$ uname -r
4.17.0-1-amd64
# aptitude show openssh-server
Package: openssh-server
Version: 1:7.7p1-3
[SNIP]
I am having trouble getting 1 and only 1 command to be authorized via ssh. I was supposed to put $SHELL after ./suspend but I forgot. That doesn't matter because it should have rejected the script "test" anyway. I changed ./suspend to ./test, copied the actual file suspend to test (a script that contains the command 'beep'). Then I logged in and executed test. It worked. It's not supposed to work.
What am I doing wrong?
I've made my own guide from the links below:
links: Must be passwordless for that user. This means you have to copy the keys manually to the other machine. If it's a phone app, usually the app allows you to browse for the private key. Both private and public keys should be copied and imported into the app. Afterwards, delete the destination files you copied manually so they aren't lying around in a globally accessible folder.
1. Set up the Linux user.
2. Run ssh-keygen to make the keys (they should be id_rsa* - 2 files).
3. In the sshd_config file, add this at the end to stop password access for said user:
Match User user1
PasswordAuthentication no
4. copy "id_rsa.pub" to "authorized_keys" manually (I know of no tool that does this)
5. prepend the options to the file so it kind of looks like this template:
command="./nuke",no-port-forwarding,no-x11-forwarding,no-agent-forwarding KEY_TYPE KEY COMMENT
6. monkey around with copying the key files to your phone (FTP server / filezilla) and importing it in the application (SSH button on android in this case).
https://research.kudelskisecurity.com/2 ... e-command/
https://serverfault.com/questions/28580 ... some-users
https://www.ibm.com/support/knowledgece ... thkeyf.htm
sshd_config:
Code:
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# my stuff
Match User peter
PasswordAuthentication no
Code:
command="./suspend",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAA[SNIP] peter@enlil
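A check for the authorized_keys option field used in the post, as an added example that is not part of the original post: it parses one entry's options (including quoted values) and reports which restrictions are absent. The function names and the absolute path in the hardened entry are assumptions; `restrict` is the OpenSSH option that disables port, agent and X11 forwarding, PTY allocation and ~/.ssh/rc in one word.

```python
import re
# Key-type prefixes; a line that starts with one of these has no options field.
KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")
# Restrictions that the single option "restrict" turns on together.
WANTED = ("no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding",
          "no-pty", "no-user-rc")

def split_options(line):
    """Split one entry into (options dict, remainder); quoted values may hold ',' and ' '."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return {}, line
    opts, buf, quoted, i = {}, "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':    # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in ", \t":         # end of one option
            name, _, value = buf.partition("=")
            opts[name.lower()] = value            # option names are case-insensitive
            buf = ""
            if ch != ",":                         # an unquoted blank ends the options field
                break
        else:
            buf += ch
        i += 1
    return opts, line[i:].strip()

def audit(line):
    """Return findings for one authorized_keys entry; an empty list means nothing flagged."""
    opts, _ = split_options(line)
    findings = []
    cmd = opts.get("command")
    if cmd is None:
        findings.append("no forced command")
    elif not cmd.startswith("/"):
        # A relative path depends on the directory the session starts in.
        findings.append("relative command path " + cmd)
    missing = [] if "restrict" in opts else [o for o in WANTED if o not in opts]
    if missing:
        findings.append("not disabled: " + ", ".join(missing))
    return findings

# Entry from the post, then a constructed hardened form (the absolute path is an assumption).
POSTED = 'command="./suspend",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAA[SNIP] peter@enlil'
HARDENED = 'restrict,command="/home/peter/suspend" ssh-rsa AAAA[SNIP] peter@enlil'
```

Calling `audit(POSTED)` flags the relative path and the missing `no-pty` and `no-user-rc`; `audit(HARDENED)` returns an empty list.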