Restricting SSH commands

SSH is a pow­er­ful tool. When com­bined with ssh keys, it becomes easy to auto­mate remote pro­ce­dures like back­ups. How­ever leav­ing key access wide open can be a bad idea. It is pos­si­ble to use restrict ssh keys to spe­cific com­mands, even com­ing from spe­cific hosts. There is this nice lit­tle perl script called Auth­progs that makes this some­what eas­ier. Ill show you how to use auth­progs for an auto­mated rsync over ssh.
First you need to gen­er­ate your ssh key using ssh-keygen

ssh-keygen -t dsa -C "Backup Key" -f ~/.ssh/backup_key -P ""

I have spec­i­fied a dsa key with the com­ment of “Backup Key” to your .ssh direc­tory with an empty passphrase since we are going to be using this to do some­thing automat­ti­cally.
Lets go ahead and copy that key to the remote server using ssh-copy-id.

ssh-copy-id -i ~/.ssh/backup_key backup_user@remote-server

Your backup_user can be what­ever user will have rights to access the data you want to rsync.
Go ahead and ssh into the remote server using the key to test it, and while we are there lets setup auth­progs. If your going to use your root user here please con­sider using the ssh direc­tive “Per­mit­Root­Lo­gin forced-commands-only” in your /etc/ssh/sshd_config

ssh -i ~/.ssh/backup_key backup_user@remote-server
mkdir -p bin
cd bin
chmod a+rx authprogs
cd ~/.ssh
vim authorized_keys

Now you should have a line in your autho­rized keys that ends in “Backup Key”, its the key we cre­ated and installed with ssh-copy-id. We want to add no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command=”/home/backup_user/bin/authprogs”. Your file should look sim­i­lar to this.

"/home/backup_user/bin/authprogs" ssh-dss AAAAB3NzaC1kc3MAAACBAOjv4TL4EbQ
EDVDQ7JdabyN4RlWsQETXJNKR+byw+uz4CVGu4FR5Ew2KjtQEFCZgD54Ayg== Backup Key

It should be all one long line! We did turn off some addi­tional SSH fea­tures that the key does not need access too. Go ahead and run the rsync com­mand from your client machine.

rsync --rsh="ssh -i ~/.ssh/backup_key" -logptr backup_user@remote-server:/var/backup backup

You should get an error some­thing like You’re not allowed to run ‘rsync –server –sender –logtpr . /var/backup/’ Thats beca­sue we have yet to setup the authprogs.conf file. You can see the same infor­ma­tion on the remote server /home/backup_user/authprogs.log file. We just need to add our authprogs.conf so put the fol­low­ing on the remote server in /home/backup_user/.ssh/authprogs.conf

# The hostname command is allowed from any host
[ ALL ]
hostname # allow multiple machines by listing them together
[ 111.222.333.444 ]
rsync --server --sender -logtpr . /var/backup/
Now if you run your rsync command again it should succeed

rsync --rsh="ssh -i ~/.ssh/backup_key" -logptr backup_user@remote-server:/var/backup backup
*In the event that authprogs is not available above I have provided a copy of it here. Please try to fetch it from hackinglinuxexposed if at all possible.Authprogs


Leave a Reply

Your email is never shared.Required fields are marked *

To submit your comment, click the image below where it asks you to...
Clickcha - The One-Click Captcha