I'm a bad meeting attendee; 5 minutes into any slide deck I retreat into paranoid fantasies of network espionage. Last budget session fantasy-me needed a subtle back channel to indicate that I was operating from a compromised position, so regular me hacked together a working prototype with bash init scripts, SSH key features, and a little-used SSH config file.
Commands in SSH keys
It's probably common knowledge that keys in the SSH authorized_keys file can be locked to a single command, so I'll just say that the regularly used SSH key for this system was altered to start with command="exec bash" so that the forced command starts an interactive shell.
sshrc
Hosts using the OpenSSH daemon will run a user's $HOME/.ssh/rc file before the user's shell (and its init scripts) starts. By default sshd will not let a user's SSH files export environment variables, but it will happily execute shell scripts, so a simple instruction to run touch $HOME/.ssh.lck was added to create a lockfile. This has the helpful side effect of not messing with console logins.
bashrc
Last stop is to modify .bashrc to look for the ~/.ssh.lck lockfile, set $PROMPT_COMMAND to execute a function for password-auth vs. SSH key-auth, and remove the lockfile.
```bash
# ~/.ssh.lck is created by ~/.ssh/rc, so it is only present for logins that came through sshd
if [[ -f "$HOME/.ssh.lck" ]]
then
    # Check that this shell's own process ($$) is a bash; ps's last column is the command name
    if [[ $(ps axwww | awk '$1 == '"$$"' { print $NF }' | grep "bash") ]]
    then
        function passworded() {
            echo "User is password-authenticated"
            unset PROMPT_COMMAND    # run once, before the first prompt
        }
        export PROMPT_COMMAND="passworded"
    fi
    rm -f "$HOME/.ssh.lck"
else
    function keyed() {
        echo "User is SSH key-authenticated"
        unset PROMPT_COMMAND        # run once, before the first prompt
    }
    export PROMPT_COMMAND="keyed"
    rm -f "$HOME/.ssh.lck"
fi
```
The passworded and keyed functions should of course be tailored for your needs.
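The three pieces above (the forced command in authorized_keys, the lockfile dropped by ~/.ssh/rc, and the decision made in .bashrc) as one script, added here as an example and not the post's own code. Each piece is a function that acts on an explicit home directory and explicit inputs, so the whole setup can be exercised in a scratch directory before it is installed on a real account. The key line, the scratch directory and the process names fed to classify_login are constructed; the decision table is the post's (lockfile present and the shell is a bash means password auth, no lockfile means key auth). One caveat a practitioner should check first: sshd runs ~/.ssh/rc only while PermitUserRC is left at its default of yes and the key entry carries no no-user-rc option, so confirm on the target sshd that the lockfile actually appears.

```shell
#!/bin/sh
# Added example (not from the post). POSIX sh so it runs under sh or bash.

# 1. authorized_keys: prefix an existing key line with the forced command.
#    A line that already starts with a command= option is returned unchanged,
#    so re-running the setup does not stack options.
forced_key_line() {
    # $1: one authorized_keys line, e.g. "ssh-ed25519 AAAA... user@host"
    case "$1" in
        command=*) printf '%s\n' "$1" ;;
        *)         printf 'command="exec bash" %s\n' "$1" ;;
    esac
}

# 2. ~/.ssh/rc: sshd runs this with sh before the user's shell or command
#    starts. All it does is drop the lockfile that .bashrc looks for.
install_sshrc() {
    # $1: home directory to set up (a constructed scratch directory in the test)
    home="$1"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    printf '%s\n' '#!/bin/sh' 'touch "$HOME/.ssh.lck"' > "$home/.ssh/rc"
    chmod 600 "$home/.ssh/rc"
}

# 3. The .bashrc decision with its two inputs made explicit: the lockfile
#    path and the name of the running shell's process (what the post reads
#    from ps's last column for $$). Prints "password", "key" or "unknown"
#    and removes the lockfile whichever way it decides.
classify_login() {
    lock="$1"
    procname="$2"
    if [ -f "$lock" ]; then
        rm -f "$lock"
        case "$procname" in
            *bash*) echo password ;;
            *)      echo unknown ;;
        esac
    else
        echo key
    fi
}

# Walk through the setup in a scratch directory and print each decision.
demo() {
    scratch=$(mktemp -d)
    install_sshrc "$scratch"
    echo "authorized_keys line: $(forced_key_line 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly user@example')"
    echo "rc contents:"; cat "$scratch/.ssh/rc"
    touch "$scratch/.ssh.lck"                      # what ~/.ssh/rc would have done
    echo "lockfile + -bash  : $(classify_login "$scratch/.ssh.lck" -bash)"
    echo "no lockfile       : $(classify_login "$scratch/.ssh.lck" -bash)"
    rm -rf "$scratch"
}

demo
```

Running the file prints the forced-command line, the generated rc file and the two decisions; nothing outside the scratch directory is touched. Keep in mind that a command= option replaces whatever the client asked for, so scp, sftp and one-off remote commands over that key all land in the interactive shell instead.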