
The problem is that I want to run certain ssh commands (or scripts) from computerA to computerB without using a password.

Examples:

ssh apple@computerB 'poweroff'
ssh apple@computerB "killall firefox; systemctl enable apache; firefox"
ssh apple@computerB < superscript.txt

I also want to do this as securely as I can. I should not be able to ssh to computerB if I simply open up a terminal. And obviously not be able to edit the scripts/programs and run them afterwards.

I was thinking about using SUID and a different user with ssh keys to access the computer, but there are security concerns regarding SUID and interpreted scripts.

Does anyone have any suggestions?

Saft
  • 36
  • 4

1 Answer


Rather than having SUID programs on the SSH host, it's better to connect as a user with the required privileges, but to bind a specific command to that key.

We do that in the target user's .ssh/authorized_keys file. For example,

command="poweroff" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQwKcn2AJxNpuzRM/SfJLn0UEXCMmAmI2Xdqeng4nB9 saft@home

If we want to use one of several commands, we can use a script that interprets $SSH_ORIGINAL_COMMAND appropriately:

#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
  poweroff)
    exec poweroff
    ;;
  firefox)
    killall firefox; systemctl enable apache; exec firefox
    ;;
  *)
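    # Plain single quotes around the value: a backtick inside double quotes
    # would start a command substitution and break the script.
    printf '%s\n' >&2 \
        "Unrecognised command '$SSH_ORIGINAL_COMMAND'" \
        'Valid commands are:' \
        ' * poweroff' \
        ' * firefox'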
    exit 1
    ;;
esac
Toby Speight
  • 8,460
  • 3
  • 26
  • 50
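
Added example, not part of the answer above and not code from OpenSSH: a stricter form of the same dispatcher, with the key line locked down by the authorized_keys option restrict and rejected requests sanitised and logged. The install path /usr/local/bin/ssh-dispatch, the --forced argument, the placeholder key and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Forced-command dispatcher for computerB (added example; names are assumptions).
# Assumed install path: /usr/local/bin/ssh-dispatch, owned by root and not
# writable by the login user. Assumed authorized_keys entry (placeholder key):
#   restrict,command="/usr/local/bin/ssh-dispatch --forced" ssh-ed25519 <PUBLIC-KEY> saft@home
# "restrict" disables PTY allocation and port, agent and X11 forwarding for the key.

# Map a client request to the single fixed command line it may trigger.
# The request must match as a whole string and is never eval'ed, so
# "poweroff; id" or "firefox --version" are refused rather than partly honoured.
resolve_request() {
    case "$1" in
        poweroff) printf '%s\n' 'poweroff' ;;
        firefox)  printf '%s\n' 'killall firefox; systemctl enable apache; exec firefox' ;;
        *)        return 1 ;;
    esac
}

# Reduce an untrusted string to printable ASCII (max 80 chars) before it is
# logged or echoed, so escape sequences cannot reach the log or a terminal.
printable() {
    printf '%s' "$1" | LC_ALL=C tr -cd '[:print:]' | cut -c1-80
}

main() {
    # Unset when the client asked for an interactive shell; treated as a denial.
    request=${SSH_ORIGINAL_COMMAND-}
    if action=$(resolve_request "$request"); then
        # $action is one of the constants above. Client stdin, e.g.
        # "ssh ... < superscript.txt", is only data for that command.
        exec sh -c "$action"
    fi
    shown=$(printable "$request")
    logger -t ssh-dispatch "denied from ${SSH_CONNECTION%% *}: $shown" 2>/dev/null || :
    printf '%s\n' "Unrecognised command '$shown'" \
        'Valid commands are:' ' * poweroff' ' * firefox' >&2
    exit 1
}

# Run only when sshd starts the script with --forced, as in the entry above.
if [ "${1-}" = "--forced" ]; then
    main
fi
```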