Make SSH_ORIGINAL_COMMAND available in AuthorizedKeysCommand context
Francois Leurent
fleurent at ivsweb.com
Wed Feb 5 21:44:28 EST 2014
Hi
Using SSH_ORIGINAL_COMMAND in AuthorizedKeys is so helpful, I'd like to
know if it might be possible to access it in the AuthorizedKeysCommand
context (via env ?). Is this possible ? can anybody give me advice on
going into this ?
If possible, I'll use this SSH_ORIGINAL_COMMAND to send client specifics
information to the AuthorizedKeysCommand script. Currently, the only
alternative to this is to use the login itself (we have around 30k+
different 'hosts' that might want to connect to our servers) to identify
the client, but that come with the need of a custom nss endpoint
configuration (we use libnss-pgsql2 ) to support dynamic user lookup, and
more work (to manage uid & co)
Using 'one' standard user file was enough (and a lot simplier), as those
hosts don't need to do anything but to setup a revert port forwarding
rule, and are bound to a very limited shell.
My (now useless) /home/host_controler/.ssh/authorized_keys file (build on
a cron run) was like :
command="limited_shell.sh --host_id=XXX1 $SSH_ORIGINAL_COMMAND" ssh-rsa
pubkey of host 1"
command="limited_shell.sh --host_id=XXX2 $SSH_ORIGINAL_COMMAND" ssh-rsa
pubkey of host 2"
command="limited_shell.sh --host_id=XXX3 $SSH_ORIGINAL_COMMAND" ssh-rsa
pubkey of host 3"
...
Thank you very much for your help
Francois Leurent
More information about the openssh-unix-dev
mailing list