issue in using private key file in bash script

manya · 08-23-2009, 10:22 AM

Hi Guyz,

I am facing another issue in bash script. I am set up with private key/pub key authentication on server for my ID and has empty password.
Now I need to write a bash script where other users can use this private key to execute certain commands on remote server without providing password, but I do not want them to mis-use it and do not want them to use it for other purpose.

is this something can be achieved? I tried everything but no luck, I hope I can get some help from here.

sarin · 08-23-2009, 02:09 PM

Hmm... I can't think of any such methods. However, one trick will be to change the shell of the remote user to a very restrictive menu. Write a small C program to do this. But remember that is a very crude trick and not very safe. Below is an example. No guarantee about the security

Code:

#include <stdio.h>

unsigned char *valid_cmd[]={"ls\n","finger\n","reboot\n"};


int main()
{
        unsigned char cmd[1024];
        int cnt=0;
        int flg=0;

start:
        flg=0;
        printf("Command>");
        memset(cmd,0,sizeof(cmd));
        fgets(cmd,1023,stdin);
        for(cnt=0;cnt<sizeof(valid_cmd)/(sizeof(unsigned char*));cnt++)
        {
                if(!strcmp(cmd,"logout\n")) goto end;
                if(!strcmp(valid_cmd[cnt],cmd))
                {
                        flg=1;
                        system(cmd);
                }
        }
        if(!flg) printf("Command not found\n");
        goto start;
end:
        return 0;
}

choogendyk · 08-23-2009, 09:07 PM

You can actually change the shell to a bash script and trap interrupts so that they can't get out of it to the general shell. Also, restrict the key so that it cannot be used to forward stuff. See the man page for how to restrict the key, and also see http://sial.org/howto/openssh/publickey-auth/ for a pretty good howto with key restriction. The O'Reilly book on the Korn shell tells how to do the menu with traps, and much of it is applicable to the bash sehll. The intro talks about the history of the shells and the relationships.

The security, of course, is not guaranteed and depends in part on your care in crafting the script.

chrism01 · 08-24-2009, 01:49 AM

You could put the cmds in sudo, which restricts them to only using those cmds. Its not just for root type work, you can use the same technique to switch to any user (su = switch user).
Depends how many users and what cmds. You'll prob want to use CMD & USER alaises if multiples users/cmds are needed.
See the examples in the sudoers file.
http://www.gratisoft.us/sudo/man/sudoers.html