authorized-exec/authorized-exec.pod


=head1 NAME

authorized-exec - command wrapper

=head1 SYNOPSIS

    authorized-exec <config file> <command line>
    authorized-exec /etc/authorized-exec/service1.pl -- echo hello

=head1 DESCRIPTION

This application takes a command line and validates it against a configuration file containing mappings from usernames to authorized commands. This is useful as a forced SSH command (option "command" in authorized_keys, see sshd(8), or option "ForceCommand" in sshd_config(5)) when multiple commands are to be allowed using a single SSH key, or when multiple services need to access the same user but each only with a specific set of allowed commands.

It is not intended as a standalone security tool; it should be used in the context of additional restrictions, such as those provided by OpenSSH.

The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is set when the application is used as a forced SSH command.

The application supports different sets of authorized commands for a single user, based on the public key the session was initiated with. This uses the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).

=head1 EXAMPLES

In authorized_keys (see sshd(8)), the following syntax can be used:

    command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....

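The validation flow from DESCRIPTION, sketched in Python as an added illustration; this is not the project's own code, and it does not use the project's configuration format. The policy layout, the user name "backup", the constructed key strings, the function names, and the choice to prefer command-line arguments over $SSH_ORIGINAL_COMMAND are all assumptions made for the example.

```python
import os
import shlex
import sys

# Hypothetical policy: user -> public key ("type base64") -> allowed argv lists.
# Key strings are constructed placeholders, not real keys.
POLICY = {"backup": {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA": [["echo", "hello"], ["uptime"]],
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyB": [["df", "-h"]],
}}

def session_keys(auth_info_text):
    """Public keys listed in the file that $SSH_USER_AUTH points at (ExposeAuthInfo)."""
    keys = set()
    for line in auth_info_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "publickey":
            keys.add(f"{fields[1]} {fields[2]}")
    return keys

def requested_argv(cli_args, environ):
    """Command from the arguments after the config file, else $SSH_ORIGINAL_COMMAND."""
    if cli_args:
        return cli_args[1:] if cli_args[0] == "--" else cli_args
    try:
        return shlex.split(environ.get("SSH_ORIGINAL_COMMAND", ""))
    except ValueError:  # unbalanced quotes: treat as no command, fail closed
        return []

def authorize(user, argv, keys, policy=POLICY):
    """Return argv only if it exactly matches an entry for this user and session key."""
    if not argv:
        return None
    for key, commands in policy.get(user, {}).items():
        if key in keys and argv in commands:
            return argv
    return None

if __name__ == "__main__":
    path = os.environ.get("SSH_USER_AUTH")
    keys = session_keys(open(path).read()) if path else set()
    argv = authorize(os.environ.get("USER", ""),
                     requested_argv(sys.argv[2:], os.environ), keys)
    if argv is None:
        sys.exit("command not authorized")
    os.execvp(argv[0], argv)  # no shell involved: the matched argv runs as-is
```

Because the comparison is on the whole argument vector and nothing is passed to a shell, a request such as "echo hello; id" tokenises to a different vector and is rejected.
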
=head1 AUTHOR

Georg Pfuetzenreuter

=head1 LICENSE

Licensed under the European Union Public Licence.