I face a weird question I don't know how to deal with.
I tried to limit the permission of root user to remote login using ssh.
So I did the following for a client server,
edit /usr/local/etc/sshd_config and modify as below
PermitRootLogin forced-commands-only
using pubkey authentication and add the following command to authorized_keys
using a wrapper script "testssh" to parse $SSH_ORIGINAL_COMMAND and then do its own work. the test script is as below,
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
"shutdown")
Platform=`uname`
if [ $Platform == "Linux" ]; then
echo "This is Linux"
elif [ $Platform == "SunOS" ]; then
echo "This is SunOS"
fi
;;
"test")
echo "Test connection. This is `hostname`."
;;
*)
echo "Permission Denied. Terminated."
exit 1
;;
esac
The Solaris host ssh version is OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, and
there are two clients to test.
client 1: Solaris system using ssh version OpenSSH_5.9p1
client 2: Linux red hat 5.7 using ssh version OpenSSH_4.3p2
When I tested it using ssh root@client1 or ssh root@client1 "arguments" from the host connecting to clients, it worked well when connecting to the client 2, which is Linux OS. But when connecting to client 1, which is Solaris system, it kept showing the following message,
SSH_ORIGINAL_COMMAND: Undefined variable
I just can't figure it out. As I know, ssh will normally set this environment variables.
Does someone have any idea?? I've stuck on this for a while.
Can you take out the restriction again and run a simple remote command to list out the variables set into a file? Something like this might do:-
ssh root@client1 "env > /tmp/root.ssh.env ; set > /tmp/root.ssh.set"
Then sign in and have a look in the two files created to see if anything leaps out. I'm afraid that I don't have a Solaris server available to test this.
Oops, I might a little bit messed up with "host" and "client". Actually, I want to do a remote shutdown test from my "host" to shut down "all clients", and that's why I messed it up. I'll use your words below.
As you said, my first test command may not supply that variable. Do you mean client1 may not support the variable SSH_ORIGINAL_COMMAND?
Is this because of the ssh version too old? Is there any workaround?
That "command" is supplied in the SSH_ORIGINAL_COMMAND variable. Your ssh root@client1 doesn't supply one, so the variable will be empty/undefined. Supply one!