SSH –即使没有Shell也可以在登录时强制执行命令 [英] SSH – Force Command execution on login even without Shell
问题描述
我正在创建一个没有外壳的受限用户,仅用于端口转发,并且即使用户通过ssh -N user@host
连接,并且不要求SSH服务器提供外壳,我也需要通过pubkey在登录时执行脚本.
该脚本应在通过pubkey验证的连接上警告管理员,因此连接的用户不应跳过该脚本的执行(例如,通过与ssh -N
连接).
我尝试无济于事:
- 在
/etc/ssh/sshrc
上设置命令. - 在
.ssh/authorized_keys
中使用command ="COMMAND"(人工授权密钥) - 使用命令作为用户的shell来设置脚本. (
chsh -s /sbin/myscript.sh USERNAME
) - 匹配
/etc/ssh/sshd_config
中的用户,例如:Match User MYUSERNAME ForceCommand "/sbin/myscript.sh"
所有操作都在用户要求外壳程序时起作用,但是如果仅记录端口转发而没有外壳程序(ssh -N
),则该命令不起作用.
我是OP的作者;我得出的结论是,仅使用SSH(OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015
)不可能实现我需要实现的目标,但是我发现了一款很棒的软件,它使用加密的SPAuthentication打开SSH端口,并且它是新版本(到目前为止)在这篇文章中,它是GitHub master分支)具有一项功能,可以始终执行用户成功授权的命令.
FWKNOP-加密的单个数据包授权
FWKNOP设置iptables规则,该规则允许在通过UDP发送的单个加密数据包上访问给定端口.然后,在授权后,它允许给定时间(例如30秒)内的授权用户访问,此后关闭端口,从而保持连接打开.
1.要在Ubuntu Linux上安装:
到目前为止,Ubuntu存储库上的当前版本(2.6.0-2.1build1)仍然不允许在成功的SPA上执行命令. (请改用GitHub上的2.6.8)
在客户端计算机上:
sudo apt-get install fwknop-client
在服务器端:
sudo apt-get install fwknop-server
此处是有关如何设置客户端和服务器计算机的教程 https://help.ubuntu.com/community/SinglePacketAuthorization
然后,设置完成后,在服务器端:
- 编辑
/etc/default/fwknop-server
- 将行
START_DAEMON="no"
更改为START_DAEMON="yes"
-
然后运行:
sudo service fwknop-server stop
sudo service fwknop-server start
2.在成功的SPA(电子邮件,推送脚本等)上警告管理员
因此,如上所述,Ubuntu存储库(2.6.0-2.1build1)中提供的当前版本无法在成功的SPA上执行命令.如果您需要从OP开始使用此功能,但它将在fwknop版本(2.6.8)中发布,如此处所述:
https://github.com/mrash/fwknop/issues/172
因此,如果您现在需要使用它,则可以从具有CMD_CYCLE_OPEN
选项的github分支母版进行构建.
3.有关fwknop的更多资源
https://help.ubuntu.com/community/SinglePacketAuthorization
https://github.com/mrash/fwknop/(GitHub上的项目)>
http://www.cipherdyne.org/fwknop/(项目站点)
I am creating a restricted user without shell for port forwarding only and I need to execute a script on login via pubkey, even if the user is connected via ssh -N user@host
which doesn't asks SSH server for a shell.
The script should warn admin on connections authenticated with pubkey, so the user connecting shouldn't be able to skip the execution of the script (e.g., by connecting with ssh -N
).
I have tried to no avail:
- Setting the command at
/etc/ssh/sshrc
. - Using command="COMMAND" in
.ssh/authorized_keys
(man authorized_keys) - Setting up a script with the command as user's shell. (
chsh -s /sbin/myscript.sh USERNAME
) - Matching user in
/etc/ssh/sshd_config
like:Match User MYUSERNAME ForceCommand "/sbin/myscript.sh"
All work when user asks for shell, but if logged only for port forwarding and no shell (ssh -N
) it doesn't work.
I am the author of the OP; I came to the conclusion that what I need to achieve is not possible using SSH only to the date (OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015
), but I found a great piece of software that uses encrypted SPAuthentication to open SSH port and it's new version (to the date of this post, it's GitHub master branch) has a feature to execute a command always that a user authorizates successfully.
FWKNOP - Encrypted Single Packet Authorization
FWKNOP set iptables rules that allow access to given ports upon a single packet encrypted which is sent via UDP. Then after authorization it allow access for the authorized user for a given time, for example 30 seconds, closing the port after this, leaving the connection open.
1. To install on an Ubuntu linux:
The current version (2.6.0-2.1build1) on Ubuntu repositories to the date still doesn't allow command execution on successful SPA; (please use 2.6.8 from GitHub instead)
On client machine:
sudo apt-get install fwknop-client
On server side:
sudo apt-get install fwknop-server
Here is a tutorial on how to setup the client and server machines https://help.ubuntu.com/community/SinglePacketAuthorization
Then, after it is set up, on server side:
- Edit
/etc/default/fwknop-server
- Change the line
START_DAEMON="no"
toSTART_DAEMON="yes"
Then run:
sudo service fwknop-server stop
sudo service fwknop-server start
2. Warning admin on successful SPA (email, pushover script etc)
So, as stated above the current version present in Ubuntu repositories (2.6.0-2.1build1) cannot execute command on successful SPA. If you need this feature as of the OP, but it will be released at fwknop version (2.6.8), as can it is stated here:
https://github.com/mrash/fwknop/issues/172
So if you need to use it right now you can build from github branch master which have the CMD_CYCLE_OPEN
option.
3. More resources on fwknop
https://help.ubuntu.com/community/SinglePacketAuthorization
https://github.com/mrash/fwknop/ (project on GitHub)
http://www.cipherdyne.org/fwknop/ (project site)
https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04 (tutorial on DO's community)
这篇关于SSH –即使没有Shell也可以在登录时强制执行命令的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!