On Solaris 5.9, is there any way to pass parameter(s), via SSH, to a command defined in the remote host's authorized_keys file?
We have a menu that uses SSH to control some apps on our various hosts. I've been tasked with enhancing it and making it more secure.
So far, the local host menu will use SSH to call a .ksh script on the remote host, with one of 4 parameters, to either start, stop, restart or check a program's status. That works fine.
What we would like to do is this:
-
Put the remote .ksh script name in the authorized_keys file, on the remote host, in the front of the key line, for the user calling it, from the local host. That would limit the user, using the menu, to only being able to run this .ksh script.
-
When the user make a choice on the local host menu, pass only the chosen parameter via the SSH login.
When I try it, the remote .ksh script runs, but errors out due to the parameter passing failing.
Is there any way to pass just the parameter(s)?
PabloCruise77, when connecting with ssh, if you run any commands like this:
ssh abc@systemxyz "ls -l"
and environment variable called SSH_ORIGINAL_COMMAND is set to whatever parameters you pass in to ssh.
This is an excerpt of an authorized_keys2 file for a user test:
command="/tmp/test.sh $SSH_ORIGINAL_COMMAND" ssh-dss AAAAB3NzaC1kc3MAAACBAOpMZlRTUFSmgTscvAmqsOwLel2GGHhwTzXvGou6Ta38ZyS32rr
4ITr3ypiIaIbKDPD2c7p5G8t45ctpLvqRCqTUejtPryXgPrKcJuUzS7LG3sbxdahCKMQk/SGgSEdHXd11dQI/O1LwW3FZ25yQsmR9jqNM+wb8b0dM4upbxMxxAAA
AFQCl1eK8NrdbUhStz8WDd1Jc5sF/PwAAAIEAmJlpIcMnHpwBRSKNUto6GfxbLS17l73SDHB8rAP+meYPYfWOaPAsmkQc4UUIdkQJfOzSStgXKsyDH7ybaOWeDcE
Ffw7kroJbu3wXAOl+JPon5C6aXkvGBR3Y7qsBEMXlW57kraot4Rya/RUblh5xjYbYEDcJsPafABUKpRjCbYsAAACBAN1gXh2OHEwOV7+KnHo5fubclort79wAldw
OZ2A+v86hRcEgGb3Bl1qZRVuKvfrgR/OPvxoAeKmMjgrCDld0MgkC3ZdWOhuZhuCzBZRkZTCKnQF4k54r6sc6pWxS/NBBsyvzPmntcakaOb9cLrLf1JnXk3k4xiO
8E037y+OJ3WAX samba@abcxyz
The /tmp/test.sh file is like this:
#!/usr/bin/ksh
echo "this is a test"
echo $SSH_ORIGINAL_COMMAND
echo $@
As user samba, if I run
ssh test@abcxyz "hello there"
, I get this:
$ ssh test@ssunsp3 "hello there"
this is a test
hello there
hello there
So you can just edit the authorized_keys2 file and send the contents of the $SSH_ORIGINAL_COMMAND variable as parameters to the script that you are running.
Thanks blowtorch!
At least on our version of Solaris 5.9, SSH_ORIGINAL_COMMAND contained the command and the parameter. Using the cut command, I was able to get the parameter and get the programs to act how I wanted.
I'm on a 3-month contract and this might get me a full-time gig!
Thanks a million!