ryan at islandzero.net
2017-Aug-26 07:51 UTC
How to handle scp connection with custom command
Hi, everyone

I'm developing an internal bastion system for my company.

It synchronizes ssh public keys to "~/.ssh/authorized_keys" and sets the "COMMAND" option to attach different Docker containers for different users.

Basically something like this:

restrict,pty,command="/usr/bin/docker exec -ti bunker-1-ryan /bin/bash" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQg401lnhl+hNzFpESjN+XvBkR/swIaHYP1no8lmcUJB25OF5ZP6vAN4Nh2EqULqUQ8tSpuFzistO+SwIn10OM8bzAy/OEWoHQUcjvJ1aS4kyZi9HKmfj66K7Mnm78Q7uc1jiDAzn0aZkQzR7hVj0jSXRXD68Q7el3DllgunyfsQs4yXroAFHO6g+mcO8jd71jZx0nB3dpnSlqJuFGl5nJlWoSaw6aTrW0wYdVk/YqpQtYGOGS/lzLvUj0eMIIYZ2w3L+ZVSFPcWkgf80TPVvQD6kmlWcbStR4xNW2dmL09WlYH+SLPu4BCvvPU0vCO83Y+u2qSqBTRKA/S0Xm0Nx1 ryan at islandzero.net

But the problem is 'scp' does not work. I wonder how to handle 'scp' requests with a custom COMMAND option.

Thanks.

Yanke Guo (Ryan)
ryan at islandzero.net
On 26 August 2017 at 17:51, <ryan at islandzero.net> wrote:
> Hi, everyone
>
> I'm developing an internal bastion system for my company.
>
> It synchronizes ssh public keys to "~/.ssh/authorized_keys" and sets the
> "COMMAND" option to attach different Docker containers for different users.
>
> Basically something like this:
>
> restrict,pty,command="/usr/bin/docker exec -ti bunker-1-ryan /bin/bash"
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQg401lnhl+hNzFpESjN+XvBkR/
> swIaHYP1no8lmcUJB25OF5ZP6vAN4Nh2EqULqUQ8tSpuFzistO+SwIn10OM8bzAy/
> OEWoHQUcjvJ1aS4kyZi9HKmfj66K7Mnm78Q7uc1jiDAzn0aZkQzR7hVj0jSX
> RXD68Q7el3DllgunyfsQs4yXroAFHO6g+mcO8jd71jZx0nB3dpnSlqJuFGl5nJl
> WoSaw6aTrW0wYdVk/YqpQtYGOGS/lzLvUj0eMIIYZ2w3L+
> ZVSFPcWkgf80TPVvQD6kmlWcbStR4xNW2dmL09WlYH+SLPu4BCvvPU0vCO83Y+u2qSqBTRKA/S0Xm0Nx1
> ryan at islandzero.net
>
> But the problem is 'scp' does not work. I wonder how to handle 'scp'
> requests with a custom COMMAND option.
>

scp sends the command "scp -t [args]" (see [1]) to the remote end and your forced command is not going to allow running non-interactive commands like that.

[1] https://web.archive.org/web/20170215184048/https://blogs.oracle.com/janp/entry/how_the_scp_protocol_works

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
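One way to handle the case described in the reply above, as an added example that is not from either poster or from OpenSSH: a forced-command wrapper that reads the client's requested command from `SSH_ORIGINAL_COMMAND` (set by sshd when a forced command is in effect) and runs only a validated `scp -t` / `scp -f` inside the container, without a tty. The script path, the `--run` switch, the `BUNKER_CONTAINER` variable, and the presence of `scp` in the container image are assumptions.

```shell
#!/bin/sh
# Forced-command dispatcher (added example). Hypothetical install line:
#   restrict,pty,command="/usr/local/bin/bunker-dispatch --run" ssh-rsa <key>
LC_ALL=C; export LC_ALL
CONTAINER="${BUNKER_CONTAINER:-bunker-1-ryan}"   # container name from the post

# bunker_plan ORIGINAL_COMMAND
# Prints the argv to execute, one word per line; returns 1 to refuse.
bunker_plan() {
    if [ -z "$1" ]; then
        # No command requested: interactive login, same as the original entry.
        printf '%s\n' docker exec -ti "$CONTAINER" /bin/bash
        return 0
    fi
    set -f; set -- $1; set +f        # split on whitespace, no globbing
    [ "$1" = scp ] || return 1       # only scp is dispatched
    shift
    mode= flags=
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;  # sink or source
            -r|-p|-d|-v) flags="$flags $1" ;;
            --) shift; break ;;
            -*) return 1 ;;          # any other option is refused
            *) break ;;
        esac
        shift
    done
    # Exactly one path, restricted to a conservative character set
    # (paths with spaces and multi-file requests are refused).
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    case "$1" in ''|*[!A-Za-z0-9._/-]*) return 1 ;; esac
    # -i without -t: the scp protocol needs a clean byte stream, not a tty.
    printf '%s\n' docker exec -i "$CONTAINER" scp $flags "$mode" -- "$1"
}

if [ "${1:-}" = "--run" ]; then
    plan=$(bunker_plan "${SSH_ORIGINAL_COMMAND:-}") || { echo "refused" >&2; exit 1; }
    set -f; IFS='
'; set -- $plan; set +f              # one argv word per line
    exec "$@"                        # argv is never re-parsed by a shell
fi
```

The requested command is never passed to a shell, so the only input reaching `docker exec` is a fixed option set plus one validated path.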