joeyh.name_comments_ikiwiki.rss.xml - sfeed_tests - sfeed tests and RSS and Atom files
(HTM) git clone git://git.codemadness.org/sfeed_tests
(DIR) Log
(DIR) Files
(DIR) Refs
(DIR) README
(DIR) LICENSE
---
joeyh.name_comments_ikiwiki.rss.xml (7296B)
---
1 <?xml version="1.0"?>
2 <rss version="2.0"
3 xmlns:dc="http://purl.org/dc/elements/1.1/"
4 xmlns:dcterms="http://purl.org/dc/terms/"
5 xmlns:atom="http://www.w3.org/2005/Atom">
6 <channel>
7 <title>blog/entry/locking down ssh authorized keys</title>
8 <link>http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/</link>
9 <atom:link href="http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/comments.rss" rel="self" type="application/rss+xml"/>
10
11 <description>joey</description>
12 <generator>ikiwiki</generator>
13 <pubDate>Mon, 22 Apr 2019 22:31:01 -0400</pubDate>
14 <item>
15 <title>comment 1</title>
16
17 <guid isPermaLink="false">http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/comment_1/</guid>
18
19 <link>http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/#comment-3e24a7e432c5e3262457ced6e73dad2d</link>
20
21 <dc:creator>svend [myopenid.com]</dc:creator>
22
23
24 <pubDate>Tue, 13 Jan 2009 16:25:34 -0500</pubDate>
25 <dcterms:modified>2009-01-13T21:25:34Z</dcterms:modified>
26
27
28 <description><blockquote><p>(I also tried the simpler command="git-shell -c $SSH_ORIGINAL_COMMAND"; but it didn't work with alioth's old version of openssh, and I didn't want to worry about exposing SSHORIGINALCOMMAND to the shell.)</p></blockquote>
29
30 <p>I found that <code>command="git shell -c \"$SSH_ORIGINAL_COMMAND\""</code> works.</p>
31
32 <p><code>command="git shell -c $SSH_ORIGINAL_COMMAND"</code> doesn't work because <code>$SSH_ORIGINAL_COMMAND</code> will contain spaces and git-shell will see too many arguments and throw the error: "fatal: What do you think I am? A shell?".</p>
33
34 </description>
35
36
37 </item>
38 <item>
39 <title>Limiting shell access to multiple </title>
40
41 <guid isPermaLink="false">http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/comment_2_9ab226f97ba77b3a56a51a9fdc253ab2/</guid>
42
43 <link>http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/#comment-6764e3a7935308940fcfe4fad0e772c5</link>
44
45 <dc:creator>Galen</dc:creator>
46
47
48 <pubDate>Wed, 30 Jan 2013 02:12:13 -0500</pubDate>
49 <dcterms:modified>2013-01-30T07:12:16Z</dcterms:modified>
50
51
52 <description><p>Since git 1.7.4, you can extend git-shell with custom commands by placing executables in ~/git-shell-commands (see the <a href="http://git-scm.com/docs/git-shell/1.7.4">git-shell</a> man page for details). The user must have read and execute permissions on this directory and (as with all commands) execute permission on the executables. According to user mimrock in answer to his "<a href="http://stackoverflow.com/q/14460967/90527">Custom commands with git-shell</a>" question, these commands only work in interactive mode as of 1.7.10. For earlier and later versions of git, you can use a shell script to run commands in git-shell-commands in non-interactive mode:</p>
53
54 <pre><code>#!/bin/bash
55
56 cmdline=($1)
57 cmd=$(basename "${cmdline[0]}")
58
59 if [ -z "$cmd" ] ; then
60 exec git-shell
61 elif [ -n "$cmd" -a -x ~/git-shell-commands/"$cmd" ] ; then
62 ~/git-shell-commands/"$cmd" "${cmdline[@]:1}"
63 else
64 exec git-shell -c "$1"
65 fi
66 </code></pre>
67
68 <p>Use this in place of git-shell in the authorize_keys "command" option. Invocation is basically the same as for git-shell. Assuming the script is named "sshsh", and following svend's example, we have:</p>
69
70 <pre><code>command="sshsh \"$SSH_ORIGINAL_COMMAND\"" ...
