InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

Menu
  • Home
  • Sitemap

Python Programming Language Best Tutorials and Code Examples

Learn Python Right Now!
Home
Bash
Restricting SSH Commands in bash
Bash

Restricting SSH Commands in bash

InfinityCoder April 3, 2017

You’d like to restrict what an incoming SSH user or script can do.*

Edit the ~/.ssh/authorized_keys file, use SSH forced commands, and optionally disable unnecessary SSH features.

For example, suppose you want to allow an rsync process without also allowing interactive use.
First, you need to figure out exactly what command is being run on the remote side.
Create a key and add a forced command to tell you.

Edit the ~/.ssh/authorized_keys file and add:

1
command="/bin/echo Command was: $SSH_ORIGINAL_COMMAND"

before the key. It will look something like this, all on one line:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
command="/bin/echo Command was: $SSH_ORIGINAL_COMMAND" ssh-dss
AAAAB3NzaC1kc3MAAAEBANpgvvTslst2m0ZJA0ayhh1Mqa3aWwU3kfv0m9+myFZ9veFsxM7IVxIjWfAlQh3jp
lY+Q78fMzCTiG+ZrGZYn8adZ9yg5/
wAC03KXm2vKt8LfTx6I+qkMR7v15NI7tZyhxGah5qHNehReFWLuk7JXCtRrzRvWMdsHc/
L2SA1Y4fJ9Y9FfVlBdE1Er+ZIuc5xIlO6D1HFjKjt3wjbAal+oJxwZJaupZ0Q7N47uwMslmc5ELQBRNDsaoqF
RKlerZASPQ5P+AH/+Cxa/fCGYwsogXSJJ0H5S7+QJJHFze35YZI/
+A1D3BIa4JBf1KvtoaFr5bMdhVAkChdAdMjo96xhbdEAAAAVAJSKzCEsrUo3KAvyUO8KVD6e0B/NAAAA/3u/
Ax2TIB/M9MmPqjeH67Mh5Y5NaVWuMqwebDIXuvKQQDMUU4EPjRGmS89Hl8UKAN0Cq/C1T+OGzn4zrbE06CO/
Sm3SRMP24HyIbElhlWV49sfLR05Qmh9fRl1s7ZdcUrxkDkr2J6on5cMVB9M2nIl90IhRVLd5RxP01u81yqvhv
E61ORdA6IMjzXcQ8ebuD2R733O37oGFD7e2O7DaabKKkHZIduL/zFbQkzMDK6uAMP8ylRJN0fUsqIhHhtc//
16OT2H6nMU09MccxZTFUfqF8xIOndElP6um4jXYk5Q30i/CtU3TZyvNeWVwyGwDi4wg2jeVe0YHU2Rh/
ZcZpwAAAQEAv2O86701U9sIuRijp8sO4h13eZrsE5rdn6aul/mkm+xAlO+WQeDXR/
ONm9BwVSrNEmIJB74tEJL3qQTMEFoCoN9Kp00Ya7Qt8n4gZ0vcZlI5u+cgyd1mKaggS2SnoorsRlb2Lh/
Hpe6mXus8pUTf5QT8apgXM3TgFsLDT+3rCt40IdGCZLaP+UDBuNUSKfFwCru6uGoXEwxaL08Nv1wZOc19qrc0
Yzp7i33m6i3a0Z9Pu+TPHqYC74QmBbWq8U9DAo+7yhRIhq/
fdJzk3vIKSLbCxg4PbMwx2Qfh4dLk+L7wOasKnl5//W+RWBUrOlaZ1ZP1/azsK0Ncygno/0F1ew== This is
my new key

Now execute your command and see what the result is.

1
2
$ ssh remote_host 'ls -l /etc'
Command was: ls -l /etc

Now, the problem with this approach is that it will break a program like rsync that depends on having the STDOUT/STDIN channel all to itself.

1
2
3
4
$ rsync -avzL -e ssh remote_host:/etc .
protocol version mismatch -- is your shell clean?
(see the rsync man page for an explanation)
rsync error: protocol incompatibility (code 2) at compat.c(64)

But we can work around that by modifying our forced command as follows:

1
command="/bin/echo Command was: $SSH_ORIGINAL_COMMAND >> ~/ssh_command"

So on the client side we try again:

1
2
3
$ rsync -avzL -e ssh 192.168.99.56:/etc .
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(420)

And on the remote host side we now have:

1
2
$ cat ../ssh_command
Command was: rsync --server --sender -vlLogDtprz . /etc

So we can update our forced command as necessary.
Two other things we can do are to set a from host restriction and disable SSH commands.

The host restriction specifies the hostname or IP address of the source host.

