comp.security.ssh - SSH secure remote login and tunneling tools.
#1
Hello, I'm trying to secure/tune my backup script with ssh like this:
http://www.hackinglinuxexposed.com/a.../20030109.html

A few problems:

- command/ForceCommand doesn't seem to accept wildcards or a chained command like:
  command="/path/to/backup-script.sh;scp -r -p -f /tmp/backup-*"
  (OpenBSD could maybe do this with systrace)
- same for from/Host: no wildcard?
- having recent ssh on multiple platforms ... but that's a problem with vendors' advice?

Thanks, regards
|
|
|
#2
In article <4528e447$0$21867$426a34cc@news.free.fr> julien Touche
<julien.touche@touche.fr.st> writes:

> i'm trying to secure/tune my backup script with ssh like this:
> http://www.hackinglinuxexposed.com/a.../20030109.html
>
> few problems:
> - command/ForceCommand doesn't seem to accept wildcards or a chained
> command like:
> command="/path/to/backup-script.sh;scp -r -p -f /tmp/backup-*"
> (openbsd could maybe, do this with systrace)

Worked fine for me (i.e. using multiple commands + wildcard, I didn't specifically try scp) on a quick test with OpenSSH 4.2p1. Though I don't really see the point in the above case, why not simply put everything you want to do in the script? (Or if you don't want to change "backup-script.sh", create another script to run it + whatever else you want to do.)

> - same for from/Host: no wildcard ?

Using from= with wildcard (as documented) worked fine for me too, don't know what "Host:" refers to. Of course you need to have DNS / hosts file set up such that your client IP address really maps back to the expected host name on the server (and presumably that the name in turn maps forward to the IP address). Assuming you have a host name in from=, that is - IP addresses can also be used.

--Per Hedeland
per@hedeland.org
|
|
|
#3
Per Hedeland wrote on 08/10/2006 22:28:
> Worked fine for me (i.e. using multiple commands + wildcard, I didn't
> specifically try scp) on a quick test with OpenSSH 4.2p1. Though I
> don't

I will retry scp and check their arguments, but it could be that in my setup some boxes are pre-4.0. Don't know which box release is important? Better to have the last release on the client or on the server?

> really see the point in the above case, why not simply put everything
> you want to do in the script? (Or if you don't want to change
> "backup-script.sh", create another script to run it + whatever else
> you want to do.)

This is about who does the connection: the backed-up box or the backup box. And I prefer the last one for firewall reasons.

>
>> - same for from/Host: no wildcard ?
>
> Using from= with wildcard (as documented) worked fine for me too,
> don't know what "Host:" refers to. Of course you need to have DNS /
> hosts file set up such that your client IP address really maps back
> to the expected host name on the server (and presumably that the name
> in turn maps forward to the IP address). Assuming you have a host
> name in from=, that is - IP addresses can also be used.

Pre-4.0 problem maybe. I will retry.

Thanks, regards
|
|
|
#4
In article <452a9ff0$0$30989$426a74cc@news.free.fr> julien Touche
<julien.touche@touche.fr.st> writes:

> Per Hedeland wrote on 08/10/2006 22:28:
>> Worked fine for me (i.e. using multiple commands + wildcard, I didn't
>> specifically try scp) on a quick test with OpenSSH 4.2p1. Though I
>> don't
> i will retry to scp and check there argument but could be that in my
> setup some box are pre-4.0.
> don't know which box release is important ? better to have last release
> on the client or the server ?

The client version is quite irrelevant, it has no influence on the processing of the options in authorized_keys - it doesn't even have to be OpenSSH at all. And I don't think the server version is important, I don't believe there have been any significant changes in this particular area in recent times - the whole command string is passed as-is to your login shell using the -c option.

>> really see the point in the above case, why not simply put everything
>> you want to do in the script? (Or if you don't want to change
>> "backup-script.sh", create another script to run it + whatever else
>> you want to do.)
> this is about who does the connection: the backuped box or the backup
> box. and i prefer the last one for firewall reasons.

I think you misunderstand me - you're telling the ssh server box to run

a) /path/to/backup-script.sh and then
b) scp -r -p -f /tmp/backup-*

I'm just saying that you could get the exact same effect with less messiness in the authorized_keys file, and less worries about what is actually supported there, by doing one of

1) put that scp command at the end of the /path/to/backup-script.sh script, or
2) create a new script, say /path/to/do-backup.sh, containing

    #!/bin/sh
    /path/to/backup-script.sh
    scp -r -p -f /tmp/backup-*

and then put just /path/to/do-backup.sh in authorized_keys. But anyway none of that should be needed.

--Per Hedeland
per@hedeland.org