-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathssh_gatekeeper.sh
executable file
·78 lines (68 loc) · 2.5 KB
/
ssh_gatekeeper.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#
## Calomel.org ssh_gatekeeper.sh
#
## This script is run by the ForceCommand directive in the sshd_config. It expects
## the user SSH'ing to the box to answer the $QUERY question before being allowed
## a shell. Permissions of this script should be owned by root and executable by
## all other users (chmod 755)". Rsync, sftp and sshfs are allowed through,
## but scp is denied.
#
## Disconnect clients who try to quit the script (Ctrl-c)
trap jail INT
jail()
{
kill -9 $PPID
exit 0
}
## Allow SSH. Clients can ssh to the box and then answer the $QUERY question.
if [ -z "$SSH_ORIGINAL_COMMAND" ];
then
## This is the question the client needs to know the answer to.
## Here we are asking for the current minute, day of the month
## and hour (24-hour time). If the date is "Mon Jan 10 13:25:00 EST 2020"
## then the answer is "251013"
#QUERY=`date +%M%d%H`
### The welcome message. This can be helpful or completely arbitrary
### depending on your user. Here we use a random quote as we are
### expecting the user to already know the question.
echo ""
echo " All truths are easy to understand once they are"
echo " discovered; the point is to discover them."
echo " -Galileo Galilei"
echo ""
### The Decision
### If the answer is correct give the user their shell.
### If the answer is wrong, log the attempt and kill the connection.
pam=`pam_proxy $USER`
if [ $? -eq 0 ];
then
echo 'Authenticated'
$SHELL -l
exit 0
else
logger "ssh_gatekeeper $USER login failed from $SSH_CLIENT"
echo 'Authentication falied'
kill -9 $PPID
exit 0
fi
fi
## Allow RSYNC. Rsync can not be used with the question above.
## We need to let the command though so our shell environment is clean.
if [ `echo $SSH_ORIGINAL_COMMAND | awk '{print $1}'` = rsync ];
then
$SHELL -c "$SSH_ORIGINAL_COMMAND"
exit 0
fi
## Allow sftp and sshfs. Make sure the path to your sftp-server binary
## is correctly expressed below. We need to let the command though so
## our shell environment is clean.
if [ `echo $SSH_ORIGINAL_COMMAND | awk '{print $1}'` = "/usr/lib/openssh/sftp-server" ];
then
$SHELL -c "$SSH_ORIGINAL_COMMAND"
exit 0
fi
## Default deny. This is the last command to catch all other command
## input. If the client tries to use anything other than ssh or rsync
## the connection is dropped. SCP is denied.
kill -9 $PPID
exit 0