssh -l rpc 192.168.12.1
PTY allocation request failed on channel 0

but it is possible to run any command

ssh -l rpc 192.168.12.1 cat /etc/passwd

Is there any solution i can limit command execution only to one processing script? For example /home/rpcall/bin/command.sh

I setuped bash shell for this user and using .bashrc force run processing script, but i don't know how to pass parameters from ssh call.

.bashrc for user rpcall

/home/rpcall/bin/command.sh $params1 $params2
exit

ssh call from other machine

ssh -l rpcall 192.168.12.1 "param1" "param2"
ssh remote exec

1 Answers

  1. Best Answer

    You can restrict commands using the authorized_keys file. Put command="/home/rpcall/bin/command.sh" before the key, in the authorized_keys file, and the user will only ever run that command when they connect.

    Check the man page for authorized_keys, this is from that man page,

     command="command"
         Specifies that the command is executed whenever this key is used
         for authentication.  The command supplied by the user (if any) is
         ignored.  The command is run on a pty if the client requests a
         pty; otherwise it is run without a tty.  If an 8-bit clean chan-
         nel is required, one must not request a pty or should specify
         no-pty.  A quote may be included in the command by quoting it
         with a backslash.  This option might be useful to restrict cer-
         tain public keys to perform just a specific operation.  An exam-
         ple might be a key that permits remote backups but nothing else.
         Note that the client may specify TCP and/or X11 forwarding unless
         they are explicitly prohibited.  The command originally supplied
         by the client is available in the SSH_ORIGINAL_COMMAND environ-
         ment variable.  Note that this option applies to shell, command
         or subsystem execution.

    If you need more than one command, you need to basically set up several sets of keys and use different keys to give you different commands.

    Edit: I just noticed, the original command is available in the SSH_ORIGINAL_COMMAND environment variable, so you could indeed handle that input using your own script, doing something clever.

    • 19