
Restricting SSH commands via key-file authentication

SSH supports several options in authorized_keys, among them restricting the commands a key may run. See the relevant documentation:

man sshd
AUTHORIZED_KEYS FILE FORMAT
     AuthorizedKeysFile specifies the files containing public keys for public key authentication; if this option is not specified, the default is ~/.ssh/authorized_keys and
     ~/.ssh/authorized_keys2.  Each line of the file contains one key (empty lines and lines starting with a ‘#’ are ignored as comments).
     
(...)

command="command"
             Specifies that the command is executed whenever this key is used for authentication.  The command supplied by the user (if any) is ignored.  The command is run on a pty if the
             client requests a pty; otherwise it is run without a tty.  If an 8-bit clean channel is required, one must not request a pty or should specify no-pty.  A quote may be included
             in the command by quoting it with a backslash.
(...)
from="pattern-list"
             Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns.
             See PATTERNS in ssh_config(5) for more information on patterns.
(...)
no-port-forwarding
             Forbids TCP forwarding when this key is used for authentication.  Any port forward requests by the client will return an error.  This might be used, e.g. in connection with the
             command option.
no-X11-forwarding
             Forbids X11 forwarding when this key is used for authentication.  Any X11 forward requests by the client will return an error.
(...)
restrict
             Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc.  If any future restriction capabilities
             are added to authorized_keys files they will be included in this set.
  • Rsync, e.g. "rsync -a /local-folder user@remote-host:/remote-folder", does not need SFTP; instead it invokes "rsync --server" on the remote side via SSH
  • If you want a secure backup without giving access to the "remote-host", you can restrict the commands
  • The command that is actually executed can be found out with "rsync -ae 'ssh -v' /local-folder user@remote-host:/remote-folder"
    • "debug: Sending command: rsync --server ...." is the command that must be allowed

Example

/home/user/.ssh/authorized_keys
from="192.168.0.1",command="rsync --server ....",restrict ssh-rsa AA10923809218309...
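Added example, not part of the original page: instead of hard-coding the exact "rsync --server ...." argument string (which changes with the client's rsync flags), the command= option can point at a wrapper that inspects SSH_ORIGINAL_COMMAND, the variable sshd sets to the command the client actually requested, and only executes it if it is an rsync server-mode push into one fixed directory. The wrapper path /usr/local/bin/rsync-only and the target /srv/backup are assumptions.

```sh
#!/bin/sh
# Added example: forced-command wrapper for an authorized_keys line such as
#   from="192.168.0.1",command="/usr/local/bin/rsync-only",restrict ssh-rsa AAAA...
# (the wrapper path and the /srv/backup target below are assumptions).
# With a command= option, sshd runs this script instead of what the client
# requested and puts the requested command into SSH_ORIGINAL_COMMAND.

# allow_rsync_cmd CMD DEST: succeed only if CMD is an rsync server-mode
# invocation that receives files into DEST (or a directory below it).
allow_rsync_cmd() {
    cmd=$1
    dest=$2
    case "$cmd" in
        "rsync --server "*) ;;      # only rsync in server mode, nothing else
        *) return 1 ;;
    esac
    case "$cmd" in
        *--sender*) return 1 ;;     # refuse pulls: this key may only push backups
    esac
    # no shell metacharacters, and no ".." path component anywhere
    if printf '%s\n' "$cmd" | grep -qE '[;&|`$()<>]|(^|[ /])\.\.($|[ /])'; then
        return 1
    fi
    last=${cmd##* }                 # rsync's last argument is the target directory
    case "$last" in
        "$dest"|"$dest"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only reached when sshd invoked us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync_cmd "$SSH_ORIGINAL_COMMAND" /srv/backup; then
        set -f                          # no globbing while splitting the string
        set -- $SSH_ORIGINAL_COMMAND
        shift                           # drop the leading "rsync" word
        exec rsync "$@"
    fi
    logger -p auth.warning -t rsync-only "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Because the entry also carries "restrict", a rejected request gets neither a shell nor a forwarding channel; the rejection itself is written to syslog so it can be alerted on.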
Last modified: 2017/02/20 12:30 by brot