[SOLVED] buster sshd limit user to 1 command

Kernels & Hardware, configuring network, installing services

[SOLVED] buster sshd limit user to 1 command

Postby sombunall » 2018-08-01 22:09

OS: buster (testing)

$ uname -r

# aptitude show openssh-server
Package: openssh-server
Version: 1:7.7p1-3

I am having trouble getting 1 and only 1 command to be authorized via ssh. I was supposed to put $SHELL after ./suspend but I forgot. That doesn't matter because it should have rejected the script "test" anyway. I changed ./suspend to ./test, copied the actual file suspend to test (a script that contains the command 'beep'). Then I logged in and executed test. It worked. It's not supposed to work.

What am I doing wrong?

I've made my own guide from the links below:

Must be passwordless for that user. This means you have to copy the keys manually to the other machine. If it's a phone app usually the app allows you to browse for the private key. Both private and public keys should be copied and imported into the app. After delete the destination files you copied manually so they arn't lying around in a globally accessible folder.

1. setup the linux user.

2. run ssh-keygen to make the keys (they should be id_rsa* - 2 files)

3.In the sshd_config file add this at the end to stop password access for said user:
Match User user1
PasswordAuthentication no

4. copy "id_rsa.pub" to "authorized_keys" manually (I know of no tool that does this)

5. prepend the options to the file so it kind of looks like this template:
command="./nuke",no-port-forwarding,no-x11-forwarding,no-agent-forwarding KEY_TYPE KEY COMMENT

6. monkey around with copying the key files to your phone (FTP server / filezilla) and importing it in the application (SSH button on android in this case).

https://research.kudelskisecurity.com/2 ... e-command/
https://serverfault.com/questions/28580 ... some-users
https://www.ibm.com/support/knowledgece ... thkeyf.htm


Code: Select all
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem   sftp    /usr/lib/openssh/sftp-server

# my stuff
Match User peter
    PasswordAuthentication no

my line in authorized_keys (snipped). ./suspend is supposed to have $SHELL after it.
Code: Select all
command="./suspend",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAA[SNIP] peter@enlil
Last edited by sombunall on 2018-08-01 22:29, edited 2 times in total.
Posts: 73
Joined: 2009-05-20 20:36

Re: buster sshd limit user to 1 command

Postby sombunall » 2018-08-01 22:20

I also tried putting authorized_keys to permission 600 like debian.org says but it changes nothing. It works with 644 also with seemingly no difference at all. Hmm.
Posts: 73
Joined: 2009-05-20 20:36

Re: buster sshd limit user to 1 command

Postby sombunall » 2018-08-01 22:29

Found the problem. It turns out it doesn't matter what command you put in the phone app / ssh command line! You can leave it blank. It just executes that one command regardless. DOH!

ALSO if you want multiple commands there is this (https://serverfault.com/questions/74947 ... e-commands):
You can have only one command per key, because the command is “forced”.

But you can use a wrapper script. The called command gets the original command line as environment variable $SSH_ORIGINAL_COMMAND, which it can evaluate.

E.g. put this in ~/.ssh/allowed-commands.sh:

Code: Select all
# You can have only one forced command in ~/.ssh/authorized_keys. Use this
# wrapper to allow several commands.

    "systemctl restart cups")
        systemctl restart cups
    "shutdown -r now")
        shutdown -r now
        echo "Access denied"
        exit 1

Then reference it in ~/.ssh/authorized_keys with

Posts: 73
Joined: 2009-05-20 20:36

Return to System configuration

Who is online

Users browsing this forum: No registered users and 11 guests