A forced command causes a specified application to run automatically when the user logs in. All other applications are implicitly denied.
If you have maintenance jobs requiring non-interactive access to your server, use public-key authentication and forced commands. This way, if the private key is compromised, the public key cannot be used to perform anything other than the predetermined command on the server. This is, of course, also bad, but it would be worse if the malicious attacker would have unrestricted access to the machine.
Do not use the root (administrator) account for jobs where it is not absolutely necessary.
You can set up a forced command in the ssh-server-config.xml
file.
<services> <rule group="backup"> <terminal action="deny" /> <!-- This account is only used to backup the disk drive. --> <subsystem type="sftp" application="sft-server-g3" action="deny" /> <command application="dd if=/dev/hda" action="forced" /> <tunnel-local action="deny" /> <tunnel-remote action="deny" /> </rule> ... </services>
This would, on a successful login as the group backup
,
force a backup job to start.
Using the Tectia Server Configuration GUI, the same setting can be made under the Services page on the Commands tab. See Commands.
You can also use the command that was given on the sshg3
command line:
<services> <rule group="admin"> <command application="echo $SSH2_ORIGINAL_COMMAND" action="forced" /> ... </rule> ... </services>
Running sshg3
:
$ sshg3 localhost kukkuu kukkuu $