[SOLVED] buster sshd limit user to 1 command

sombunall
Posts: 73
Joined: 2009-05-20 20:36

[SOLVED] buster sshd limit user to 1 command

#1 Post by sombunall »

OS: buster (testing)

$ uname -r
4.17.0-1-amd64

# aptitude show openssh-server
Package: openssh-server
Version: 1:7.7p1-3
[SNIP]


I am having trouble getting 1 and only 1 command to be authorized via ssh. I was supposed to put $SHELL after ./suspend but I forgot. That doesn't matter because it should have rejected the script "test" anyway. I changed ./suspend to ./test, copied the actual file suspend to test (a script that contains the command 'beep'). Then I logged in and executed test. It worked. It's not supposed to work.

What am I doing wrong?

I've made my own guide from the links below:
Must be passwordless for that user. This means you have to copy the keys manually to the other machine. If it's a phone app usually the app allows you to browse for the private key. Both private and public keys should be copied and imported into the app. After that, delete the destination files you copied manually so they aren't lying around in a globally accessible folder.

1. setup the linux user.

2. run ssh-keygen to make the keys (they should be id_rsa* - 2 files)

3. In the sshd_config file add this at the end to stop password access for said user:
Match User user1
PasswordAuthentication no

4. copy "id_rsa.pub" to "authorized_keys" manually (I know of no tool that does this)

5. prepend the options to the file so it kind of looks like this template:
command="./nuke",no-port-forwarding,no-x11-forwarding,no-agent-forwarding KEY_TYPE KEY COMMENT

6. monkey around with copying the key files to your phone (FTP server / filezilla) and importing it in the application (SSH button on android in this case).
links:
https://research.kudelskisecurity.com/2 ... e-command/
https://serverfault.com/questions/28580 ... some-users
https://www.ibm.com/support/knowledgece ... thkeyf.htm


sshd_config:

Code:

ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem   sftp    /usr/lib/openssh/sftp-server

# my stuff
Match User peter
    PasswordAuthentication no

my line in authorized_keys (snipped). ./suspend is supposed to have $SHELL after it.

Code:

command="./suspend",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAA[SNIP] peter@enlil
Last edited by sombunall on 2018-08-01 22:29, edited 2 times in total.

sombunall
Posts: 73
Joined: 2009-05-20 20:36

Re: buster sshd limit user to 1 command

#2 Post by sombunall »

I also tried putting authorized_keys to permission 600 like debian.org says but it changes nothing. It works with 644 also with seemingly no difference at all. Hmm.

sombunall
Posts: 73
Joined: 2009-05-20 20:36

Re: buster sshd limit user to 1 command

#3 Post by sombunall »

Found the problem. It turns out it doesn't matter what command you put in the phone app / ssh command line! You can leave it blank. It just executes that one command regardless. DOH!

PS:
ALSO if you want multiple commands there is this (https://serverfault.com/questions/74947 ... e-commands):
You can have only one command per key, because the command is “forced”.

But you can use a wrapper script. The called command gets the original command line as environment variable $SSH_ORIGINAL_COMMAND, which it can evaluate.

E.g. put this in ~/.ssh/allowed-commands.sh:

Code:

#!/bin/sh
#
# You can have only one forced command in ~/.ssh/authorized_keys. Use this
# wrapper to allow several commands.

case "$SSH_ORIGINAL_COMMAND" in
    "systemctl restart cups")
        systemctl restart cups
        ;;
    "shutdown -r now")
        shutdown -r now
        ;;
    *)
        echo "Access denied"
        exit 1
        ;;
esac
Then reference it in ~/.ssh/authorized_keys with

command="/home/user/.ssh/allowed-commands.sh",…
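
As an added example (not code from the post or from the linked serverfault answer), the wrapper pattern above extended into a dispatcher that covers the point found in post #3: once a key carries command="...", sshd runs that script no matter what the client asked for, and the client's request is only visible as $SSH_ORIGINAL_COMMAND, so an empty request (an interactive shell login) is refused and every attempt is logged. The two allowlisted commands and the path /home/user/.ssh/allowed-commands.sh are assumptions.

```shell
#!/bin/sh
# Added example: dispatcher for a forced command in authorized_keys, e.g.
#   command="/home/user/.ssh/allowed-commands.sh",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAA... peter@enlil
# sshd ignores whatever the client asked to run and executes this script instead;
# the request is only visible as $SSH_ORIGINAL_COMMAND (unset when the client
# asked for an interactive shell). The allowlist entries are assumptions.

# Classify the requested command by exact string match. Prints a verdict and
# never evaluates the string, so "systemctl restart cups; id" matches nothing.
check_command() {
    case "$1" in
        "systemctl restart cups") echo allow ;;
        "shutdown -r now")        echo allow ;;
        "")                       echo deny-empty ;;   # shell login / no command
        *)                        echo deny ;;
    esac
}

# Run an allowed request from a fixed table (the requested string is never exec'd).
run_allowed() {
    case "$1" in
        "systemctl restart cups") systemctl restart cups ;;
        "shutdown -r now")        shutdown -r now ;;
    esac
}

# Record every attempt. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; fall back to stderr if logger is missing.
log_attempt() {
    msg="$1 from ${SSH_CONNECTION%% *}: [$2]"
    logger -t allowed-commands -- "$msg" 2>/dev/null || printf '%s\n' "$msg" >&2
}

main() {
    req=${SSH_ORIGINAL_COMMAND-}
    verdict=$(check_command "$req")
    log_attempt "$verdict" "$req"
    case "$verdict" in
        allow) run_allowed "$req" ;;
        *)     echo "Access denied" >&2; exit 1 ;;
    esac
}

# Dispatch only when sshd runs the script under its real name; the same file can
# be sourced under another name to exercise check_command without touching the system.
case "${0##*/}" in
    allowed-commands.sh) main ;;
esac
```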
