4

I need to enable remote execution of a shell script on a server, but deny all other access. The script is a toggle that accepts a single parameter (on/off/status). This comes close to answering my question, but while it works to run scripts remotely, I still can't pass arguments. Is there a way to do this without making a new shell account for each possible argument?

Basically, I want to be able to run on my remote server:

myclient$ ssh remotecontrol@myserver on
myclient$ ssh remotecontrol@myserver off
myclient$ ssh remotecontrol@myserver status

And have this correspond to:

myserver$ ./myscript.sh on
myserver$ ./myscript.sh off
myserver$ ./myscript.sh status

Arcege's response in the linked article could do this, but it doesn't work as a one-liner in a shell script.

SOLUTION DETAILS:

# useradd -Urms /home/remotecontrol/shell.sh remotecontrol

Added the following line to ~remotecontrol/.ssh/authorized_keys to disable remote login:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...public key...] remoteuser@remotehost

Added the following shell script as ~remotecontrol/shell.sh:

#!/usr/bin/env bash
case "$2" in
    on)
        echo 'Command: on'
        ;;
    off)
        echo 'Command: off'
        ;;
    status)
        echo 'Command: status'
        ;;
    *)
        echo 'Invalid command'
        ;;
esac
Community
  • 1
Mikkel
  • 536

1 Answers1

3

If you use a custom shell as suggested by Arcege and 2bc, then that shell will receive the command which the user intends to execute as an argument because the shell is invoked like this:

shellname -c the_original_command

So ignore the -c (that your $1) and find the command in $2. For example:

#!/bin/sh

case "$2" in
    on)
        do something
        ;;
    off)
        do something else
        ;;
    *)
        echo "wrong command name!" >&2
        exit 1
esac

If you use a forced command as suggested by Coren then you will find the command that the user intended to invoke in the environment variable $SSH_ORIGINAL_COMMAND. You can use a script similar to the one above.

Community
  • 1
Celada
  • 44,132