Nerf an SSH login outside expected IP range
Can I restrict myself from certain actions when I SSH in from outside a certain IP range? For instance no sudo
?
Maybe with ~/.ssh/authorized_keys having a from="!1.2.3.4/26"
option with some kind of command="???"
?
1 answer
Yes. A command
stanza on an authorized key works like the ForceCommand
on SSHD Config. It runs the one specified command instead of your requested command or interactive session and then closes the connection. Obviously this is pretty restrictive, and no one would want to make one key per allowlisted command. But SSH sets an environment variable, $SSH_ORIGINAL_COMMAND
to the user's requested command.
If the ForceCommand
is a script, it can validate the original command and choose to execute it, execute something else, or just quit. There doesn't seem to be a standard practice for these.
-
Some people roll their own
case
statement with a list of allowed commands. (Some people accidentally do it wrong.) -
Other people have written longer scripts to manage the allowlists (
only
,sshdo
).
Care should be taken not to allow the user to escalate their own privileges or learn things to formulate a subsequent attack. If they can edit their authorized_keys to remove the hobbling, they can do anything else, right after.
0 comment threads