SSH authorized_keys command option: multiple commands?
The authorized_keys file has a command="..." option that restricts a key to a single command. Is there a way to restrict a key to multiple commands? E.g. by having a regex there, or by editing some other configuration file?
Solution 1:
No. It is not an "allowed" command but a "forced" command (like the ForceCommand option).
The only possibility is to use different keys for different commands or read parameters from stdin.
Solution 2:
You can have only one command per key, because the command is "forced".
But you can use a wrapper script. The called command gets the original command line in the environment variable $SSH_ORIGINAL_COMMAND, which it can evaluate.
E.g. put this in ~/.ssh/allowed-commands.sh:
#!/bin/sh
#
# You can have only one forced command in ~/.ssh/authorized_keys. Use this
# wrapper to allow several commands: sshd puts the command line the client
# asked for into $SSH_ORIGINAL_COMMAND, and only exact matches are run.
case "$SSH_ORIGINAL_COMMAND" in
    "systemctl restart cups")
        systemctl restart cups
        ;;
    "shutdown -r now")
        shutdown -r now
        ;;
    *)
        echo "Access denied" >&2
        exit 1
        ;;
esac
Then reference it in ~/.ssh/authorized_keys with
command="/home/user/.ssh/allowed-commands.sh",…
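A hardened variant of the wrapper above, added here as an example and not code from the original answer: it accepts a small set of commands with arguments, validates every word before anything is executed (the raw $SSH_ORIGINAL_COMMAND is never passed to a shell), rebuilds the command from the validated words, logs denials, and is meant to be referenced with the restrict option so the key also gets no pty, forwarding or agent. The unit allow list (cups, nginx), the extra uptime command, the logger tag and the authorized_keys line in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): a forced-command dispatcher
# that validates arguments. Install as ~/.ssh/allowed-commands.sh and reference
# it from authorized_keys as (key and comment assumed):
#   restrict,command="/home/user/.ssh/allowed-commands.sh" ssh-ed25519 AAAA... comment
# "restrict" (OpenSSH 7.2+) additionally disables pty, forwarding and agent.

# check_command RAW_COMMAND
# Prints the canonical command to run and returns 0, or prints nothing and
# returns 1. The raw string is split into words with globbing disabled, each
# word is checked against a safe character set, and the command is rebuilt
# from the validated words only.
check_command() {
    set -f                 # no pathname expansion while splitting
    set -- $1              # split on IFS (space, tab, newline)
    set +f
    for word; do           # reject anything outside a plain unit-name charset
        case $word in
            *[!A-Za-z0-9@._-]*) return 1 ;;
        esac
    done
    case $1 in
        systemctl)
            [ "$#" -eq 3 ] && [ "$2" = restart ] || return 1
            case $3 in     # assumed allow list of units this key may restart
                cups|cups.service|nginx|nginx.service)
                    printf 'systemctl restart %s\n' "$3"; return 0 ;;
            esac ;;
        shutdown)
            [ "$#" -eq 3 ] && [ "$2" = -r ] && [ "$3" = now ] || return 1
            printf 'shutdown -r now\n'; return 0 ;;
        uptime)
            [ "$#" -eq 1 ] || return 1
            printf 'uptime\n'; return 0 ;;
    esac
    return 1
}

main() {
    raw=${SSH_ORIGINAL_COMMAND-}          # empty when the client asked for a shell
    if cmd=$(check_command "$raw"); then
        set -f; set -- $cmd; set +f       # words were validated, safe to re-split
        exec "$@"
    fi
    # Denied: record who tried what (sshd sets SSH_CLIENT to "ip port port").
    logger -t allowed-commands -p auth.warning \
        "denied command '$raw' from ${SSH_CLIENT%% *}"
    echo "Access denied" >&2
    exit 1
}

# Only dispatch when sshd actually invoked us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    main
fi
```

Because the exec'd argv is built from the validated words rather than from the original string, a request such as `systemctl restart cups; rm -rf /` or `systemctl restart *` is rejected before anything runs, and an empty command (an interactive login attempt) is denied and logged rather than falling through to a shell.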
Solution 3:
In the great SSH, The Secure Shell: The Definitive Guide book by O'Reilly, in chapter eight, there is a nice example given using a script like the following:
#!/bin/sh
# Menu offered to the key's owner instead of a shell; because the script is
# the forced command, this loop is all the user can reach.
/bin/echo "Welcome!
Your choices are:
1 See today's date
2 See who's logged in
3 See current processes
q Quit"
/bin/echo "Your choice:"
# Exit on EOF (e.g. the client closes the connection); otherwise the loop
# would spin forever on an empty answer.
read -r ans || exit 0
while [ "$ans" != "q" ]
do
    case "$ans" in
        1)
            /bin/date
            ;;
        2)
            /usr/bin/who
            ;;
        3)
            /usr/bin/top
            ;;
        q)
            /bin/echo "Goodbye"
            exit 0
            ;;
        *)
            /bin/echo "Invalid choice '$ans': please try again"
            ;;
    esac
    /bin/echo "Your choice:"
    read -r ans || exit 0
done
exit 0
Using this in your authorized_keys file like:
command="/path/to/your/script.sh" <ssh-key>
...gives you this when doing ssh:
Welcome!
Your choices are:
1 See today's date
2 See who's logged in
3 See current processes
q Quit
Your choice:
Solution 4:
Other approaches use e.g. a restricted shell for the given user, or a wrapper which restricts commands to the files/scripts found in a specific directory, thus allowing the list of commands to be augmented without changing the wrapper.
Another article describes a generic script, which also permits command line arguments to the allowed commands, but allows them to be locked down with rules expressed as regular expressions.
This example would be expressed the following way:
command="only systemctl shutdown"
and an .onlyrules file would be crafted with this content:
\:^systemctl restart cups$:{p;q}
\:^shutdown -r now$:{p;q}
The advantage of this 'only' approach is that there is no need to write individual scripts for each user and situation.