Hi Gordon,
I experimented a little because I was teased by your wee problem.
I came up with this poor man's "wrapper" one can devise with just the standard SSH features, and that at least works in our environment.
You may want to give it a try if it works with your settings as well.
Yes, it proved right that PermitRootLogin has to be enabled for anything to work.
But then I thought about the options in authorized_keys and had a little read in man sshd
So I did the following.
First I set these for the sshd where I want this to work
# grep ^Permit /opt/ssh/etc/sshd_config
PermitRootLogin yes
PermitUserEnvironment yes
Then I sent sshd a SIGHUP to make these settings valid
# kill -1 $(cat /var/run/sshd.pid)
Then on the sshd server I wrote this little script in root's $HOME/.ssh
(even needs not be executable)
# cat ~root/.ssh/rc
if [[ $KICKOUT_GRACE != 1 ]]; then
export UNIX95=
ppid=$(ps -o ppid= -p $$)
until [[ $ppid = 1 ]]; do
set -- $(ps -o pid= -o ppid= -p $ppid)
sshd_pid=$pid
pid=$1; ppid=$2
done
kill $sshd_pid
#ps -fp $sshd_pid|mailx -s test ralph.grothe@our-rotten.com
fi
On the ssh client side I generated a new DSA key (you may as well use RSA as cipher, I cling to DSA for patent reasons) under the account that needs to run nothing but root commands on the sshd server that I prepared above.
$ ssh-keygen -t dsa -b 1024 -N "" -f .ssh/id_dsa_root_gouda
I saved it to a separat file not to confuse with my other keys.
Then I edited the public key of this pair and prepended the following options to that key
$ sed 's/^\(.*\) ssh-dss.*/\1/' .ssh/id_dsa_root_gouda.pub
environment="KICKOUT_GRACE=1",command="/usr/bin/hostname && /usr/bin/uptime"
I then copied this public key file to gouda and appended it to root's authorized_keys
$ ssh root@gouda cat \>\>.ssh/authorized_keys < .ssh/id_dsa_root_gouda.pub
Now who ever tries an ssh login or remote command who doesn't posses the specially prepared DSA key gets kicked out.
But when I use this key I can run the commands specified in the command options.
e.g.
$ ssh root@gouda hostname\;who
Password:
Connection to gouda closed by remote host.
From another host
# ssh gouda
Password:
Last login: Fri Jan 21 15:15:07 2005 from themis.srz.lit.
Connection to gouda closed by remote host.
Connection to gouda closed.
But using the DSA key
$ ssh root@gouda -i .ssh/id_dsa_root_gouda
gouda
3:18pm up 74 days, 18:04, 4 users, load average: 0.55, 0.58, 0.60
Connection to gouda closed.
If you are sick of specifying the DSA key each time on the command line you could as well place it in the client's personal ssh config file.
e.g.
$ cat .ssh/config
Host gouda
User root
IdentityFile ~/.ssh/id_dsa_root_gouda
Host *
Protocol 2,1
IdentityFile ~/.ssh/saz_id_rsa
IdentityFile ~/.ssh/saz_id_dsa
IdentityFile ~/.ssh/saz_identity
User saz
Note, to place default options in a general Host match (*) at the end of this file.
Then all I need to do is
$ ssh gouda
gouda
3:22pm up 74 days, 18:08, 4 users, load average: 0.55, 0.57, 0.59
Connection to gouda closed.
I bet there are more tricks in stock.
Go and read man sshd, sshd_config, ssh
Madness, thy name is system administration
