Authprogs SSH Command Authenticator

    Date15 Jan 2003
    5165
    Posted ByAnthony Pell
    Introducing Authprogs, software which lets you control which machines can run authorized commands via SSH using SSH Identities. . . . Introducing Authprogs, software which lets you control which machines can run authorized commands via SSH using SSH Identities.

    In this article, I introduce you to authprogs, which can be used to control what commands can be run on a host-by-host basis. I've been using this program for ages now, and finally took the time to put in comments and make it readable. I'll be maintaining the code at http://www.hackinglinuxexposed.com/tools/authprogs. There are several things left to be done[2] and I encourage folks to develop it further. Right now I'd call it version 0.5.

    In the previous three[1] articles, I've shown you how to manually set up identity-based authentication with SSH, and how to use it to force a specific command, regardless the actual command that the client attempts to run. Unfortunately, this procedure requires that you have one identity for each program you want to allow, which can be a very big hassle.

    Authprogs is a very simple perl script.[3] It looks for a file named ~/.ssh/authprogs.conf to get it's configuration. This file simply lists the programs that are allowed to be run from specified hosts. You begin with an IP address or list of IP addresses in brackets. On the following lines you put the commands that are allowed from this host or hosts. Here's an example configuration:

    # The uptime command is allowed from any host
    [ ALL ]
    uptime

    # Localhost can list /tmp (now that's useless)
    [ 127.0.0.1 ]
    /bin/ls /tmp/

    # allow multiple machines by listing them together
    [ 127.0.0.1 10.0.0.256 ]
    rsync --server --sender -logtpr . /var/www/

    [ 192.168.192.283 ]
    /opt/bin/restart_dns

    # Need to imbed spaces? Use quotes.
    ls -l "/path/to/some graphic.png"

    ...

    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"6","type":"x","order":"1","pct":60,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":30,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"1","type":"x","order":"3","pct":10,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.