authorized-exec/authorized-exec.pod
Georg Pfuetzenreuter 194a71e968
Support multiple keys per user
In use cases where one user is supposed to be reachable with multiple
public keys, but where each public key should only have access to a
specific set of commands, the variable $SSH_USER_AUTH will be considered
together with colon separated username->key pairs in the configuration
to determine the set of commands to use.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2024-10-20 15:49:24 +02:00


=head1 NAME

authorized-exec - command wrapper

=head1 SYNOPSIS

    authorized-exec <config file> <command line>

    authorized-exec /etc/authorized-exec/service1.pl -- echo hello
=head1 DESCRIPTION

This application takes a command line and validates it against a configuration file containing mappings from usernames to authorized commands. This is useful as a forced SSH command - option "command" in authorized_keys, sshd(8), or option "ForceCommand" in sshd_config(5) - when multiple commands are intended to be allowed using a single SSH key, or when multiple services need to access the same user but each only with a specific set of allowed commands.

It is not intended as a standalone security tool; it should be used in the context of additional restrictions, such as those provided by OpenSSH.

The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is set by sshd when the application is used as a forced SSH command.

The application supports handling different sets of authorized commands for a single user based on the public key the session was initiated with. This utilizes the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).
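The validation flow described above, written out as an added Python example; this is not the authorized-exec project's own code, and its dictionary configuration format (a bare username, or "user:<keytype> <base64 key>" to bind a command set to one public key) and its reading of the $SSH_USER_AUTH file (assumed to contain lines of the form "publickey <keytype> <base64 key>") are assumptions for illustration. It takes the command line from the arguments after "--" or from $SSH_ORIGINAL_COMMAND, selects the command set by user and, when available, by key, and only executes a command that matches an allowed entry token for token.

```python
"""Added example of a forced-command validator (not the project's code)."""
import os
import pwd
import shlex
import sys
from typing import Dict, List, Optional, Sequence

Config = Dict[str, List[str]]

# Constructed sample configuration (hypothetical format, not the project's
# own .pl config). A plain username maps to commands allowed for every key;
# "user:<keytype> <base64>" binds a command set to exactly one public key.
SAMPLE_CONFIG: Config = {
    "backup": ["rsync --server --sender -logDtpre.iLsfxC . /srv/data"],
    "deploy:ssh-ed25519 AAAAC3ExampleKeyOne": ["systemctl restart app"],
    "deploy:ssh-ed25519 AAAAC3ExampleKeyTwo": ["systemctl status app"],
}


def parse_user_auth(text: str) -> Optional[str]:
    """Return "<keytype> <base64>" of the first public key listed in the file
    that sshd (with ExposeAuthInfo) points $SSH_USER_AUTH at. Assumed line
    format: "publickey <keytype> <base64>"; other lines are ignored."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "publickey":
            return f"{parts[1]} {parts[2]}"
    return None


def allowed_commands(config: Config, user: str, key: Optional[str]) -> List[str]:
    """A key-specific entry wins; otherwise fall back to the bare user entry."""
    if key is not None and f"{user}:{key}" in config:
        return config[f"{user}:{key}"]
    return config.get(user, [])


def validate(config: Config, user: str, command: str,
             key: Optional[str] = None) -> Optional[List[str]]:
    """Return the argv to execute if `command` matches an allowed entry
    exactly (token-wise after shell-style splitting), otherwise None."""
    try:
        requested = shlex.split(command)
    except ValueError:
        return None  # unbalanced quotes etc.: refuse rather than guess
    for entry in allowed_commands(config, user, key):
        if shlex.split(entry) == requested:
            return requested
    return None


def requested_command(argv: Sequence[str], env: Dict[str, str]) -> Optional[str]:
    """Command line after "--" on our own argv, else $SSH_ORIGINAL_COMMAND."""
    args = list(argv)
    if "--" in args:
        rest = args[args.index("--") + 1:]
        return " ".join(shlex.quote(a) for a in rest) if rest else None
    return env.get("SSH_ORIGINAL_COMMAND")


def key_from_env(env: Dict[str, str]) -> Optional[str]:
    """Read the public key from the $SSH_USER_AUTH file, if sshd provided one."""
    path = env.get("SSH_USER_AUTH")
    if not path:
        return None
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_user_auth(fh.read())
    except OSError:
        return None


def main() -> int:
    env = dict(os.environ)
    user = pwd.getpwuid(os.getuid()).pw_name
    command = requested_command(sys.argv, env)
    if command is None:
        print("authorized-exec: no command given", file=sys.stderr)
        return 1
    # SAMPLE_CONFIG stands in for the config file named by sys.argv[1].
    argv = validate(SAMPLE_CONFIG, user, command, key_from_env(env))
    if argv is None:
        print(f"authorized-exec: command not authorized for {user}", file=sys.stderr)
        return 1
    os.execvp(argv[0], argv)  # replace the wrapper, never go through a shell
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Two choices matter for the security property: the requested command is compared as a token list against the allowed entry rather than as a prefix or substring, so appended arguments or shell metacharacters do not match, and the accepted argv is passed to execvp directly instead of a shell. A key-bound entry is only consulted when $SSH_USER_AUTH actually yields a key, so a user whose configuration has no bare entry gets nothing if ExposeAuthInfo is not enabled.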
=head1 EXAMPLES

In authorized_keys, sshd(8), the following syntax can be used:

    command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....

=head1 AUTHOR

Georg Pfuetzenreuter

=head1 LICENSE

Licensed under the European Union Public Licence.