SSH authorized_keys command option: multiple commands?

ssh command

The authorized_keys has a command="..." option that restricts a key to a single command. Is there a way to restrict a key to multiple commands? E.g. by having a regex there, or by editing some other configuration file?


Solution 1:

No. It is not "allowed" command, but "forced" command (as ForceCommand option).

The only possibility is to use different keys for different commands or read parameters from stdin.

Solution 2:

You can have only one command per key, because the command is “forced”.

But you can use a wrapper script. The called command gets the original command line as environment variable $SSH_ORIGINAL_COMMAND, which it can evaluate.

E.g. put this in ~/.ssh/allowed-commands.sh:

#!/bin/sh
#
# You can have only one forced command in ~/.ssh/authorized_keys. Use this
# wrapper to allow several commands.

case "$SSH_ORIGINAL_COMMAND" in
    "systemctl restart cups")
        systemctl restart cups
        ;;
    "shutdown -r now")
        shutdown -r now
        ;;
    *)
        echo "Access denied"
        exit 1
        ;;
esac

Then reference it in ~/.ssh/authorized_keys with

command="/home/user/.ssh/allowed-commands.sh",…

Solution 3:

In the great SSH, The Secure Shell: The Definitive Guide book by O'Reilly, in chapter eight, there is a nice example given using a script like the following:

#!/bin/sh

/bin/echo "Welcome!
Your choices are:
1       See today's date
2       See who's logged in
3       See current processes
q       Quit"

/bin/echo "Your choice:"

read ans

while [ "$ans" != "q" ]
do
   case "$ans" in
      1)
         /bin/date
         ;;
      2)
         /usr/bin/who
         ;;
      3)
         /usr/bin/top
         ;;
      q)
         /bin/echo "Goodbye"
         exit 0
         ;;
      *)
         /bin/echo "Invalid choice '$ans': please try again"
         ;;
   esac
   /bin/echo "Your choice:"
   read ans
done
exit 0

Using this in your .authorized_keys file like:

command="/path/to/your/script.sh" <ssh-key>

...gives you this when doing ssh:

Welcome!
Your choices are:
1       See today's date
2       See who's logged in
3       See current processes
q       Quit
Your choice:

Solution 4:

Other approaches use e.g. a restricted shell for the given user or use a wrapper which restrains commands to al files/scripts found in a specific directory, thus allowing to augment the list of commands without changing the wrapper.

Another article describes a generic script, which also permits command line arguments to the allowed commands, but allows to lock them down with rules expressed as regular expressions.

This example would be expressed the following way:

command="only systemctl shutdown"

And an .onlyrules files would be crafted with this content:

\:^systemctl restart cups$:{p;q}
\:^shutdown -r now$:{p;q}

The advantage of this 'only' approach is that there is no need to write individual scripts for each user and situation.

Related

I just did a chmod -x chmod
RSA certificate configured for SERVER does NOT include an ID which matches the server name
Windows serial console
The strange case of Mr. Time To First Byte
choosing the right SSL certificate
How practical is it to authenticate a Linux server against AD?
number of nginx worker processes
What are the IUSR and IWAM accounts for in IIS?
Trying to get SSH with public key (no password) + google authenticator working on Ubuntu 14.04.1
How to display interface in tcpdump output flow?
Alternative Remote Desktop Software
What kinds of security vulnerabilities does providing DNSSEC expose?