Solved

Shell Script related to $SSH_ORIGINAL_COMMAND

Posted on 2014-03-08
1
1,696 Views
Last Modified: 2014-03-13
High level: need to force every ssh session to an interactive shell.

Nitty gritty: need a script to intercept any commands/scripts passed through ssh and force an interactive shell onto the sudo user.
0
Comment
Question by:Sanction
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 39915054
You could (as root) just authorize the user in question to run an interactive shell via sudo, e.g. "/usr/bin/bash -i".

Now this authorized user must just run:

ssh -tt target_server sudo bash -li

to get an interactive bash login shell with root privileges. Please be aware that the user will from now on act on behalf of root, with all the privileges!
Attention: The sudo log will just record the "bash -i" command but no subcommands issued from that shell.

OK, if you want to do it with "SSH_ORIGINAL_COMMAND" this implies using "ForceCommand" which in turn implies that just a single command can be run, no interactive shell will be started (unless the original command passed to the below script  is something like "bash", of course).

Here you go:

Let's assume the user in question is "userA".

Add (as root) to the very end of sshd_config at the target machine:

Match user userA
 ForceCommand /path/to/sudo_wrapper

Now create (again as root) a script "sudo_wrapper"on the target server containing something like

#!/bin/bash
/usr/bin/sudo $SSH_ORIGINAL_COMMAND

Make the script executable for the intended user, restart sshd and try it out.

Regardless of which command was given on the ssh command line, only the sudo_wrapper script will be executed. The original command is stored in the mentioned variable.
Again, if the original command starts an interactive shell only that command will be recorded in sudo's log.

Please be aware that following any of the above suggestions can/will create a security risk.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory replication delay is the cause to many problems.  Here is a super easy script to force Active Directory replication to all sites with by using an elevated PowerShell command prompt, and a tool to verify your changes.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question