controls which commands may be executed via incoming ssh
sshdo provides an easily configurable way of controlling which commands may be executed via incoming ssh connections.
An ssh public key in a ~/.ssh/authorized_keys file can have a command="" option which forces a particular command to be executed when the key is used to authenticate an ssh connection. This is a security control that mitigates against private key compromise.
This is great when you only need to execute a single command. But if you need to perform multiple tasks, you would normally need to create and install a separate key pair for each command, or just not bother making use of forced commands and allow the key to be used to execute any command.
Instead, you can make sshdo act as the forced command, and when an ssh connection tries to execute a command, sshdo will consult the configuration files, /etc/sshdoers and /etc/sshdoers.d/*, to decide whether or not the user and key are allowed to execute the command. The requested command is only executed if it is allowed by the configuration.
This makes it possible to use a single authorized key for any number of commands and still prevent its use for any other purpose.
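The gatekeeping mechanism described above, as an added example that is not sshdo's own code and does not use the sshdoers configuration format. It assumes the authorized_keys entry passes a key name as the wrapper's only argument (for example, command="/usr/local/bin/gate KEYNAME",no-pty ssh-ed25519 AAAA...), and the policy is a constructed in-memory mapping from (user, key name) to the exact command lines that identity may run:

```python
"""Minimal forced-command gatekeeper (added example, not sshdo's code).

Assumptions, all hypothetical:
  - the authorized_keys entry names the key as the wrapper's sole argument:
      command="/usr/local/bin/gate KEYNAME",no-pty ssh-ed25519 AAAA... comment
  - the policy below is a constructed mapping, not the sshdoers file format.
"""
import os
import shlex
import subprocess
import sys

# Constructed policy; a real deployment would load this from a config file.
POLICY = {
    ("backup", "nas-key"): {"/usr/bin/rsync --server --sender . /srv/data/"},
    ("deploy", "ci-key"): {"git-receive-pack 'app.git'", "systemctl restart app"},
}


def is_allowed(user, keyname, command, policy=POLICY):
    """Return True only if the exact command line is allowed for (user, key).

    Exact matching is deliberate: prefix, substring or glob matching would let a
    client append arguments or shell metacharacters to an approved command.
    """
    return command in policy.get((user, keyname), set())


def decide(user, keyname, original_command, policy=POLICY):
    """Return (allowed, argv).

    sshd exposes the client's requested command in SSH_ORIGINAL_COMMAND; when it
    is absent the client asked for an interactive shell, which is never granted.
    """
    if not original_command:
        return False, []
    if not is_allowed(user, keyname, original_command, policy):
        return False, []
    return True, shlex.split(original_command)


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: gate KEYNAME\n")
        return 2
    user = os.environ.get("USER", "")
    allowed, cmd = decide(user, argv[1], os.environ.get("SSH_ORIGINAL_COMMAND"))
    if not allowed:
        sys.stderr.write("gate: command not permitted\n")
        return 1
    # Run the approved argv directly, without a shell, so nothing is reinterpreted.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The important design choice is the exact-match comparison: a denied request such as the approved rsync line with "; id" appended fails the check, and an absent SSH_ORIGINAL_COMMAND (a shell request) is refused rather than falling through to a login shell.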
You will need to identify which commands need to be allowed by each user and authorized key. To make this easy, sshdo can be put into training mode where it will allow (and log) the execution of all commands.
After some time, sshdo can then learn from the logs and create the configuration necessary to allow the commands that were encountered during training mode.
It can also unlearn occasionally and create a new configuration that will no longer allow commands that no longer appear to be in use. This can help to maintain strict least privilege.
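The learn and unlearn steps above, as an added example that is not sshdo's own implementation and does not reproduce its log or configuration format. It assumes a constructed syslog line format, "<Mon DD HH:MM:SS> <host> gate[<pid>]: training user=<user> key=<key> command=<line>", and the two log excerpts below are constructed:

```python
"""Derive an allow-list from training-mode logs, then prune it ("unlearn").

Added example, not sshdo's own learn/unlearn code. The log line format is a
constructed assumption:
  <Mon DD HH:MM:SS> <host> gate[<pid>]: training user=<user> key=<key> command=<line>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ gate\[\d+\]: training "
    r"user=(?P<user>\S+) key=(?P<key>\S+) command=(?P<command>.*)$"
)

# Constructed training-mode excerpt; the sshd line shows unrelated records are ignored.
TRAINING_LOG = """\
Jan  5 10:00:01 bastion gate[4101]: training user=backup key=nas-key command=/usr/bin/rsync --server --sender . /srv/data/
Jan  5 10:00:07 bastion gate[4102]: training user=deploy key=ci-key command=git-receive-pack 'app.git'
Jan  5 10:00:09 bastion gate[4103]: training user=deploy key=ci-key command=systemctl restart app
Jan  5 10:00:11 bastion sshd[4104]: Accepted publickey for deploy from 10.0.0.5 port 5022 ssh2
Jan  5 10:01:30 bastion gate[4105]: training user=backup key=nas-key command=/usr/bin/rsync --server --sender . /srv/data/
"""

# Constructed excerpt from a later period: the restart command is no longer in use.
RECENT_LOG = """\
Feb  1 02:00:01 bastion gate[9001]: training user=backup key=nas-key command=/usr/bin/rsync --server --sender . /srv/data/
Feb  1 02:00:05 bastion gate[9002]: training user=deploy key=ci-key command=git-receive-pack 'app.git'
"""


def parse(log):
    """Yield (user, key, command) for each training record; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("key"), m.group("command")


def learn(log):
    """Build {(user, key): set(commands)} from every command seen during training."""
    policy = defaultdict(set)
    for user, key, command in parse(log):
        policy[(user, key)].add(command)
    return dict(policy)


def unlearn(policy, recent_log):
    """Keep only the commands still seen in recent_log.

    Identities with no remaining commands are dropped entirely, so the policy
    tracks what is actually used rather than everything ever permitted.
    """
    seen = learn(recent_log)
    pruned = {}
    for identity, commands in policy.items():
        kept = commands & seen.get(identity, set())
        if kept:
            pruned[identity] = kept
    return pruned
```

Running learn over the first excerpt yields two identities with three distinct commands; unlearn against the later excerpt removes "systemctl restart app" from the deploy key because it no longer appears, which is the least-privilege maintenance the paragraph describes.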
sshdo is freely available under the GNU General Public License Version 2 or later.
sshdo is written in Python (2.6+ or 3.3+) and should run on most systems. It assumes POSIX and an SSH server and a syslog-compatible logging system.
There is a README file and related documents, and two manual pages:
README.md - Description
INSTALL - Installation, Requirements
COPYING - Licence information
CHANGELOG - History
sshdo(8) - controls which commands may be executed via incoming ssh (source)
sshdoers(5) - configuration file for sshdo(8)
Latest:
sshdo-1.1.1.tar.gz (SHA256 9b22e14fec786b692e8d6431a81e9b17ad8f6e62ae5d6ef9e9c643690bf33f90)
Previous:
sshdo-1.1.tar.gz (SHA256 04a36696538ddbf188f86c357c1d2eaca21b2a09dd555bae072ed8660400c75a)
sshdo-1.0.tar.gz (SHA256 ce776dd9481bebf14127a58e2c5809f802097bafbf36a1436bf2bf053fc327ab)
sshdo-0.1.tar.gz (SHA256 6f0e210db84473b3c459c13c75843a0ee28751b6e342ae18bccf8dc840400213)