SSH – Force Command execution on login even without Shell

Backend | Unresolved | 4 | 1653
粉色の甜心 2021-01-31 20:39

I am creating a restricted user without shell for port forwarding only and I need to execute a script on login via pubkey, even if the user is connected via ssh -N user@ho

4 answers
  •  爱一瞬间的悲伤
    2021-01-31 21:37

    I am the author of the OP; I came to the conclusion that what I need to achieve is not possible using SSH only, to date (OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015), but I found a great piece of software that uses encrypted Single Packet Authorization (SPA) to open the SSH port, and its new version (to the date of this post, its GitHub master branch) has a feature to always execute a command when a user authorizes successfully.

    FWKNOP - Encrypted Single Packet Authorization

    FWKNOP sets iptables rules that allow access to given ports upon a single encrypted packet which is sent via UDP. Then, after authorization, it allows access for the authorized user for a given time, for example 30 seconds, closing the port after this while leaving the connection open.

    1. To install on Ubuntu Linux:

    The current version (2.6.0-2.1build1) in the Ubuntu repositories to date still doesn't allow command execution on successful SPA (please use 2.6.8 from GitHub instead).

    On client machine:

    sudo apt-get install fwknop-client

    On server side:

    sudo apt-get install fwknop-server

    Here is a tutorial on how to set up the client and server machines: https://help.ubuntu.com/community/SinglePacketAuthorization

    Then, after it is set up, on server side:

    1. Edit /etc/default/fwknop-server
    2. Change the line START_DAEMON="no" to START_DAEMON="yes"
    3. Then run:

      sudo service fwknop-server stop

      sudo service fwknop-server start

    2. Warning the admin on successful SPA (email, Pushover script, etc.)

    So, as stated above, the current version present in the Ubuntu repositories (2.6.0-2.1build1) cannot execute a command on successful SPA. If you need this feature, as in the OP, it will be released in fwknop version 2.6.8, as stated here:

    https://github.com/mrash/fwknop/issues/172

    So if you need to use it right now you can build from the GitHub master branch, which has the CMD_CYCLE_OPEN option.

    3. More resources on fwknop

    https://help.ubuntu.com/community/SinglePacketAuthorization

    https://github.com/mrash/fwknop/ (project on GitHub)

    http://www.cipherdyne.org/fwknop/ (project site)

    https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04 (tutorial on DO's community)
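The answer's section 2 (notifying the admin on a successful SPA) and its pointer to the CMD_CYCLE_OPEN option can be tied together with a small hook script. The script below is an added example, not part of the answer above or of the fwknop project. It assumes (unverified here) that fwknopd 2.6.8 can be configured in access.conf with a line such as `CMD_CYCLE_OPEN /usr/local/sbin/spa_notify.sh $IP`, where fwknopd substitutes `$IP` with the source address of the accepted SPA packet; the script path, the ADMIN_MAIL and LOG_FILE values are placeholders. Because the argument originates from a network packet, the script validates it as a dotted-quad IPv4 address before it is written to a log or passed to `mail`.

```shell
#!/bin/sh
# spa_notify.sh: notify the admin when fwknopd accepts an SPA packet.
# Added example, not code from the original answer or the fwknop project.
# Assumed (labelled) fwknopd 2.6.8 access.conf line that would call it:
#   CMD_CYCLE_OPEN  /usr/local/sbin/spa_notify.sh $IP
# ADMIN_MAIL and LOG_FILE below are placeholders; ADMIN_MAIL empty = log only.

ADMIN_MAIL="${ADMIN_MAIL:-}"
LOG_FILE="${LOG_FILE:-/var/log/spa_notify.log}"

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
# The value comes from fwknodd's packet handling; never trust it unvalidated.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|"") return 1 ;;   # anything but digits and dots is rejected
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                     # split on dots; empty fields are preserved
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Build the single-line event record (UTC timestamp, source IP, host name).
format_event() {
  printf '%s SPA accepted from %s on %s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$(uname -n)"
}

# Entry point called by fwknopd: validate, log, optionally mail.
# Returns 0 on success, 2 when the argument is not a valid IPv4 address.
notify_admin() {
  ip=$1
  if ! is_ipv4 "$ip"; then
    printf 'spa_notify: rejected malformed source %s\n' "$ip" >&2
    return 2
  fi
  msg=$(format_event "$ip")
  printf '%s\n' "$msg" >> "$LOG_FILE"
  if [ -n "$ADMIN_MAIL" ] && command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$msg" | mail -s "SPA accepted from $ip" "$ADMIN_MAIL"
  fi
  return 0
}

# Run the entry point only when executed directly with an argument.
if [ -n "${1:-}" ]; then
  notify_admin "$1"
fi
```

Install it with restrictive permissions (owned by root, not writable by others), since fwknopd runs it with its own privileges; an attacker who could edit the hook would gain code execution on every accepted SPA packet.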
