SSH –即使没有Shell也可以在登录时强制执行命令 [英] SSH – Force Command execution on login even without Shell

问题描述

我正在创建一个没有外壳的受限用户，仅用于端口转发，并且即使用户通过ssh -N user@host连接，并且不要求SSH服务器提供外壳，我也需要通过pubkey在登录时执行脚本.

该脚本应在通过pubkey验证的连接上警告管理员，因此连接的用户不应跳过该脚本的执行(例如，通过与ssh -N连接).

我尝试无济于事:

• 在/etc/ssh/sshrc上设置命令.
• 在.ssh/authorized_keys中使用command ="COMMAND"(人工授权密钥)
• 使用命令作为用户的shell来设置脚本. (chsh -s /sbin/myscript.sh USERNAME)
• 匹配/etc/ssh/sshd_config中的用户，例如: Match User MYUSERNAME ForceCommand "/sbin/myscript.sh"

所有操作都在用户要求外壳程序时起作用，但是如果仅记录端口转发而没有外壳程序(ssh -N)，则该命令不起作用.

解决方案

我是OP的作者；我得出的结论是，仅使用SSH(OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015)不可能实现我需要实现的目标，但是我发现了一款​​很棒的软件，它使用加密的SPAuthentication打开SSH端口，并且它是新版本(到目前为止)在这篇文章中，它是GitHub master分支)具有一项功能，可以始终执行用户成功授权的命令.

FWKNOP-加密的单个数据包授权

FWKNOP设置iptables规则，该规则允许在通过UDP发送的单个加密数据包上访问给定端口.然后，在授权后，它允许给定时间(例如30秒)内的授权用户访问，此后关闭端口，从而保持连接打开.

1.要在Ubuntu Linux上安装:

到目前为止，Ubuntu存储库上的当前版本(2.6.0-2.1build1)仍然不允许在成功的SPA上执行命令. (请改用GitHub上的2.6.8)

在客户端计算机上:

sudo apt-get install fwknop-client

在服务器端:

sudo apt-get install fwknop-server

此处是有关如何设置客户端和服务器计算机的教程 https://help.ubuntu.com/community/SinglePacketAuthorization

然后，设置完成后，在服务器端:

1. 编辑/etc/default/fwknop-server
2. 将行START_DAEMON="no"更改为START_DAEMON="yes"

3. 然后运行:

   sudo service fwknop-server stop

   sudo service fwknop-server start

2.在成功的SPA(电子邮件，推送脚本等)上警告管理员

因此，如上所述，Ubuntu存储库(2.6.0-2.1build1)中提供的当前版本无法在成功的SPA上执行命令.如果您需要从OP开始使用此功能，但它将在fwknop版本(2.6.8)中发布，如此处所述:

https://github.com/mrash/fwknop/issues/172

因此，如果您现在需要使用它，则可以从具有CMD_CYCLE_OPEN选项的github分支母版进行构建.

3.有关fwknop的更多资源

https://help.ubuntu.com/community/SinglePacketAuthorization

https://github.com/mrash/fwknop/(GitHub上的项目)

http://www.cipherdyne.org/fwknop/(项目站点)

https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04 (有关DO社区)

I am creating a restricted user without shell for port forwarding only and I need to execute a script on login via pubkey, even if the user is connected via ssh -N user@host which doesn't asks SSH server for a shell.

The script should warn admin on connections authenticated with pubkey, so the user connecting shouldn't be able to skip the execution of the script (e.g., by connecting with ssh -N).

I have tried to no avail:

• Setting the command at /etc/ssh/sshrc.
• Using command="COMMAND" in .ssh/authorized_keys (man authorized_keys)
• Setting up a script with the command as user's shell. (chsh -s /sbin/myscript.sh USERNAME)
• Matching user in /etc/ssh/sshd_config like: Match User MYUSERNAME ForceCommand "/sbin/myscript.sh"

All work when user asks for shell, but if logged only for port forwarding and no shell (ssh -N) it doesn't work.

解决方案

I am the author of the OP; I came to the conclusion that what I need to achieve is not possible using SSH only to the date (OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015), but I found a great piece of software that uses encrypted SPAuthentication to open SSH port and it's new version (to the date of this post, it's GitHub master branch) has a feature to execute a command always that a user authorizates successfully.

FWKNOP - Encrypted Single Packet Authorization

FWKNOP set iptables rules that allow access to given ports upon a single packet encrypted which is sent via UDP. Then after authorization it allow access for the authorized user for a given time, for example 30 seconds, closing the port after this, leaving the connection open.

1. To install on an Ubuntu linux:

The current version (2.6.0-2.1build1) on Ubuntu repositories to the date still doesn't allow command execution on successful SPA; (please use 2.6.8 from GitHub instead)

On client machine:

sudo apt-get install fwknop-client

On server side:

sudo apt-get install fwknop-server

Here is a tutorial on how to setup the client and server machines https://help.ubuntu.com/community/SinglePacketAuthorization

Then, after it is set up, on server side:

1. Edit /etc/default/fwknop-server
2. Change the line START_DAEMON="no" to START_DAEMON="yes"

3. Then run:

   sudo service fwknop-server stop

   sudo service fwknop-server start

2. Warning admin on successful SPA (email, pushover script etc)

So, as stated above the current version present in Ubuntu repositories (2.6.0-2.1build1) cannot execute command on successful SPA. If you need this feature as of the OP, but it will be released at fwknop version (2.6.8), as can it is stated here:

https://github.com/mrash/fwknop/issues/172

So if you need to use it right now you can build from github branch master which have the CMD_CYCLE_OPEN option.

3. More resources on fwknop

https://help.ubuntu.com/community/SinglePacketAuthorization

https://github.com/mrash/fwknop/ (project on GitHub)

http://www.cipherdyne.org/fwknop/ (project site)

https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04 (tutorial on DO's community)

这篇关于SSH –即使没有Shell也可以在登录时强制执行命令的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！