Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Shell Script related to $SSH_ORIGINAL_COMMAND

Posted on 2014-03-08
1
Medium Priority
?
1,833 Views
Last Modified: 2014-03-13
High level: need to force every ssh session to an interactive shell.

Nitty gritty: need a script to intercept any commands/scripts passed through ssh and force an interactive shell onto the sudo user.
0
Comment
Question by:Sanction
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 2000 total points
ID: 39915054
You could (as root) just authorize the user in question to run an interactive shell via sudo, e.g. "/usr/bin/bash -i".

Now this authorized user must just run:

ssh -tt target_server sudo bash -li

to get an interactive bash login shell with root privileges. Please be aware that the user will from now on act on behalf of root, with all the privileges!
Attention: The sudo log will just record the "bash -i" command but no subcommands issued from that shell.

OK, if you want to do it with "SSH_ORIGINAL_COMMAND" this implies using "ForceCommand" which in turn implies that just a single command can be run, no interactive shell will be started (unless the original command passed to the below script  is something like "bash", of course).

Here you go:

Let's assume the user in question is "userA".

Add (as root) to the very end of sshd_config at the target machine:

Match user userA
 ForceCommand /path/to/sudo_wrapper

Now create (again as root) a script "sudo_wrapper"on the target server containing something like

#!/bin/bash
/usr/bin/sudo $SSH_ORIGINAL_COMMAND

Make the script executable for the intended user, restart sshd and try it out.

Regardless of which command was given on the ssh command line, only the sudo_wrapper script will be executed. The original command is stored in the mentioned variable.
Again, if the original command starts an interactive shell only that command will be recorded in sudo's log.

Please be aware that following any of the above suggestions can/will create a security risk.
0

Featured Post

Create CentOS 7 Newton Packstack Running Keystone

A bug was filed against RDO for the installation of Keystone v3. This guide is designed to walk you through the configuration for using Keystone v3 with Packstack. You will accomplish this using various repos and the Answers file.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question