Solved

Shell Script related to $SSH_ORIGINAL_COMMAND

Posted on 2014-03-08
1
1,601 Views
Last Modified: 2014-03-13
High level: need to force every ssh session to an interactive shell.

Nitty gritty: need a script to intercept any commands/scripts passed through ssh and force an interactive shell onto the sudo user.
0
Comment
Question by:Sanction
1 Comment
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 39915054
You could (as root) just authorize the user in question to run an interactive shell via sudo, e.g. "/usr/bin/bash -i".

Now this authorized user must just run:

ssh -tt target_server sudo bash -li

to get an interactive bash login shell with root privileges. Please be aware that the user will from now on act on behalf of root, with all the privileges!
Attention: The sudo log will just record the "bash -i" command but no subcommands issued from that shell.

OK, if you want to do it with "SSH_ORIGINAL_COMMAND" this implies using "ForceCommand" which in turn implies that just a single command can be run, no interactive shell will be started (unless the original command passed to the below script  is something like "bash", of course).

Here you go:

Let's assume the user in question is "userA".

Add (as root) to the very end of sshd_config at the target machine:

Match user userA
 ForceCommand /path/to/sudo_wrapper

Now create (again as root) a script "sudo_wrapper"on the target server containing something like

#!/bin/bash
/usr/bin/sudo $SSH_ORIGINAL_COMMAND

Make the script executable for the intended user, restart sshd and try it out.

Regardless of which command was given on the ssh command line, only the sudo_wrapper script will be executed. The original command is stored in the mentioned variable.
Again, if the original command starts an interactive shell only that command will be recorded in sudo's log.

Please be aware that following any of the above suggestions can/will create a security risk.
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question