Robert Scholten and I chatted offline, and I evolved a pretty simple
way to narrow ssh right down so it will only permit specific rsync
invocations.
The typical problem is that you need to do several different rsync
commands to handle all the backup needs for a specific setting, but
you don't want to permit all other possible rsync commands. It turns
out that this sort of fine-grained restriction is easy to implement,
using the SSH_ORIGINAL_COMMAND environment variable, together with
the command= restriction in authorized_keys. If you are using
OpenSSH, you may need a patch to implement that environment variable
until the next release of OpenSSH comes out.
Armed with those, set up your ssh with public keys, then edit the
authorized_keys file: on the line that contains the public key
you're using for this connection, prepend something like
from="x.y.z.t",command="/path/to/wrapper" ...
i.e. with a space after the last double-quote, followed by the key
data itself. x.y.z.t should be the IP address of the host
originating this connection; that adds another layer of restriction.
The wrapper script should initially contain something like:
#!/bin/sh
# Logging phase: record exactly what the client asked for, then run it
# as rsync in server mode only (quoted, so spacing is logged verbatim).
echo "$SSH_ORIGINAL_COMMAND" >>/tmp/foo
set -- $SSH_ORIGINAL_COMMAND
shift; shift          # drop the leading "rsync --server"
exec /usr/bin/rsync --server "$@"
That will narrow it down so the only thing that can be done with
that key is rsync in server mode, and meanwhile you're building a
log of the commands actually needed. Once you've collected them all,
it's easy to script a check that only allows those commands: e.g.
move the /tmp/foo log of commands somewhere else, say
/etc/rsync-cmds-permitted, maybe clean it up with sort -u, then code
the wrapper as
#!/bin/sh
die(){ echo "$*">&2; exit 1; }
# -F: match the command literally rather than as a regex (so '.', '*'
# or '\|' in a crafted command can't match a different permitted line);
# -x: the whole line must match; -e: a command starting with "-" is
# still read as the pattern, not as a grep option.
grep -qxF -e "$SSH_ORIGINAL_COMMAND" /etc/rsync-cmds-permitted || \
die "zark off"
exec $SSH_ORIGINAL_COMMAND
The trouble is that the --server command line isn't, as far as I can
tell, documented, so the best way I figure to do this sort of
fine-tuned restriction is to just see what rsync is doing then set
it up so nothing else will be permitted.
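Putting the two phases above together, here is an enforcing wrapper I
would write for the command="..." restriction. It is an added example,
not code from the original post: it accepts SSH_ORIGINAL_COMMAND only
when it has the shape the rsync client sends to the remote side
("rsync --server ...") and appears verbatim as one line of the
allow-list collected during the logging phase. The allow-list path
/etc/rsync-cmds-permitted (overridable through RSYNC_ALLOWLIST for
testing) and the binary path /usr/bin/rsync are assumptions; the
function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): enforcing wrapper for the
# command="..." restriction in authorized_keys. Assumed paths: the
# allow-list is /etc/rsync-cmds-permitted (RSYNC_ALLOWLIST overrides it
# for testing) and rsync is /usr/bin/rsync.

allowlist=${RSYNC_ALLOWLIST:-/etc/rsync-cmds-permitted}

# A literal newline, used to reject multi-line "commands": grep would
# treat each line of such a pattern as a separate pattern.
nl=$(printf '\nx'); nl=${nl%x}

# cmd_permitted CMD FILE: succeed only if CMD is exactly one line of FILE.
#   -F  match literally ('.', '*', '\|' in a crafted command are not regex)
#   -x  the whole line must match, never a substring
#   -e  a command beginning with '-' is still read as the pattern
cmd_permitted() {
    cmd=$1; file=$2
    [ -n "$cmd" ] || return 1
    [ -r "$file" ] || return 1
    case $cmd in
        *"$nl"*) return 1 ;;
    esac
    grep -qxF -e "$cmd" "$file"
}

# is_rsync_server CMD: succeed only for the shape the rsync client sends
# to the remote end ("rsync --server ..."), so a stray line in the
# allow-list can never turn the key into a general-purpose shell.
is_rsync_server() {
    case $1 in
        "rsync --server "*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_wrapper: the entry point sshd's forced command reaches. An unset or
# empty SSH_ORIGINAL_COMMAND (client asked for a shell) is rejected.
run_wrapper() {
    cmd=${SSH_ORIGINAL_COMMAND-}
    [ -n "$cmd" ] || { echo "no command supplied" >&2; exit 1; }
    is_rsync_server "$cmd" || { echo "not an rsync server command" >&2; exit 1; }
    cmd_permitted "$cmd" "$allowlist" || { echo "command not permitted" >&2; exit 1; }
    # The string is byte-for-byte a line logged from an earlier run, so the
    # same whitespace splitting the logging wrapper used reproduces rsync's
    # argument list. Globbing is disabled so a '*' argument stays literal.
    set -f
    set -- $cmd
    shift                       # drop the leading "rsync"; "$@" now begins with --server
    exec /usr/bin/rsync "$@"
}

# sshd sets SSH_CONNECTION for every session. Outside a session (for
# example when this file is sourced by a test) only the functions are
# defined and nothing is executed.
if [ "${SSH_CONNECTION+set}" = set ]; then
    run_wrapper
fi
```

Install it as the command="..." target exactly as with the logging
wrapper; rejected attempts are reported on the client's stderr, which
is where the author's "zark off" went too. The literal match is the
important detail: with plain grep -x the client-supplied string is a
regular expression, so a command that differs from a permitted line
only in a regex-special character would both pass the check and be
executed as written.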
-Bennett