Shell Script related to $SSH_ORIGINAL_COMMAND

High level: need to force every ssh session to an interactive shell.

Nitty gritty: need a script to intercept any commands/scripts passed through ssh and force an interactive shell onto the sudo user.
Who is Participating?
woolmilkporcConnect With a Mentor Commented:
You could (as root) just authorize the user in question to run an interactive shell via sudo, e.g. "/usr/bin/bash -i".

Now this authorized user must just run:

ssh -tt target_server sudo bash -li

to get an interactive bash login shell with root privileges. Please be aware that the user will from now on act on behalf of root, with all the privileges!
Attention: The sudo log will just record the "bash -i" command but no subcommands issued from that shell.

OK, if you want to do it with "SSH_ORIGINAL_COMMAND" this implies using "ForceCommand" which in turn implies that just a single command can be run, no interactive shell will be started (unless the original command passed to the below script  is something like "bash", of course).

Here you go:

Let's assume the user in question is "userA".

Add (as root) to the very end of sshd_config at the target machine:

Match user userA
 ForceCommand /path/to/sudo_wrapper

Now create (again as root) a script "sudo_wrapper"on the target server containing something like


Make the script executable for the intended user, restart sshd and try it out.

Regardless of which command was given on the ssh command line, only the sudo_wrapper script will be executed. The original command is stored in the mentioned variable.
Again, if the original command starts an interactive shell only that command will be recorded in sudo's log.

Please be aware that following any of the above suggestions can/will create a security risk.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.