Disabling commands is also pretty intuitive:

1
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

So when we put it all together, it looks like this (still all on one giant line):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="local_
client",command="rsync --server --sender -vlLogDtprz . /etc" ssh-dss
AAAAB3NzaC1kc3MAAAEBANpgvvTslst2m0ZJA0ayhh1Mqa3aWwU3kfv0m9+myFZ9veFsxM7IVxIjWfAlQh3jp
lY+Q78fMzCTiG+ZrGZYn8adZ9yg5/
wAC03KXm2vKt8LfTx6I+qkMR7v15NI7tZyhxGah5qHNehReFWLuk7JXCtRrzRvWMdsHc/
L2SA1Y4fJ9Y9FfVlBdE1Er+ZIuc5xIlO6D1HFjKjt3wjbAal+oJxwZJaupZ0Q7N47uwMslmc5ELQBRNDsaoqF
RKlerZASPQ5P+AH/+Cxa/fCGYwsogXSJJ0H5S7+QJJHFze35YZI/
+A1D3BIa4JBf1KvtoaFr5bMdhVAkChdAdMjo96xhbdEAAAAVAJSKzCEsrUo3KAvyUO8KVD6e0B/NAAAA/3u/
Ax2TIB/M9MmPqjeH67Mh5Y5NaVWuMqwebDIXuvKQQDMUU4EPjRGmS89Hl8UKAN0Cq/C1T+OGzn4zrbE06CO/
Sm3SRMP24HyIbElhlWV49sfLR05Qmh9fRl1s7ZdcUrxkDkr2J6on5cMVB9M2nIl90IhRVLd5RxP01u81yqvhv
E61ORdA6IMjzXcQ8ebuD2R733O37oGFD7e2O7DaabKKkHZIduL/zFbQkzMDK6uAMP8ylRJN0fUsqIhHhtc//
16OT2H6nMU09MccxZTFUfqF8xIOndElP6um4jXYk5Q30i/CtU3TZyvNeWVwyGwDi4wg2jeVe0YHU2Rh/
ZcZpwAAAQEAv2O86701U9sIuRijp8sO4h13eZrsE5rdn6aul/mkm+xAlO+WQeDXR/
ONm9BwVSrNEmIJB74tEJL3qQTMEFoCoN9Kp00Ya7Qt8n4gZ0vcZlI5u+cgyd1mKaggS2SnoorsRlb2Lh/
Hpe6mXus8pUTf5QT8apgXM3TgFsLDT+3rCt40IdGCZLaP+UDBuNUSKfFwCru6uGoXEwxaL08Nv1wZOc19qrc0
Yzp7i33m6i3a0Z9Pu+TPHqYC74QmBbWq8U9DAo+7yhRIhq/
fdJzk3vIKSLbCxg4PbMwx2Qfh4dLk+L7wOasKnl5//W+RWBUrOlaZ1ZP1/azsK0Ncygno/0F1ew== This is
my new key

If you have any problems with ssh, the -v option is very helpful. ssh -v or ssh -v -v
will almost always give you at least a clue about what’s going wrong.

Give them a try when things are working to get an idea of what their output looks like.
If you’d like to be a little more open about what the key can and can’t do, look into
the OpenSSH Restricted Shell rssh (http://www.pizzashack.org/rssh/), which supports scp, sftp, rdist, rsync, and cvs.
You’d think restrictions like these would be very easy, but it turns out they are not.
The problem has to do with the way SSH (and the r-commands before it) actually
work.

It’s a brilliant idea and it works very well, except that it’s hard to limit.

To vastly oversimplify it, you can think of SSH as connecting your local STDOUT to
STDIN on the remote side and the remote STDOUT to your local STDIN.

So all things like scp or rsync do is stream bytes from the local machine to the remote machine as if over a pipe.

But that very flexibility precludes SSH from being able to restrict interactive access while allowing scp.

There’s no difference. And that’s why you can’t put lots of echo and debugging statements in your bash configuration files  that output will intermingle with the byte stream and cause havoc.
So how does rssh work? It provides a wrapper that you use instead of a default login
shell (like bash) in /etc/passwd.

That wrapper determines what it will and will not allow, but with much more flexibility than a plain old SSH-restricted command.

 

Share
Tweet
Email
Prev Article
Next Article

Related Articles

Getting Yes or No Input in bash
You need to get a simple yes or no input …

Getting Yes or No Input in bash

Shortening or Changing Command Names
You’d like to shorten a long or complex command you …

Shortening or Changing Command Names

About The Author

InfinityCoder
InfinityCoder

Leave a Reply

Cancel reply

Recent Tutorials InfinityQuest

  • Adding New Features to bash Using Loadable Built-ins in bash
    Adding New Features to bash Using Loadable …
    June 27, 2017 0
  • Getting to the Bottom of Things in bash
    Getting to the Bottom of Things in …
    June 27, 2017 0

Recent Comments

  • fer on Turning a Dictionary into XML in Python
  • mahesh on Turning a Dictionary into XML in Python

Categories

  • Bash
  • PHP
  • Python
  • Uncategorized

InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more

About Us

Start learning your desired programming language with InfinityQuest.com.

On our website you can access any tutorial that you want with video and code examples.

We are very happy and honored that InfinityQuest.com has been listed as a recommended learning website for students.

Popular Tags

binary data python CIDR convert string into datetime python create xml from dict python dictionary into xml python how to create xml with dict in Python how to write binary data in Python IP Address read binary data python tutorial string as date object python string to datetime python

Archives

  • June 2017
  • April 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
Copyright © 2021 InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more
Programming Tutorials | Sitemap