topic Re: ssh question in Operating System - HP-UX

ssh question

Michael Murphy_2 — Wed, 10 May 2006 10:58:43 GMT

I want to set up ssh to allow a user to remotely run a command but not to actually log on to a box - is there a way to do that?

Thanks

Re: ssh question

Vipulinux — Wed, 10 May 2006 11:13:04 GMT

Hi

You cab try using: rexec

http://linux.about.com/library/cmd/blcmdl1_rexec.htm

Cheers

Re: ssh question

Sung Oh — Wed, 10 May 2006 11:26:49 GMT

Hi Michael,

you can use remsh command to run a commend line based task remotely.
http://docs.hp.com/en/B2355-90690/remsh.1.html

here is an example of remote command via ssh.
http://www.itc.virginia.edu/desktop/security/ssh.html

Regards,
Sung

Re: ssh question

Michael Murphy_2 — Wed, 10 May 2006 11:31:47 GMT

More info:

I want to be able to:
ssh "command"

but not

ssh

the latter being a login to the machine

Re: ssh question

Darrel Louis — Wed, 10 May 2006 11:34:40 GMT

Hi Michael,

I don't think it's possible, because ssh, scp and sftp all uses the same port(22).
I quess you don't want to use rcp/remsh because of the security risks.

Maybe you can check for a restricted shell, where you only allow scp, but don't know if it's possible.

Darrel

Re: ssh question

Ken Grabowski — Wed, 10 May 2006 11:40:46 GMT

Sorry to say, but no there isn't. How ever you can achieve the same results through other means.

To use ssh as an equivalent to rexec or remsh you have to assign a working shell program like /usr/bin/sh to the user account. But you can edit the .profile and add:
cleanupExit() # Declare an exit routine
{
print "Bye!"
sleep 1
exit 0
}
print "Sorry! You may not login directly into this system!"
print "Press Return to Continue"
read
cleanupExit

Put the cleanupExit at top of .profile and the rest at the bottom. ssh will still work just fine as a remote shell command, but the user can not successfully login to the system.

The only problem with this approach is if you have password aging enabled. At some point the user will have to approach you to reset their password, even if you use certificates.

Re: ssh question

Darrel Louis — Wed, 10 May 2006 11:44:03 GMT

Hi,

I've tested the following:

- Added the following to my .profile
echo " No shell Login allowed"
exit

I'm able to scp to the server and logged out when I try ssh .

You can also add "trap" codes to the .profile.

Darrel

Re: ssh question

Ninad_1 — Wed, 10 May 2006 11:44:20 GMT

Yes you can do as have mentioned with ssh

ssh hostname "command"

Please refer
http://unixhelp.ed.ac.uk/CGI/man-cgi?ssh+1
for some help.

Regards,
ninad

Re: ssh question

Josiah Henline — Wed, 10 May 2006 13:43:48 GMT

Try setting the user's shell to "/usr/bin/false" in the /etc/passwd file.

Re: ssh question

Ralph Grothe — Thu, 11 May 2006 04:16:05 GMT

Certainly it is possible to distribute so called command rsa key files which allow only the commands the distributor placed in them.

Create a new rsa (or dsa) key pair

$ ssh-keygen -t rsa -b 1024 -N "" -f ~/.ssh/id_rsa_cmd

Edit the public key of the pair and place the commands you wish to be executed in the header.

$ vi ~/.ssh/id_rsa_cmd.pub

$ dd if=~/.ssh/id_rsa_cmd.pub bs=25 count=1 2>/dev/null;echo
command="hostname;uptime"

Distribute the public key to a remote ssh host where you want this command to be run on connect.

$ ssh saz@gouda 'cat >>.ssh/authorized_keys' < ~/.ssh/id_rsa_cmd.pub

Run a login with this key

$ ssh -i ~/.ssh/id_rsa_cmd saz@gouda
gouda
11:13am up 104 days, 23:35, 1 user, load average: 1.31, 1.47, 1.53
Connection to gouda closed.

To abbreviate the invocation you could edit
~/.ssh/config
on the SSH client and add a
Host entry
with
IdentityFile ~/.ssh/id_rsa_cmd

Then you can omit the -i switch.
See "man ssh_config" for details.

Re: ssh question

Michael Kalisz — Thu, 11 May 2006 05:32:46 GMT

Check the ssh forced commands feature:

http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html

//Michael