Passing parameters to a SSH client to execute a ForceCommand with parameters

As already answered, the commandline sent from the ssh client is put into the SSH_ORIGINAL_COMMAND environment variable, only the ForcedCommand is executed.

If you use the information in SSH_ORIGINAL_COMMAND in your ForcedCommand you must take care of security implications. An attacker can augment your command with arbitrary additional commands by sending e.g. ; rm -rf / at the end of the commandline.

This article shows a generic script which can be used to lock down allowed parameters. It also contains links to relevant information.

The described method (the 'only' script) works as follows:

1. Make the 'only' script the ForcedCommand, and give it the allowed command as its parameter. Note that more then one allowed command may be used.

2. Put a .onlyrules files into the home directory of user_1 and fill it with rules (regular expressions) which are matched against the commandline sent by the ssh client.

Your example would look like:

Match User user_1
ForceCommand /usr/local/bin/only /home/user_1/user_1_shell

and if, for example, you want to allow as parameters only 'set_new_mode' with exactly two alphanumeric arbitrary parameters the .onlyrules file would look like this:

\:^/home/user_1/user_1_shell set_new_mode [[:alnum:]]\{1,\} [[:alnum:]]\{1,\}$:{p;q}

Note that for sending the command to the server you must use the whole commandline:

/home/user_1/user_1_shell set_new_mode param1 param2

'only' looks up the command on the server and uses its name for matching the rules. If any of these checks fail, the command is not run.

[Disclosure: I wrote sshdo which is described below]

There's a program called sshdo for doing this. It controls which commands may be executed via incoming ssh connections. It's available for download at:

http://raf.org/sshdo/ (read manual pages here)
https://github.com/raforg/sshdo/

It has a learning mode to allow all commands that are attempted, and a --learn option to produce the configuration needed to allow learned commands permanently. Then learning mode can be turned off and any other commands will not be executed.

It also has an --unlearn option to stop allowing commands that are no longer in use so as to maintain strict least privilege as requirements change over time.

It can also be configured manually.

It is very fussy about what it allows. It won't allow a command with any arguments. Only complete shell commands can be allowed. But it does support simple patterns to represent similar commands that vary only in the digits that appear on the command line (e.g. sequence numbers or date/time stamps).

It's like a firewall or whitelisting control for ssh commands.