Linux – Run Privileged Command on Successful SSH Login

linuxopensshrootsshd

I'd like to run a privileged command upon successful SSH logins at the server's end. However, this has to be in the server configuration (sshd_config or anything else that cannot be manipulated or circumvented by the user) as I need this to be mandatory. That is, however restricted the system account used is, it needs to be able to manipulate a piece of data that requires superuser privileges (namely use ipset add conditionally – which I can script). Oh and I'd like to be able to access the contents of SSH_CLIENT, please – despite privileged execution. The command also must be unaffected by ChrootDirectory.

I am aware of /etc/ssh/sshrc, but that appears to be "client-side", i.e. it's being run by the user who is logging into the machine.

Does such a facility exist in OpenSSH? I am using version 6.6.

Also, the man page (ssh(1)) isn't all too clear about sshrc:

/etc/ssh/sshrc
Commands in this file are executed by ssh when the user logs in, just before the user's
shell (or command) is started. See the sshd(8) manual page for more information.

So does this mean it also runs whenever external commands (via ForceCommand) or subsystems like internal-sftp get invoked, despite restricting settings like PTY allocation or forcing a chroot? If so, I could resort to a restrictive /etc/sudoers entry if there is no other way at all.

NB: I am not using inetd for obvious reasons (see sshd(8)) as described here.

Best Answer

You can do this using PAM and the pam_exec.so module.

You simply add a line to /etc/pam.d/sshd to the 'session' section such as the following:

session    optional    pam_exec.so /usr/local/bin/ipset-ssh

Where ipset-ssh is some script you create.

The script will be run as root. You can get the client's IP address with the PAM_RHOST variable. You'll also want to check the PAM_TYPE variable as your script will be executed both on login, and logout. On login PAM_TYPE will be set to open_session. On logout it's set to close_session.

Here is the complete list of variables that I get from a simple test (I put env > /tmp/pamenv in script):

PAM_SERVICE=sshd
PAM_RHOST=127.0.0.1
GNOME_KEYRING_CONTROL=/home/phemmer/.cache/keyring-vJUUda
PAM_USER=phemmer
PWD=/
GNOME_KEYRING_PID=19742
SHLVL=1
PAM_TYPE=open_session
PAM_TTY=ssh
_=/usr/bin/env

Your script could be as simple as:

#!/bin/bash
[[ "$PAM_TYPE" == "open_session" ]] && ipset add whitelist $PAM_RHOST

Related Solutions

Ssh – way to run an ssh server on an Android device

If you want to run an ssh server on a rooted phone, you can install SSHDroid.

You can build a Debian image via deboostrap. Debian runs on ARM so you wont have problems building an image for that arquitechture. There is an interesting howto writen for SG1, you could try it out.

SSH OpenSSH – How to Start a Specific Shell and Run Commands Remotely

The most obvious way to run a command remotely is to specify it on the ssh command line. The ssh command is always interpreted by the remote user's shell.

ssh bob@example.com '. ~/.profile; command_that_needs_environment_variables'
ssh -t bob@example.com '. ~/.profile; exec zsh'

Shared accounts are generally a bad idea; if at all possible, get separate accounts for every user. If you're stuck with a shared account, you can make an alias:

ssh -t shared-account@example.com 'HOME=~/bob; . ~/.profile; exec zsh'

If you use public key authentication (again, recommended), you can define per-key commands in ~/.ssh/authorized_keys. See this answer for more explanations. Edit the line for your key in ~/.ssh/authorized_keys on the server (all on one line):

command="HOME=$HOME/bob;
     if [ -n \"$SSH_ORIGINAL_COMMAND\" ]; then
       eval \"$SSH_ORIGINAL_COMMAND\";
     else exec \"$SHELL\"; fi" ssh-rsa AAAA…== bob@some.where

Best Answer

Related Solutions

Ssh – way to run an ssh server on an Android device

SSH OpenSSH – How to Start a Specific Shell and Run Commands Remotely

Related Question