Compare commits
No commits in common. "main" and "v1.0" have entirely different histories.
@ -22,30 +22,6 @@ my %config = do $configfile;
|
||||
die "Couldn't run $configfile" unless %config;
|
||||
|
||||
my $user = $ENV{'USER'};
|
||||
my $authfile = $ENV{'SSH_USER_AUTH'};
|
||||
|
||||
my %publickeys;
|
||||
|
||||
if ($authfile && -f $authfile) {
|
||||
open my $fh, '<', $authfile or die "Found authentication file, but failed to read it: $!";
|
||||
while (<$fh>) {
|
||||
$_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;
|
||||
$publickeys{$1} = 1;
|
||||
}
|
||||
close $fh or print STDERR "Failed to close authentication file: $!";
|
||||
}
|
||||
|
||||
foreach my $userentry (keys %config) {
|
||||
my @userelements = split(':', $userentry);
|
||||
if (scalar @userelements > 1) {
|
||||
my $entry_user = $userelements[0];
|
||||
my $entry_key = $userelements[1];
|
||||
if ($entry_user eq $user && exists($publickeys{$entry_key})) {
|
||||
$user = $userentry;
|
||||
last;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (! exists($config{$user}) ) {
|
||||
print STDERR 'Unauthorized user.';
|
||||
@ -64,7 +40,7 @@ if ($ssh_cmd) {
|
||||
exit 1
|
||||
}
|
||||
|
||||
my %cmds = map { qr/^$_$/ => 1 } @{$config{$user}};
|
||||
my %cmds = map { qr{$_} => 1 } @{$config{$user}};
|
||||
|
||||
if ( any { $cmd =~ $_ } keys %cmds ) {
|
||||
exec $cmd;
|
||||
|
||||
@ -15,12 +15,10 @@
|
||||
|
||||
The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command.
|
||||
|
||||
The application supports handling different sets of authorized commands for a single user based on the public key the session was initiated with. This utilizes the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
In authorized_keys, sshd(8), the following syntax can be used:
|
||||
command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....
|
||||
command="/usr/bin/authorized-exec.pod /etc/authorized-exec/service1.pl" ssh-ed25519 ....
|
||||
|
||||
=head1 AUTHOR
|
||||
|
||||
|
||||
@ -18,9 +18,9 @@
|
||||
|
||||
|
||||
Name: authorized-exec
|
||||
Version: 0
|
||||
Version: 1.0
|
||||
Release: 0
|
||||
Summary: SSH command handler
|
||||
Summary: Health check
|
||||
License: EUPL-1.2
|
||||
Group: System/Monitoring
|
||||
URL: https://git.com.de/Georg/authorized-exec
|
||||
|
||||
@ -1,14 +1,10 @@
|
||||
# the patterns are read as regular expressions and anchored with ^ and $ by default
|
||||
(
|
||||
'georg2:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFY7Pvf4Rzn7C8Ioi1ZvY/O7tJsMCv27URdQE5o1daDK' => [
|
||||
'echo hi',
|
||||
'true',
|
||||
'printf %s [a-z0-9 ]+',
|
||||
],
|
||||
'georg2' => [
|
||||
'echo bye',
|
||||
'georg' => [
|
||||
'^echo hi$',
|
||||
'^true$',
|
||||
'^printf %s [a-z0-9 ]+$',
|
||||
],
|
||||
'root' => [
|
||||
'ls -a /root',
|
||||
'^ls -a /root$',
|
||||
],
|
||||
)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user