71 </code></pre>
72
73 <p>If you'd rather not require <code>$SSH_ORIGINAL_COMMAND</code> to be quoted, use the following script:</p>
74
75 <pre><code>#!/bin/bash
76
77 cmd=$(basename $1)
78
79 if [ -z "$cmd" ] ; then
80 exec git-shell
81 elif [ -n "$cmd" -a -x ~/git-shell-commands/"$cmd" ] ; then
82 shift
83 ~/git-shell-commands/"$cmd" "$@"
84 else
85 exec git-shell -c "$*"
86 fi
87 </code></pre>
88
89 <p>The authorized_key entry then becomes:</p>
90
91 <pre><code>command="sshsh $SSH_ORIGINAL_COMMAND" ...
92 </code></pre>
93
94 <p>Any other commands you wish to allow through ssh can be created within ~/git-shell-commands as links or scripts. For example, to allow rsync as well as git:</p>
95
96 <pre><code>$ ln -s $(which rsync) ~/git-shell-commands/
97 </code></pre>
98
99 </description>
100
101
102 </item>
103 <item>
104 <title>With unison</title>
105
106 <guid isPermaLink="false">http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/comment_3_0a9e26f4882326f822388833ea8e1d49/</guid>
107
108 <link>http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/#comment-a185ffdee7b234bf5bb47971870ea40b</link>
109
110 <dc:creator>cassou</dc:creator>
111
112
113 <pubDate>Wed, 12 Sep 2018 04:56:25 -0400</pubDate>
114 <dcterms:modified>2018-09-12T08:56:26Z</dcterms:modified>
115
116
117 <description><p>Add that to your authorized_keys file on the host to restrict usage of the key to unison:</p>
118
119 <pre><code># Look at manpage sshd(8) for more information on options
120 command="unison -server",restrict ssh-rsa ...the key...
121 </code></pre>
122
123 </description>
124
125
126 </item>
127 <item>
128 <title>sshdo</title>
129
130 <guid isPermaLink="false">http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/comment_4_daa16632d108bdfdec87ddc252772659/</guid>
131
132 <link>http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/#comment-e3611febc22585e0e2fb2e0da7287e3d</link>
133
134 <dc:creator>joeyh</dc:creator>
135
136
137 <pubDate>Mon, 22 Apr 2019 22:31:00 -0400</pubDate>
138 <dcterms:modified>2019-04-23T02:31:01Z</dcterms:modified>
139
140
141 <description><p>[Disclosure: I wrote sshdo which is described below]</p>
142
143 <p>There's a program called sshdo for doing this. It controls which commands may be executed via incoming ssh connections. It's available for download at:</p>
144
145 <pre><code>http://raf.org/sshdo/ (read manual pages here)
146 https://github.com/raforg/sshdo/
147 </code></pre>
148
149 <p>It has a training mode to allow all commands that are attempted, and a --learn option to produce the configuration needed to allow learned commands permanently. Then training mode can be turned off and any other commands will not be executed.</p>
150
151 <p>It also has an --unlearn option to stop allowing commands that are no longer in use so as to maintain strict least privilege as requirements change over time.</p>
152
153 <p>It is very fussy about what it allows. It won't allow a command with any arguments. Only complete shell commands can be allowed.</p>
154
155 <p>But it does support simple patterns to represent similar commands that vary only in the digits that appear on the command line (e.g. sequence numbers or date/time stamps).</p>
156
157 <p>It's like a firewall or whitelisting control for ssh commands.</p>
158
159 </description>
160
161
162 </item>
163
164 </channel>
165 </rss>