Forcible Command Execution With ssh
One of the nice things that you can do with ssh is get it to forcibly execute specific commands for a user and ignore anything else that the user has passed on the command line. This is a fully documented feature of the authorized_keys file. But let's be realistic, how many folks actually read the full man pages.
Getting this feature to work isn't hard, so here's how you do it.
Firstly all the users that are to be restricted must generate their own public/private key pair, here's an example for generating dsa keys.
tim@server:~$ ssh-keygen -t rsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/tim/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tim/.ssh/id_rsa
Your public key has been saved in /home/tim/.ssh/id_rsa.pub
The key fingerprint is:
a3:de:97:59:2c:48:e4:1a:28:fb:91:0e:a1:4d:aa:fb tim@server
tim@server:~$
The contents of .ssh looks like the following:
tim@server:~$ ls -l .ssh
total 8
-rw------- 1 tim tim 744 2009-05-17 18:55 id_rsa
-rw-r--r-- 1 tim tim 600 2009-05-17 18:55 id_rsa.pub
tim@server:~$
The contents of the public key file .ssh/id_rsa.pub must now be copied to the server where we want the command to be executed. As part of this process we must also configure the server's authorized_keys file to the specific command to be executed. In this example we force user tim coming from a client to always execute who to see who is logged onto a remote machine.
On the server we have configured root's .ssh/authorized_keys file for the above example:
root@tims-acer:~/.ssh# cat authorized_keys
command="who" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtQf1IH7SchRSlrvvyAGG9okaMy3nVitoL8yS5
0qOAATk/sgFlScaxdXrOiw3t6/rDLBYP56gtVMFIZa/
AABnLqNuqyg/3TCyU62YoPDgQVdnBgrBaIrYlBv4dvUUo45
LRzd4WCPgkVYZqjqIZAPnVV8doMcBPMP4eWpEjAA07gzYVVvIFDe6jGcCRI
jM9zz5BoScV01e/n7b+GfztJK56s/hwbHl93s2Beh5xy0lcAEq0ykjhtCTG
uUTHRKp7P153JaxTt9M010b8qFZv6HjxT+OtZmRzQ8INWIqj
V6wnnzuMdu5RaDFo3764UAuN9q894tTuyzbW3m1KJ5XIT+AFQ== tim@server
It is important to note that the public key information is one single line in the authorized_keys file. It has been split over multiple lines in this example for readability.
The key thing to note for the public key is the command="who" segment at the start. This informs sshd that it must execute the who command for the user who this public key belongs to - in this example tim@server.
Here's what happens when we connect from a client machine:
tim@server:~/.ssh$ ssh root@192.168.2.1
tim tty7 2009-05-17 09:17 (:0)
tim pts/0 2009-05-17 19:03 (server.local)
tim pts/1 2009-05-17 19:05 (192.168.2.1)
root pts/2 2009-05-17 19:15 (server)
Connection to 192.168.2.1 closed.
Now this is what happens when we attempt to execute a command using ssh:
tim@server:~/.ssh$ ssh root@192.168.2.1 ls -l /tmp
tim tty7 2009-05-17 09:17 (:0)
tim pts/0 2009-05-17 19:03 (server.local)
tim pts/1 2009-05-17 19:05 (192.168.2.1)
tim@server:~/.ssh$
sshd ignores, as expected, any command that the user might specify and only executes the who command.