
Safely allow non-root SSH users to run privileged sudo or otherwise privileged commands (like ZFS send) by requiring command to match a fixed list of strings and regexes

OtherJohnGray/ssh-allow-list


ssh-allow-list

Safely allow non-root SSH users to run sudo or other privileged commands (like ZFS send) by requiring each command to match a fixed list of strings and regexes

The allowed commands are configured by editing the strings and regexes in the script. As provided, it allows a sensible set of commands for secure remote backup of encrypted ZFS filesystems by the current version of Jim Salter's excellent Sanoid and Syncoid utilities (although you would still need to change the pool and dataset names to match your own).

The script logs both allowed and rejected commands, so you can use trial and error to identify the exact commands third-party utilities generate on your behalf before adding them to the list.

Prerequisites

A *nix-type operating system (tested on Ubuntu 20.04) with an SSH server and a recent version of Ruby.

Usage

  1. Copy the ssh-allow-list.sh script to somewhere secure on the server that unprivileged users can still read and execute but not write, such as /usr/local/bin (owned by root, mode 0755). If the unprivileged user can modify the script, the allow list is theirs to rewrite.

  2. You might end up wanting different versions of this script for different users or tasks, so rename it to something meaningful. For example, I use this script to control ZFS send commands issued by an unprivileged backup user, so I renamed it to /usr/local/bin/wrap-zfs-send.

  3. Set up an unprivileged SSH user. This user will not be able to log into the server interactively; it will only be able to run the defined set of commands remotely, using the ssh -i ~/.ssh/privkeyfile user@host 'somecommand' syntax.

  4. Set the unprivileged user's password to something random and then forget it (or lock it outright), and preferably also disable password authentication for this user in your sshd config (a Match User block with PasswordAuthentication no). You don't ever want anyone logging in as this user with a password.

  5. Put the user's public SSH key in their /home/username/.ssh/authorized_keys file and use the command= option so that when they connect, the ssh-allow-list script runs instead of a login shell. sshd passes the command the client asked for in the SSH_ORIGINAL_COMMAND environment variable; the script reads it, validates it against the allow list, and runs it only if it is legit. The restrict option (OpenSSH 7.2 and later) additionally disables port forwarding, agent forwarding, X11 forwarding and PTY allocation for that key, e.g.:

    command="/usr/local/bin/wrap-zfs-send",restrict ssh-ed25519 AA....NB4 backupuser@backupserver

  6. Give the user only the sudo rights (or delegated ZFS permissions via zfs allow, or whatever else) that the allowed commands need in order to succeed. If sudo is involved, limit the sudoers entry to those specific commands and mark it NOPASSWD, since nothing is there to type a password.

  7. Edit your specific instance of the script (e.g. /usr/local/bin/wrap-zfs-send) and make sure the log file location and the allowed list are correct.

  8. That should be it. Access the server using the ssh -i ~/.ssh/privkeyfile user@host 'somecommand' syntax; allowed commands run, everything else is logged and rejected.
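The following is an added example of what such a forced-command wrapper looks like, written for this page and not the ssh-allow-list project's own script. It covers the matching and logging behaviour described above (exact strings plus regexes, every decision logged) and the way steps 5 and 7 fit together (reading SSH_ORIGINAL_COMMAND, editing the log path and the list). The log path, the pool/dataset name tank/data, the allow-list entries and the snapshot-name character class are assumptions; the regexes illustrate the shape of a ZFS send allow list and are not a transcription of Syncoid's actual command lines, which you should take from your own rejection log.

```ruby
#!/usr/bin/env ruby
# frozen_string_literal: true
#
# Added example (not the ssh-allow-list project's script): an SSH forced-command
# wrapper that runs only commands matching a fixed allow list and logs every decision.
# Assumptions: LOG_FILE, the pool/dataset "tank/data" and the EXACT/PATTERNS entries
# are placeholders to be edited per installation.

require "time"

module SshAllowList
  LOG_FILE = "/var/log/ssh-allow-list.log" # assumption: the forced-command user must be able to append here

  # Commands that must match byte for byte.
  EXACT = [
    "zfs list -H -o name -t snapshot -r tank/data",
  ].freeze

  # Regexes are anchored with \A and \z so a match must cover the whole command, and the
  # character class for snapshot names excludes shell metacharacters. An unanchored
  # /zfs send/ would let "zfs send ...; rm -rf /" through.
  SNAP = "[A-Za-z0-9_:.-]+"
  PATTERNS = [
    %r{\Asudo zfs send -w -I 'tank/data'@'#{SNAP}' 'tank/data'@'#{SNAP}'\z},
    %r{\Azfs get -H -o value guid 'tank/data'@'#{SNAP}'\z},
  ].freeze

  Decision = Struct.new(:allowed, :command, :reason)

  # Pure decision function: returns a Decision and never executes anything, so it can
  # be exercised from irb or a test without sshd in the loop.
  def self.decide(command)
    if command.nil? || command.strip.empty?
      return Decision.new(false, "", "no command (interactive login attempt)")
    end
    # Newlines and other control characters never belong in a legitimate command.
    return Decision.new(false, command, "control character in command") if command.match?(/[\x00-\x1f\x7f]/)
    return Decision.new(true, command, "exact match") if EXACT.include?(command)
    pat = PATTERNS.find { |re| re.match?(command) }
    return Decision.new(true, command, "matched #{pat.source}") if pat
    Decision.new(false, command, "no allow-list entry matched")
  end

  # One log line per connection, for both allowed and rejected commands.
  def self.format_line(decision, now: Time.now)
    verdict = decision.allowed ? "ALLOW" : "REJECT"
    peer = (ENV["SSH_CLIENT"] || "").split.first || "?"
    "#{now.utc.iso8601} #{verdict} user=#{ENV.fetch('USER', '?')} from=#{peer} " \
      "reason=#{decision.reason.inspect} cmd=#{decision.command.inspect}"
  end

  # Entry point when sshd invokes the script via command= in authorized_keys.
  # Returns an exit status on rejection; on success it replaces itself with the command.
  def self.run(command = ENV["SSH_ORIGINAL_COMMAND"], log_file: LOG_FILE)
    decision = decide(command)
    File.open(log_file, "a") { |f| f.puts(format_line(decision)) }
    return 1 unless decision.allowed
    # The allow list is what bounds what the shell sees: every pattern is anchored and its
    # character classes exclude metacharacters, so a pipeline or ";" can only appear where
    # a pattern spells it out. Going through sh -c is what lets allow-listed pipelines work.
    exec("/bin/sh", "-c", decision.command)
  end
end

# Only act when sshd is the caller (it always sets SSH_CONNECTION); loading this file
# from irb or a test harness does nothing.
if __FILE__ == $PROGRAM_NAME && ENV.key?("SSH_CONNECTION")
  exit SshAllowList.run
end
```

The design choice worth noting is the split between decide, which is pure and easy to test against commands copied out of the rejection log, and run, which does the logging and the exec. When a rejected command shows up in the log, check whether the utility really needs it before widening a pattern, and keep the pattern anchored and specific to the datasets in question rather than accepting anything after "zfs send".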

Errata: Let me know if you have any trouble using this, and I'll put any fixes here :)
