5 thoughts on “Restrict SSH logins to a single command”

  1. Nice blog post! Just a question on the security risks of $SSH_ORIGINAL_COMMAND:

    Do you know of any way to restrict $SSH_ORIGINAL_COMMAND to a certain set of characters, or even sandbox the execution? For example, I would just do a "cd ~/$SSH_ORIGINAL_COMMAND && git pull", but this construct is vulnerable to injection, whether you quote it or not. :-(

  2. Peter, those values are environment variables and are not interpolated by the SSH daemon before running the command, so you _can_ safely use them simply by quoting them e.g. you might make it so that the command looked something like this:

    [[ "$SSH_ORIGINAL_COMMAND" =~ ^(a_safe_folder|another_safe_directory)$ ]] && cd "$SSH_ORIGINAL_COMMAND" && git pull

    However, since those are just environment variables, my personal preference is to not try and shove a long script into the command parameter and instead do something simpler like command="/path/to/script", then put all of the logic into the language of your choice, be it Bash, Python, Perl, etc., into that one file. This also enables you to lock down the account that's being SSH'd into by changing that user's shell to something like /bin/sh to reduce the likelihood of being impacted by something like the "shellshock" bug. There are also various restricted shells out there, although some are not without their own vulnerabilities and issues.
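The wrapper-script approach the reply above recommends, written out as an added example (this is not the commenter's script or the blog post's own code). It is installed as the forced command in authorized_keys, reads the client's request from SSH_ORIGINAL_COMMAND, and only ever compares that string against an allowlist of directory names; the request is never handed to a shell for interpretation, which is what makes the injection worry in the first comment moot. The directory names, the wrapper path and the account name are assumptions for illustration.

```shell
#!/bin/sh
# Added example of a forced-command wrapper (assumed path /usr/local/bin/git-pull-only).
# Matching authorized_keys line, with the usual options to remove everything but
# this one command:
#   command="/usr/local/bin/git-pull-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... deploy@example
# sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND and runs
# this script instead, regardless of what was requested.

# Allowlisted repository directories under the account's HOME (assumed names).
ALLOWED_REPOS="a_safe_folder another_safe_directory"

# Return 0 if $1 is exactly one allowlisted name, 1 otherwise.
# This is a whole-string comparison, so requests such as "a_safe_folder; id"
# or "../etc" fail because they are not literally one of the names; no part of
# the input is ever evaluated by the shell.
is_allowed_repo() {
    req="$1"
    for name in $ALLOWED_REPOS; do
        [ "$req" = "$name" ] && return 0
    done
    return 1
}

# Validate a request and print the absolute repository path it maps to.
# Returns 0 on success; returns 1 and logs the rejection to stderr otherwise.
repo_path_for() {
    req="$1"
    if [ -z "$req" ]; then
        echo "git-pull-only: no command supplied" >&2
        return 1
    fi
    if is_allowed_repo "$req"; then
        printf '%s/%s\n' "$HOME" "$req"
        return 0
    fi
    echo "git-pull-only: rejected request: $req" >&2
    return 1
}

# Entry point when sshd invokes the wrapper as a forced command.
main() {
    dir=$(repo_path_for "${SSH_ORIGINAL_COMMAND:-}") || exit 1
    # $dir was built only from HOME plus an allowlisted token, so it is safe to use.
    exec git -C "$dir" pull --ff-only
}

# Only dispatch when actually running under sshd (it sets SSH_CONNECTION), so the
# functions above can be sourced and checked without triggering a pull.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

Note that the pull is run with the account's own shell set to something minimal, as the reply suggests; the wrapper itself needs no features beyond POSIX sh, so it works unchanged under /bin/sh or dash.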
