1
1
Fork
You've already forked sshdo
0
controls which commands may be executed via incoming ssh https://raf.org/sshdo
  • Python 96.6%
  • HTML 1.8%
  • Makefile 1.6%
2025年07月28日 00:57:33 +10:00
.reuse 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
LICENSES Add LICENSES/* and .reuse/dep5 (REUSE 3.0 compliant) 2023年03月20日 10:23:11 +11:00
.gitignore Remove generated manual entries from repo 2024年04月19日 12:51:04 +10:00
CHANGELOG 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
CODE_OF_CONDUCT.md Add CODE_OF_CONDUCT.md 2021年09月08日 16:03:39 +10:00
configure Add ./configure --with-python=name-or-path (suggested by Ryan Schmidt) 2023年09月02日 17:00:58 +10:00
COPYING 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
index.html 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
INSTALL 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
LICENSE Replace original June 1991 GPLv2 with February 1999 (post-LGPLv2.1) GPLv2 2021年09月14日 15:47:33 +10:00
Makefile Add ./configure --with-python=name-or-path (suggested by Ryan Schmidt) 2023年09月02日 17:00:58 +10:00
README.md 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
sshdo Avoid python-3.12+ syntax warnings relating to regex backslash notation 2025年07月28日 00:57:33 +10:00
sshdo.8.pod 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
sshdo.banner Initial version. 2018年08月08日 08:08:08 +10:00
sshdoers Initial version. 2018年08月08日 08:08:08 +10:00
sshdoers.5.pod 1.1.1 (20230619) 2023年06月19日 15:29:26 +10:00
test_sshdo Avoid python-3.12+ syntax warnings relating to regex backslash notation 2025年07月28日 00:57:33 +10:00

README

sshdo - controls which commands may be executed via incoming ssh

DESCRIPTION

sshdo provides an easily configurable way of controlling which commands may be executed via incoming ssh connections.

An ssh public key in a ~/.ssh/authorized_keys file can have a command="" option which forces a particular command to be executed when the key is used to authenticate an ssh connection. This is a security control that mitigates against private key compromise.

This is great when you only need to execute a single command. But if you need to perform multiple tasks, you would normally need to create and install a separate key pair for each command, or just not bother making use of forced commands and allow the key to be used to execute any command.

Instead, you can make sshdo act as the forced command, and when an ssh connection tries to execute a command, sshdo will consult the configuration files, /etc/sshdoers and /etc/sshdoers.d/*, to decide whether or not the user and key are allowed to execute the command. The requested command is only executed if it is allowed by the configuration.

This makes it possible to use a single authorized key for any number of commands and still prevent its use for any other purpose.

You will need to identify which commands need to be allowed by each user and authorized key. To make this easy, sshdo can be put into training mode where it will allow (and log) the execution of all commands.

After some time, sshdo can then learn from the logs and create the configuration necessary to allow the commands that were encountered during training mode.

It can also unlearn occasionally and create a new configuration that will no longer allow commands that no longer appear to be in use. This can help to maintain strict least privilege.

FROM

URL: https://raf.org/sshdo
GIT: https://github.com/raforg/sshdo
GIT: https://codeberg.org/raforg/sshdo
Date: 20230619
Author: raf <raf@raf.org>