  • Status: Solved

Shell Script related to $SSH_ORIGINAL_COMMAND

High level: need to force every ssh session to an interactive shell.

Nitty-gritty: need a script to intercept any commands/scripts passed through ssh and force an interactive shell onto the sudo user.
Asked by: Sanction
1 Solution
woolmilkporc commented:
You could (as root) just authorize the user in question to run an interactive shell via sudo, e.g. "/usr/bin/bash -i".

Now this authorized user must just run:

ssh -tt target_server sudo bash -li

to get an interactive bash login shell with root privileges. Please be aware that the user will from now on act on behalf of root, with all the privileges!
Attention: The sudo log will just record the "bash -i" command but no subcommands issued from that shell.

OK, if you want to do it with "SSH_ORIGINAL_COMMAND" this implies using "ForceCommand" which in turn implies that just a single command can be run, no interactive shell will be started (unless the original command passed to the below script is something like "bash", of course).

Here you go:

Let's assume the user in question is "userA".

Add (as root) to the very end of sshd_config at the target machine:

Match user userA
 ForceCommand /path/to/sudo_wrapper

Now create (again as root) a script "sudo_wrapper" on the target server containing something like

#!/bin/bash
# Run whatever the client asked for under sudo; $SSH_ORIGINAL_COMMAND is
# deliberately left unquoted so "bash -li" splits into command and arguments.
/usr/bin/sudo $SSH_ORIGINAL_COMMAND

Make the script executable for the intended user, restart sshd and try it out.

Regardless of which command was given on the ssh command line, only the sudo_wrapper script will be executed. The original command is stored in the mentioned variable.
Again, if the original command starts an interactive shell only that command will be recorded in sudo's log.

Please be aware that following any of the above suggestions can/will create a security risk.
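The wrapper above does two things the answer only hints at: it cannot cope with a plain "ssh target" (SSH_ORIGINAL_COMMAND is then empty and sudo is called with no command), and it leaves no record of what was requested beyond sudo's own one-line entry. The script below is an added example, not woolmilkporc's script, showing one way to handle both: an empty request becomes a root login shell via "sudo -i" (which satisfies the original "force an interactive shell" requirement), and every request is written to the auth log with the client address taken from SSH_CONNECTION, which sshd sets for every session. It assumes sudo lives at /usr/bin/sudo and that userA is permitted to run those commands in sudoers; the dispatch at the bottom only runs when the file is invoked under the name sudo_wrapper, so the decision logic can be exercised on its own.

```shell
#!/bin/sh
# sudo_wrapper (added example): intended as the ForceCommand target for
# "Match User userA". Logs the request, then runs it under sudo, falling
# back to an interactive root login shell when no command was supplied.

SUDO=/usr/bin/sudo   # assumed location of sudo on the target server

# Decide which command line to run for a given original ssh command.
# The result is printed rather than executed so it can be checked in isolation.
build_cmd() {
    orig=$1
    if [ -z "$orig" ]; then
        # No remote command given: "sudo -i" yields a root login shell.
        printf '%s -i\n' "$SUDO"
    else
        printf '%s %s\n' "$SUDO" "$orig"
    fi
}

# Record who asked for what, from where. SSH_CONNECTION is set by sshd and
# starts with the client address; "unknown" is a placeholder when it is absent.
log_request() {
    client=${SSH_CONNECTION:-unknown}
    logger -t sudo_wrapper -p auth.info \
        "user=$(id -un) client=${client%% *} cmd=${1:-<none>}"
}

# Dispatch only when installed and invoked as "sudo_wrapper".
case ${0##*/} in
    sudo_wrapper)
        log_request "$SSH_ORIGINAL_COMMAND"
        # Word splitting of the built command line is intentional: it turns
        # "bash -li" into a command and its arguments.
        exec $(build_cmd "$SSH_ORIGINAL_COMMAND")
        ;;
esac
```

Installed as /path/to/sudo_wrapper and referenced from the Match block exactly as in the answer, this still inherits the caveat noted above: once "bash -li" starts, sudo's own log shows only that one command. If the subcommands matter, the sudoers option "Defaults log_output" makes sudo record the whole session for later review with sudoreplay.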
