LinuxQuestions.org


manya 08-23-2009 10:22 AM

issue in using private key file in bash script
 
Hi Guyz,

I am facing another issue in a bash script. I have set up private key/public key authentication on the server for my ID, and it has an empty password.
Now I need to write a bash script where other users can use this private key to execute certain commands on the remote server without providing a password, but I do not want them to misuse it or use it for other purposes.

Is this something that can be achieved? I tried everything but no luck. I hope I can get some help here.

sarin 08-23-2009 02:09 PM

Hmm... I can't think of any such methods. However, one trick will be to change the shell of the remote user to a very restrictive menu. Write a small C program to do this. But remember that is a very crude trick and not very safe. Below is an example. No guarantee about the security ;)

Code:

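#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <string.h>   /* memset(), strcmp() */

/* Allowed commands; the trailing newline matches what fgets() stores. */
static const char *valid_cmd[]={"ls\n","finger\n","reboot\n"};


int main(void)
{
        char cmd[1024];
        size_t cnt=0;
        int flg=0;

start:
        flg=0;
        printf("Command>");
        fflush(stdout);
        memset(cmd,0,sizeof(cmd));
        /* Leave on EOF or read error instead of looping forever. */
        if(fgets(cmd,1023,stdin)==NULL) goto end;
        if(!strcmp(cmd,"logout\n")) goto end;
        for(cnt=0;cnt<sizeof(valid_cmd)/sizeof(valid_cmd[0]);cnt++)
        {
                /* Run the input only when it exactly matches an allowed entry. */
                if(!strcmp(valid_cmd[cnt],cmd))
                {
                        flg=1;
                        system(cmd);
                }
        }
        if(!flg) printf("Command not found\n");
        goto start;
end:
        return 0;
}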


choogendyk 08-23-2009 09:07 PM

You can actually change the shell to a bash script and trap interrupts so that they can't get out of it to the general shell. Also, restrict the key so that it cannot be used to forward stuff. See the man page for how to restrict the key, and also see http://sial.org/howto/openssh/publickey-auth/ for a pretty good howto with key restriction. The O'Reilly book on the Korn shell tells how to do the menu with traps, and much of it is applicable to the bash shell. The intro talks about the history of the shells and the relationships.

The security, of course, is not guaranteed and depends in part on your care in crafting the script.
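
The key restriction and trapped script described in the post above, sketched as an added example that is not part of the original thread: the shared key is tied to a wrapper through the OpenSSH `authorized_keys` options `command=` and `no-*`, and the wrapper maps the client's request (which sshd passes in `SSH_ORIGINAL_COMMAND`) onto a fixed allow-list. The script path, the task names `uptime` and `disk-usage`, the binary paths and the key text are assumptions made for illustration.

```bash
#!/bin/bash
# Forced-command wrapper for a shared, passwordless key (added example).
# Constructed authorized_keys line on the server; key text and script path
# are placeholders:
#   command="/usr/local/bin/ssh-allowlist",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER shared-key

# Translate a requested task name into a fixed command line chosen by the admin.
# Only exact names match, so "uptime; sh" or "df -h /etc" are refused.
resolve_command() {
    case "$1" in
        uptime)     echo "/usr/bin/uptime" ;;   # assumed path
        disk-usage) echo "/bin/df -h" ;;        # assumed path
        *)          return 1 ;;
    esac
}

# Check one request: prints the command line that would run, or returns 1
# for an empty request or anything outside the allow-list.
check_request() {
    if [ -z "$1" ]; then
        echo "interactive login is not permitted" >&2
        return 1
    fi
    if ! resolve_command "$1"; then
        echo "rejected: not an allowed task" >&2
        return 1
    fi
}

# sshd runs this script in place of whatever the client asked for and puts
# the client's request in SSH_ORIGINAL_COMMAND. With the variable unset
# (interactive login attempt, or the file run by hand) the script simply
# ends, so no shell is ever started.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    trap '' INT QUIT TSTP      # ignore interrupts while the task is set up
    cmdline=$(check_request "$SSH_ORIGINAL_COMMAND") || exit 1
    # $cmdline comes only from the table above, so word-splitting it is safe.
    exec $cmdline
fi
```

Because the client's string is only compared against the table and never handed to a shell, a user holding the private key can trigger the listed tasks and nothing else.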

chrism01 08-24-2009 01:49 AM

You could put the cmds in sudo, which restricts them to only using those cmds. It's not just for root type work, you can use the same technique to switch to any user (su = switch user).
Depends how many users and what cmds. You'll prob want to use CMD & USER aliases if multiple users/cmds are needed.
See the examples in the sudoers file.
http://www.gratisoft.us/sudo/man/sudoers.html

