Friday, 3 February 2012

Restricting SSH commands

SSH is a powerful tool. When combined with SSH keys, it becomes easy to automate remote procedures like backups. However, leaving key access wide open can be a bad idea. It is possible to restrict SSH keys to specific commands, even coming from specific hosts. There is a nice little Perl script called Authprogs that makes this somewhat easier. I'll show you how to use authprogs for an automated rsync over SSH.
First you need to generate your ssh key using ssh-keygen

ssh-keygen -t dsa -C "Backup Key" -f ~/.ssh/backup_key -P ""

I have specified a DSA key with the comment "Backup Key", written to your .ssh directory with an empty passphrase, since we are going to be using this to do something automatically.
Let's go ahead and copy that key to the remote server using ssh-copy-id.

ssh-copy-id -i ~/.ssh/backup_key backup_user@remote-server

Your backup_user can be whatever user will have rights to access the data you want to rsync.
Go ahead and SSH into the remote server using the key to test it, and while we are there let's set up authprogs. If you're going to use your root user here, please consider using the SSH directive "PermitRootLogin forced-commands-only" in your /etc/ssh/sshd_config.

ssh -i ~/.ssh/backup_key backup_user@remote-server
mkdir -p bin
cd bin
wget http://www.hackinglinuxexposed.com/tools/authprogs/src/authprogs
chmod a+rx authprogs
cd ~/.ssh
vim authorized_keys

Now you should have a line in your authorized_keys that ends in "Backup Key"; it's the key we created and installed with ssh-copy-id. We want to prefix it with no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/backup_user/bin/authprogs". Your file should look similar to this.

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/backup_user/bin/authprogs" ssh-dss AAAAB3NzaC1kc3MAAACBAOjv4TL4EbQNl2hNjW80+9tjM/w9hYD/ESgw3UZb+t+K55hXwQtG14hm80ORGK1kk6AN+Ja4r/B5UeUZq05HKfT9l3V03rRpDbCRuQgb3ibLNVeER5FOChHK7nrGugwisVjYSN7Chnx6cWlc9iCpt9tiVJExM83QwerjDugMPPB7AAAAFQC7f4cXnYnvgd19I+HXxZAIdxDpOQAAAIArswVuIXuGFg1RzrA0C8iUlJHPtKP6MhZzkkWhN/HTVX4oiL4C4tq09MwdIQovozjFN9wRh/p1Pt1B4hjikgdRvDx1xYfiOcAQk3pPVFq2kFVl3IRklDBpnB6T9eAjLEHZ3Ab0c7CQndoku1ylpG6MzQMWjmpfNTQp0R9+VMqrDAAAAIAw0HrCe5w7qYbS3FZjKjCfN2J1yDYHsJR22bYo2c15C99t7OObzfrmhNN8mVEE4BlYV8RVV1nO+i6lBmGCkHZXcdXp7TeXT1KPOhzvFYIvZrmi1YGEDVDQ7JdabyN4RlWsQETXJNKR+byw+uz4CVGu4FR5Ew2KjtQEFCZgD54Ayg== Backup Key

It should be all one long line! We also turned off some additional SSH features that the key does not need access to. Go ahead and run the rsync command from your client machine.

rsync --rsh="ssh -i ~/.ssh/backup_key" -logptr backup_user@remote-server:/var/backup backup

You should get an error something like: You're not allowed to run 'rsync --server --sender -logtpr . /var/backup/'. That's because we have yet to set up the authprogs.conf file. You can see the same information on the remote server in the /home/backup_user/authprogs.log file. We just need to add our authprogs.conf, so put the following on the remote server in /home/backup_user/.ssh/authprogs.conf

# The hostname command is allowed from any host
[ ALL ]
hostname
# allow multiple machines by listing them together
[ 111.222.333.444 ]
rsync --server --sender -logtpr . /var/backup/

Now if you run your rsync command again it should succeed.

rsync --rsh="ssh -i ~/.ssh/backup_key" -logptr backup_user@remote-server:/var/backup backup
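To make the gate's behaviour concrete, here is a small Python reimplementation of what a forced command like authprogs does: read the conf, take SSH_ORIGINAL_COMMAND and the client IP from SSH_CLIENT, and either exec the exact listed command or refuse. This is an added example, not the authprogs script itself; the conf text and the 111.222.333.444 host are the post's placeholders, and the conf path is assumed to be ~/.ssh/authprogs.conf as in the post.

```python
import os
import shlex

# Constructed sample in the authprogs.conf layout the post shows: a "[ host ]"
# header, then one allowed command line per host block.
SAMPLE_CONF = """\
# The hostname command is allowed from any host
[ ALL ]
hostname
# allow multiple machines by listing them together
[ 111.222.333.444 ]
rsync --server --sender -logtpr . /var/backup/
"""

def parse_conf(text):
    """Return [(hosts, [argv, ...]), ...] blocks from authprogs.conf-style text."""
    blocks, hosts, commands = [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if hosts is not None:
                blocks.append((hosts, commands))
            hosts, commands = line[1:-1].split(), []
        elif hosts is not None:
            commands.append(shlex.split(line))
    if hosts is not None:
        blocks.append((hosts, commands))
    return blocks

def is_allowed(blocks, client_ip, original_command):
    """Allow only an exact argv match listed for ALL or for this client's IP."""
    if not original_command:
        return False  # no command means the client asked for a shell: refuse
    argv = shlex.split(original_command)
    return any(argv in commands for hosts, commands in blocks
               if "ALL" in hosts or client_ip in hosts)

def main():
    # sshd exports these to a forced command; the conf path mirrors the post.
    original = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    client_ip = os.environ.get("SSH_CLIENT", "").split(" ")[0]
    with open(os.path.expanduser("~/.ssh/authprogs.conf")) as fh:
        blocks = parse_conf(fh.read())
    if not is_allowed(blocks, client_ip, original):
        raise SystemExit("You're not allowed to run '%s'" % original)
    argv = shlex.split(original)
    os.execvp(argv[0], argv)  # replace ourselves with the approved command

if __name__ == "__main__":
    main()
```

Because the comparison is on the exact argument vector, a client holding the key cannot change the rsync source path or append extra commands; it can only trigger the one listed transfer.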
*In the event that authprogs is not available above, I have provided a copy of it here. Please try to fetch it from hackinglinuxexposed if at all possible. Authprogs

from http://www.cmdln.org/2008/02/11/restricting-ssh-commands/
