Ssh – Grant ssh access for single session

sshssh-tunneling

I wonder if there is a tool/modified ssh-server/ssh option which enables me to grant ssh access for a single session to a given user. What I want to avoid is creating a user account and password for the specific guest. It could instead use an existing user account with certain access rights to be set once. I do not want to share the same account information with everybody I grant access to. The access permission should either work only once/time out after a given interval or the tool should ask me if it detects an access whether I want to grant it. The idea is to share a line like

ssh tempuser001@host

where tempuser001 is tells the server who tries to access but does not correspond to a real user. The user could use his temporary privileges to do all the fancy things you can with ssh connections, like scp, rsync, and whatever works through tunnels likevnc, … The inspiration for this comes from teamviewer, a kind of vnc which permits a remote user to access my desktop once I shared an id with him.

Best Answer

One solution would be to use ssh keys for this.

You can specify a command to run whenever a certain ssh key is used to log into the server. By combining this with a simple login script you can get whatever access control you want.

Here is a quick example I whipped up which grants access until a certain date.

Add the user's ssh to the target user's authorized_keys file. In this example I add the date after which the user should no longer have access.

~/.ssh/authorized_keys

command="/etc/ssh/access.sh 2013-04-05" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc7nKsHpuC6WW8sBbf1j0snelmBsPAN5GQdJ86sJCyCsDzykvB2i2anLS/U131p0yDf0bU8W8kdsLE9pHQ5NLWlxlyWmFxdKujg4B+WxyHFKO0PHKfQhXEwMrYE4m9QwGYtsQrrWXBg4vQwUvOQDA4cNhdvNrIf/V+BGcdWtCXO/JGy7vkyKLd8LLHcZGsG3Pq5trHAKHaWkQgBN8P+atIX3FbwwQl4Ja020P7LW0ddPuUJxltOS11ZjdsG04s/xpL6JX3xi9FdDpO13SkQ5cqD0GIFkI+CLksqGYvvvpC7/22Rl4hc3nAcOIiwekylSB5rpU4LawF1IxCk0sg0BGr

And create the login script to be executed.

/etc/ssh/access.sh

#!/bin/bash

until="$1"

if (( $(date --date="$until" +%s) < $(date +%s) )); then
    echo "Your login has expired"
    exit
fi

exec ${SSH_ORIGINAL_COMMAND:--a -${SHELL##*/} $SHELL}

(don't forget to chmod a+x /etc/ssh/access.sh after creating it)

Once access has expired it'll look like this

PROMPT # ssh localhost
Your login has expired
Connection to localhost closed.
PROMPT #

Related Solutions

Ssh – tunneling VNC/rdesktop over ssh

I would prefer to setup a vpn (openvpn for example) with server on your machine and client on your friend's machine. When he wants you to connect, he opens the vpn (no login involved on your machine) and you open your remote desktop client to his machine's IP (at least with openvpn, you can assign a "fixed" IP to his machine so you can save it, not needing to look at it everytime).

This way you have no login to your machine and you only access his machine when he opens the VPN. On the other side, you can shutdown the server when you don't want him to connect to your machine. Anyways, if you don't give him a user on your machine (or a user with only the access you want), he won't be able to to much there.

And this way, you can do it with more friends easily if needed as they only need to install the vpn client.

SSH – SSH Shell via SSH Proxy

You might want to look into ssh's ProxyCommand configuration, which allows for this to work more seamlessly, and will work for shells, SFTP, tunnels, and anything else you might want to proxy via ssh.

Let's say you have the following three hosts:

workstation.example.com - This is the machine you're physically working on
proxy.example.com - This is the machine you're routing your SSH traffic through
endpoint.example.com - This is where you want the traffic to ultimately end up

In ~/.ssh/config on workstation, add the following:

Host endpoint
    User EndpointUser # set this to the username on the destination host
    HostName endpoint.example.com
    ProxyCommand ssh username@proxy.example.com nc %h %p 2> /dev/null

On the proxy host, make sure nc (netcat) is installed.

Then, on workstation, you can ssh endpoint or sftp endpoint and you will be transparently proxied to the machine by way of your proxy host.