Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
1e334382ba
|
|||
|
599a5c9bc8
|
|||
|
194a71e968
|
@ -22,6 +22,30 @@ my %config = do $configfile;
|
|||||||
die "Couldn't run $configfile" unless %config;
|
die "Couldn't run $configfile" unless %config;
|
||||||
|
|
||||||
my $user = $ENV{'USER'};
|
my $user = $ENV{'USER'};
|
||||||
|
my $authfile = $ENV{'SSH_USER_AUTH'};
|
||||||
|
|
||||||
|
my %publickeys;
|
||||||
|
|
||||||
|
if ($authfile && -f $authfile) {
|
||||||
|
open my $fh, '<', $authfile or die "Found authentication file, but failed to read it: $!";
|
||||||
|
while (<$fh>) {
|
||||||
|
$_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;
|
||||||
|
$publickeys{$1} = 1;
|
||||||
|
}
|
||||||
|
close $fh or print STDERR "Failed to close authentication file: $!";
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach my $userentry (keys %config) {
|
||||||
|
my @userelements = split(':', $userentry);
|
||||||
|
if (scalar @userelements > 1) {
|
||||||
|
my $entry_user = $userelements[0];
|
||||||
|
my $entry_key = $userelements[1];
|
||||||
|
if ($entry_user eq $user && exists($publickeys{$entry_key})) {
|
||||||
|
$user = $userentry;
|
||||||
|
last;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (! exists($config{$user}) ) {
|
if (! exists($config{$user}) ) {
|
||||||
print STDERR 'Unauthorized user.';
|
print STDERR 'Unauthorized user.';
|
||||||
|
|||||||
@ -15,10 +15,12 @@
|
|||||||
|
|
||||||
The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command.
|
The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command.
|
||||||
|
|
||||||
|
The application supports handling different sets of authorized commands for a single user based on the public key the session was initiated with. This utilizes the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).
|
||||||
|
|
||||||
=head1 EXAMPLES
|
=head1 EXAMPLES
|
||||||
|
|
||||||
In authorized_keys, sshd(8), the following syntax can be used:
|
In authorized_keys, sshd(8), the following syntax can be used:
|
||||||
command="/usr/bin/authorized-exec.pod /etc/authorized-exec/service1.pl" ssh-ed25519 ....
|
command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....
|
||||||
|
|
||||||
=head1 AUTHOR
|
=head1 AUTHOR
|
||||||
|
|
||||||
|
|||||||
@ -18,9 +18,9 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: authorized-exec
|
Name: authorized-exec
|
||||||
Version: 1.1
|
Version: 0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Health check
|
Summary: SSH command handler
|
||||||
License: EUPL-1.2
|
License: EUPL-1.2
|
||||||
Group: System/Monitoring
|
Group: System/Monitoring
|
||||||
URL: https://git.com.de/Georg/authorized-exec
|
URL: https://git.com.de/Georg/authorized-exec
|
||||||
|
|||||||
@ -1,10 +1,13 @@
|
|||||||
# the patterns are read as regular expressions and anchored with ^ and $ by default
|
# the patterns are read as regular expressions and anchored with ^ and $ by default
|
||||||
(
|
(
|
||||||
'georg' => [
|
'georg2:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFY7Pvf4Rzn7C8Ioi1ZvY/O7tJsMCv27URdQE5o1daDK' => [
|
||||||
'echo hi',
|
'echo hi',
|
||||||
'true',
|
'true',
|
||||||
'printf %s [a-z0-9 ]+',
|
'printf %s [a-z0-9 ]+',
|
||||||
],
|
],
|
||||||
|
'georg2' => [
|
||||||
|
'echo bye',
|
||||||
|
],
|
||||||
'root' => [
|
'root' => [
|
||||||
'ls -a /root',
|
'ls -a /root',
|
||||||
],
|
],
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user