Restrict a set of remote commands to execute with ssh+bash+sudo

Publicado: abril 15, 2010 en linux/unix, script, trick
Etiquetas:, , , , , , , , , ,

Sometimes we need to allow some users to remotelly execute commands in a server via ssh, but we want to restrict the commands to execute. There are some solutions around, like restricted shell or wrappers, but we can implement a simply solution using bash and sudo.

The idea is to use the restricted shell functionality in bash. We will simply:

  • Create a new user for this prupose
  • Asign it a script that will restrict the $PATH variable
  • Link there the needed commands (or create scripts that call sudo)
  • Set asymetric keys in ssh.

Here you have all commands for Linux or AIX, but it will work anyway (except the creation of the user).

# You have to set this variables before execute any command
# ---------------------------------------------------
# If we will use sudo for commands or only links
USE_SUDO=yes
# User restricted and commands to link or sudo
RESTRICTED_USER=jailuser
RESTRICTED_COMMANDS="
/somepath/somecommand1
/somepath/somecommand1
/somepath/somecommand1
"
# Remote host where execute commands
REMOTE_HOST=ahost
# final user to execute commands (sudo)
DEST_USER=arealuser
# ---------------------------------------------------



case `uname` in
AIX)
# Add shell script as new user
chsec -f /etc/security/login.cfg -s usw -a shells=$(lssec -f /etc/security/login.cfg -s usw -a shells | cut -f 2 -d =),/home/$RESTRICTED_USER/bin/rbash
mkdir /home/$RESTRICTED_USER/bin

# Create user
mkuser groups=sshcon maxexpired=-1 loginretries=-1 $RESTRICTED_USER

# Do not need to change password
pwdadm -c $RESTRICTED_USER
;;
# At this moment only debian
Linux)
adduser –shell /home/$RESTRICTED_USER/bin/rbash –disabled-password –no-create-home $RESTRICTED_USER
;;
esac

# Create shell script for restricted mode
cat >/home/$RESTRICTED_USER/bin/rbash <<EOF
#!/usr/bin/bash -e
export PATH=/home/$RESTRICTED_USER/bin
f=\$1
if [ “\$1” != “” ]; then
shift
exec /bin/bash \$f “\$*”
else
exec /bin/bash \$*
fi
EOF
chmod +x /home/$RESTRICTED_USER/bin/rbash

# Configure the commands
if [ “$USE_SUDO” == “yes” ]
# Sudoers
for i in $RESTRICTED_COMMANDS; do
[ “$sudocmd” ] || sudocmd=“NOPASSWD:$i” && sudocmd=“$sudocmd,NOPASSWD:$i”
done
sudocmd=“$RESTRICTED_USER ALL=($DEST_USER) $sudocmd”
echo “Add this line to /etc/sudoers: ‘$sudocmd'”

for i in $RESTRICTED_COMMANDS; do
cmdfile=$(basename $i)
cat > /home/$RESTRICTED_USER/bin/$cmdfile <<EOF
#!/bin/sh
exec sudo -u $DEST_USER $i \$@
EOF
chmod +x /home/$RESTRICTED_USER/bin/$cmdfile
done

else
# Link commands
ln -sf $RESTRICTED_COMMANDS /home/$RESTRICTED_USER/bin/
fi

Optionally, in origin server, we create a key and the adapters commands. We can create a common script and link to it the other commands.

# Create key
ssh-keygen -i rsa_id

# Define commands
cat > .$RESTRICTED_USER.$REMOTE_HOST.cmd <<EOF
#!/bin/sh
ssh -T -o IdentitiesOnly yes -o StrictHostKeyChecking=no -i id_rsa \
    $RESTRICTED_USER@$REMOTE_HOST \$(basename \$0) \$@
EOF
for i in $RESTRICTED_COMMANDS; do
    cmdfile=$(basename $i)
    ln -s .$RESTRICTED_USER.$REMOTE_HOST.cmd $cmdfile
done

Finally we add the public key in destination server

mkdir /home/$RESTRICTED_USER/.ssh
cat > /home/$RESTRICTED_USER/.ssh/authorized_keys <<EOF
<here goes your public key id_rsa.pub>
EOF
chown -R $RESTRICTED_USER /home/$RESTRICTED_USER/.ssh

Easy, isn’t it?

Responder

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s