
I have a private network of Centos 7 servers. Each of the servers can only be reached via an SSH bastion. Furthermore, all of these servers use SSSD to authenticate SSH users' keys against an LDAP directory.

Because keys are authenticated against an LDAP directory, there isn't a standard authorized_keys file. Instead of a standard authorized_keys file, the binary /usr/bin/sss_ssh_authorizedkeys pipes a query against LDAP to sshd formatted as an authorized_keys file--but not actually as a file. So, limiting users to particular commands by binding RSA keys to commands=" ... " entries is not possible, as far as I know.

SSH users are able to authenticate through the bastion to their workstations using the following command:

ssh -A -l joe.user@directory.service joes.workstation.ip -o ProxyCommand="ssh -l joe.user@directory.service -q bastion.ip nc joes.workstation.ip %p"

Unfortunately, they are also able to SSH into a session on the bastion server, something I would not like them to be able to do.

Is there any way I can use my current tools--SSSD, SSHD, an LDAP directory--to allow SSH users through the bastion, but not into the bastion?

StudentsTea
  • Would it help to use the shell_override parameter of SSSD and set a restricted shell? – jhrozek Oct 14 '15 at 14:07
  • I think using `shell_override` in `sssd.config` might do the trick. Only--how do I set up a specialized shell that only allows users to run the proxy command listed in the original post? If you can help me with that, all the upvotes to you, sir. :) – StudentsTea Oct 14 '15 at 17:42

1 Answer


The version of sssd that allows you to set configurations on a per-group basis was still in development when I ran into this problem.

I ended up adding a ForceCommand entry to my sshd_config under a Match directive, as well as an AcceptEnv directive:

Match Group thisGroup@directory.service
  AcceptEnv SomeVariable
  AcceptEnv SomeOtherVariable
  ForceCommand /path/to/some/script/I/wrote

Then, in the shell script, I use the variables passed by the ssh client to perform some action.

For example, if the client called this:

$ SomeVariable=foo ssh -i path/to/key -l joe@directory.service -o SendEnv=SomeVariable bastion.server

The script will have access to an environment variable SomeVariable; access it using whatever language you like, using it to take some action.

Be sure your script doesn't exit into a shell session on the bastion.

StudentsTea
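A ForceCommand script along the lines this answer describes, written here as an added example rather than the answerer's own script. It assumes the Match block carries `AcceptEnv TargetHost TargetPort` (assumed variable names, sent by the client with `SendEnv`), allows only allowlisted host:port pairs, logs the decision, and execs `nc` so the user is proxied through the bastion without ever reaching a shell on it.

```shell
#!/bin/sh
# bastion-proxy: ForceCommand script for the Match block above (added example).
# TargetHost/TargetPort are assumed AcceptEnv names the client sends with SendEnv.
# The allowlist is inline for illustration; a deployment would read a root-owned file.
ALLOWED_TARGETS="
10.0.1.10:22
10.0.1.11:22
10.0.2.5:22
"

# valid_port PORT -> true only for an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_host HOST -> true only for an IPv4 address or hostname (no shell metacharacters)
valid_host() {
  case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# target_allowed HOST PORT -> true only for an allowlisted host:port pair
target_allowed() {
  valid_host "$1" && valid_port "$2" || return 1
  for entry in $ALLOWED_TARGETS; do
    [ "$entry" = "$1:$2" ] && return 0
  done
  return 1
}

main() {
  from="${SSH_CONNECTION%% *}"
  if target_allowed "${TargetHost:-}" "${TargetPort:-}"; then
    logger -t bastion-proxy "user=${USER:-?} from=$from target=$TargetHost:$TargetPort allow"
    exec nc "$TargetHost" "$TargetPort"   # replaces the script; no shell is ever reached
  fi
  logger -t bastion-proxy "user=${USER:-?} from=$from target=${TargetHost:-}:${TargetPort:-} deny"
  echo "bastion: target not permitted" >&2
  exit 1
}

# sshd sets SSH_CONNECTION for every session; act as the ForceCommand only then,
# so the functions above can also be sourced and tested on their own.
if [ -n "${SSH_CONNECTION:-}" ]; then main; fi
```

The client side then becomes `TargetHost=10.0.1.10 TargetPort=22 ssh -o SendEnv='TargetHost TargetPort' -l joe.user@directory.service bastion.ip`, usable as the ProxyCommand from the question; any other target, a missing variable, or a shell metacharacter in the value is logged and refused.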