Home / server / Questions / 998446
In Process
iBug
Asked: 2020-01-11 05:02:49 +0800 CST

SSH allow arbitrary login with specified command

  • 772

One of our Git servers recently went down and we have no way to get it back up soon, so we've redirected the DNS to a dummy (placeholder) host, which when accessed via HTTP / HTTPS, sends users to our notice board with 302. I want to configure this server so any user with or without an SSH key can log in to the git user, with commands limited to a preset one that writes a message (e.g. command="echo 'a message here'",restrict).

I haven't figured out how to allow arbitrary login. (Restricting commands is easy) Any ideas? (OpenSSH 7.9p1, Debian Buster)

ssh

1 Answers

  1. There is the option ForceCommand:

    ForceCommand
    Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.

    There seems to be no single option matching restrict, but there are individual options to disable the features mentioned:

    restrict
    Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc.

    It may be easier to create a file to use as the shell for the git user:

    #/bin/sh
echo 'a message here'
exit 1

    As every command to be executed is passed to the user`s shell this limits the commands available to the client. It is possible to interpret the intended command by the client, but not necessary for your requirements.

    • 0