authcmd

This is an attempt to port the 'only' script from MagmaSoft. The goal is to provide a way to control ssh access to a environnement with allowed/forbidden commands/arguments and replace.

The idea is to use the command parameter of the authorized_keys file which force the execution of a command when logging with a certain key.

authcmd still need tests and is not ready for any kind of serious usage.

Any contribution is welcome

Usage

• Clone and compile authcmd :

github.com/dranih/authcmd
go build

• Put the authcmd binary in the PATH of the server to which the clients will ssh

• Configure the option file authcmd.yml with the allowed/forbidden commands/arguments and set env var AUTHCMD_CONFIG_FILE to it location or put it in your $HOME

• Add a line to the ~/.ssh.authorized_keys :

command="authcmd <tag1> <tag2>" ssh-rsa AAAAB3N....

Configuration

Dependencies

• gopkg.in/yaml.v3 to parse yaml config file

To-do

• Sanitize command if using shell, multi-command option (; delimiter, each command is checked)
• More tests
• Better readme (add some use cases)
• Comment code
• Add a github pipeline for testing and building
• Add a log rotate mecanism
• Add a validation regex string option for each commands
• Add an option to set an env variable (for exemple set different env vars depending on clients)
• Add a way to distinct clients (maybe remove commands as main args and only take on client arg). This way we could allow/disallow commands to specific users