ssh script: command/ForceCommand - SSH



Thread: ssh script: command/ForceCommand

  1. ssh script: command/ForceCommand


    Hello

    I'm trying to secure/tune my backup script with ssh like this:
    http://www.hackinglinuxexposed.com/a.../20030109.html

    A few problems:
    - command/ForceCommand doesn't seem to accept wildcards or a chained
    command like:
    command="/path/to/backup-script.sh;scp -r -p -f /tmp/backup-*"
    (OpenBSD could maybe do this with systrace)
    - same for from/Host: no wildcard?
    - having recent ssh on multiple platforms ... but that's a problem with
    vendors

    Advice?

    thanks
    regards

  2. Re: ssh script: command/ForceCommand

    In article <4528e447$0$21867$426a34cc@news.free.fr> julien Touche
    writes:
    >
    >i'm trying to secure/tune my backup script with ssh like this:
    >http://www.hackinglinuxexposed.com/a.../20030109.html
    >
    >few problems:
    >- command/ForceCommand doesn't seem to accept wildcards or a chained
    >command like:
    >command="/path/to/backup-script.sh;scp -r -p -f /tmp/backup-*"
    >(openbsd could maybe, do this with systrace)


    Worked fine for me (i.e. using multiple commands + wildcard, I didn't
    specifically try scp) on a quick test with OpenSSH 4.2p1. Though I don't
    really see the point in the above case, why not simply put everything
    you want to do in the script? (Or if you don't want to change
    "backup-script.sh", create another script to run it + whatever else you
    want to do.)

    >- same for from/Host: no wildcard ?


    Using from= with wildcard (as documented) worked fine for me too, don't
    know what "Host:" refers to. Of course you need to have DNS / hosts file
    set up such that your client IP address really maps back to the expected
    host name on the server (and presumably that the name in turn maps
    forward to the IP address). Assuming you have a host name in from=, that
    is - IP addresses can also be used.

    --Per Hedeland
    per@hedeland.org

  3. Re: ssh script: command/ForceCommand

    Per Hedeland wrote on 08/10/2006 22:28:
    > Worked fine for me (i.e. using multiple commands + wildcard, I didn't
    > specifically try scp) on a quick test with OpenSSH 4.2p1. Though I
    > don't

    I will retry scp and check the arguments, but it could be that in my
    setup some boxes are pre-4.0.
    Don't know which box's release is important? Is it better to have the
    latest release on the client or the server?

    > really see the point in the above case, why not simply put everything
    > you want to do in the script? (Or if you don't want to change
    > "backup-script.sh", create another script to run it + whatever else
    > you want to do.)

    This is about who makes the connection: the backed-up box or the backup
    box. And I prefer the latter for firewall reasons.

    >
    >> - same for from/Host: no wildcard ?

    >
    > Using from= with wildcard (as documented) worked fine for me too,
    > don't know what "Host:" refers to. Of course you need to have DNS /
    > hosts file set up such that your client IP address really maps back
    > to the expected host name on the server (and presumably that the name
    > in turn maps forward to the IP address). Assuming you have a host
    > name in from=, that is - IP addresses can also be used.

    Pre-4.0 problem maybe. I will retry.

    thanks
    regards

  4. Re: ssh script: command/ForceCommand

    In article <452a9ff0$0$30989$426a74cc@news.free.fr> julien Touche
    writes:
    >Per Hedeland wrote on 08/10/2006 22:28:
    >> Worked fine for me (i.e. using multiple commands + wildcard, I didn't
    >> specifically try scp) on a quick test with OpenSSH 4.2p1. Though I
    >> don't

    >I will retry scp and check the arguments, but it could be that in my
    >setup some boxes are pre-4.0.
    >Don't know which box's release is important? Is it better to have the
    >latest release on the client or the server?


    The client version is quite irrelevant, it has no influence on the
    processing of the options in authorized_keys - doesn't even have to be
    OpenSSH at all. And I don't think the server version is important, I
    don't believe there have been any significant changes in this particular
    area in recent times - the whole command string is passed as-is to your
    login shell using the -c option.

    >> really see the point in the above case, why not simply put everything
    >> you want to do in the script? (Or if you don't want to change
    >> "backup-script.sh", create another script to run it + whatever else
    >> you want to do.)

    >This is about who makes the connection: the backed-up box or the backup
    >box. And I prefer the latter for firewall reasons.


    I think you misunderstand me - you're telling the ssh server box to run

    a) /path/to/backup-script.sh

    and then

    b) scp -r -p -f /tmp/backup-*

    I'm just saying that you could get the exact same effect with less
    messiness in the authorized_keys file, and less worries about what is
    actually supported there, by doing one of

    1) put that scp command at the end of the /path/to/backup-script.sh
    script

    or

    2) create a new script, say /path/to/do-backup.sh, containing

    #!/bin/sh
    /path/to/backup-script.sh
    scp -r -p -f /tmp/backup-*

    and then put just /path/to/do-backup.sh in authorized_keys.

    But anyway none of that should be needed.

    --Per Hedeland
    per@hedeland.org
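Building on the wrapper-script suggestion above and on the from= discussion in reply 2, here is an added example (not code from anyone in the thread) of how a defender would typically deploy such a forced command: one helper that emits a restricted authorized_keys line (from= pattern, command= wrapper, and the no-* options that a backup key does not need), and a wrapper that inspects SSH_ORIGINAL_COMMAND, the variable sshd sets to whatever the client actually requested, and only runs the two commands the backup needs. All paths, the host pattern and the key text are placeholders; the wrapper only execs when invoked with --forced so the functions can be sourced and tested on their own.

```sh
#!/bin/sh
# Added example: forced-command wrapper for a backup key in authorized_keys.
# Paths (/path/to/...), the host pattern and the key text are placeholders.

# Emit a restricted authorized_keys line.
#   $1 = from= pattern (hostname glob or IP, as sshd documents)
#   $2 = wrapper path to force with command=
#   $3 = public key text ("ssh-rsa AAAA... comment")
# The no-* options remove capabilities a non-interactive backup never needs.
build_authorized_keys_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# Check the command the client asked for against the two commands the backup
# needs. Prints the vetted command and returns 0 when allowed, returns 1
# otherwise. The scp branch accepts only the server-side "source" invocation
# for the backup directory and rejects any shell metacharacters after it,
# so a key holder cannot smuggle extra commands past the forced wrapper.
vet_original_command() {
    case "$1" in
        "/path/to/backup-script.sh")
            printf '%s\n' "$1"
            return 0 ;;
        "scp -r -p -f /tmp/backup-"*)
            case "$1" in
                *[\;\|\&\`\$\(\)\<\>]*) return 1 ;;
            esac
            printf '%s\n' "$1"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Entry point used when the wrapper is the forced command. sshd places the
# client's requested command in SSH_ORIGINAL_COMMAND; an empty value means
# the client asked for an interactive shell, which is refused as well.
main() {
    cmd=$(vet_original_command "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "rejected command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
        exit 255
    }
    # Same effect as sshd's own behaviour: hand the string to the shell with -c,
    # so the /tmp/backup-* wildcard is expanded on the server.
    exec /bin/sh -c "$cmd"
}

# Deploy as /path/to/do-backup.sh and reference it from authorized_keys as
# command="/path/to/do-backup.sh --forced"; without --forced the file only
# defines the functions above.
if [ "${1:-}" = "--forced" ]; then
    main
fi
```

The backup box then runs the two steps as two separate ssh invocations of the same key, and the backed-up box accepts nothing else for that key, regardless of which OpenSSH version either side runs.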
