HELP! PAssing forced cmd parameters with secondary id key
Emily Adams
I'm interested in restricting a user's functionality upon connecting
to a remote server to only running a shell script that takes
***parameters*** from the client. In this case the parameter(s) are
the client's hostname or ip number. For brevity and safety, I have
not included fully qualified hostnames, paths, or real ip numbers, but
have tested (unsuccessfully) with everything fully qualified.
Here's what my test shell script looks like on the server:
----
#!/bin/zsh
ipNum=$1
echo Hello! This is the parameter $ipNum
----
Using OpenSSH_3.4p1, SSH protocols 1.5/2.0:
--------
UNRESTRICTED KEY PAIR>> The parameter is passed correctly.
ssh-dss AAAAB3Nza......key.....
[ichick:~] stats% ssh -i stats_ip_key remoteServer $HOME/test.sh
Hello! This is the parameter 129.79.x.x
[ichick:~] stats%
--------
--------
RESTRICTED KEY PAIR >> Understandably, the server's key strictly
enforces the fact that ONLY the command "$HOME/test.sh" is run...with
no
parameters.
command="$HOME/test.sh" ssh-dss AAAAB3N.....key....
[ichick:~] stats% ssh -i stats_ip_key remoteServer $HOME/test.sh
Hello! This is the parameter
[ichick:~] stats%
--------
--------
TESTING KEY PAIR >> this is just to show that regardless of what
command is forced, the parameters make it to the server.....
command="/bin/echo You tried to invoke $SSH_ORIGINAL_COMMAND" ssh-dss
AAAABng....key....
[ichick:~] stats% ssh -i stats_ip_key remoteServer $HOME/test.sh
You tried to invoke /Users/stats/test.sh 129.79.x.x
[ichick:~] stats%
-------
I've tried using $* in the shell script to grab anything that is
coming through the pipe. I've tried changing the restriced key to
read "command="$HOME/test.sh $1". Didn't work.
Any thoughts would be appreciated. Eventually, I would like more than
one paramater to be passed (ip, date, hostname, etc).
Thanks!
-Emily
<-><-><-><-><-><-><-><-><-><-><->
Emily K. Adams
Mac/Unix Systems Administration
UITS - Student Technology Centers
Indiana University, Bloomington
<-><-><-><-><-><-><-><-><-><-><->
John Dunlap
> to a remote server to only running a shell script that takes
> ***parameters*** from the client.
Emily,
I was curious so pursued it. The following shows how to access the
command line args.
on client:
ssh-keygen -f id_tst
[give a new passphrase]
ssh-agent bash
ssh-add id_tst
[give the passphrase for id_tst]
Commands typed on client with responses from tst.run on server:
[dunlap@client dunlap]$ ssh server xx
SSH_ORIGINAL_COMMAND=xx
[dunlap@client dunlap]$ ssh server xx yy
SSH_ORIGINAL_COMMAND=xx yy
Contents of server:tst.run:
#!/bin/sh
echo "SSH_ORIGINAL_COMMAND=$SSH_ORIGINAL_COMMAND"
The forced command line in server:.ssh/authorized_keys:
command="/home/dunlap/tst.run",from="client",no-pty,\
no-port-forwarding,no-agent-forwarding,no-X11-forwarding \
ssh-rsa AAAAB3NzaC...Y0jlWCPE= dunlap@client
Regards,
John
John Dunlap
#!/bin/bash
echo "SSH_ORIGINAL_COMMAND=$SSH_ORIGINAL_COMMAND"
set $SSH_ORIGINAL_COMMAND
echo "nwords=$#"
while [ $# -gt 0 ]
do
echo "word=$1"
shift
done
Emily Adams
Thanks!
I didn't implement $SSH_ORIGINAL_COMMAND, but by appending the first
argument after each shift I was in fact able to re-parse out the
information...
while [ $# -gt 0 ]
do
line=`echo $line $1`;shift
done
var1=`echo $line | cut -d" " -f1`
var2=`echo $line | cut -d" " -f2`
...
Somewhat clumsy, I'm sure, but it still works. I think I had higher
hopes (or misguided hopes) of what a forced command key pair could do.
Thanks again.