
SSH Tectia

Forced Commands

A forced command causes a specified application to run automatically when the user logs in. All other applications are implicitly denied.

If you have maintenance jobs that require non-interactive access to your server, use public-key authentication and forced commands. This way, if the private key is compromised, the key can be used only to run the predetermined command on the server. That is still bad, but it would be worse if the attacker had unrestricted access to the machine.

Do not use the root (administrator) account for jobs where it is not absolutely necessary.

You can set up a forced command in the ssh-server-config.xml file.

<services>
  <rule group="backup">
    <terminal action="deny" />
    <!-- This account is only used to backup the disk drive. -->
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command application="dd if=/dev/hda" action="forced" />
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  ...
</services>

On a successful login by a user in the backup group, this rule forces the backup job to start. Terminal access, SFTP and tunneling are denied for the group.

Using the SSH Tectia Server Configuration GUI on Windows, the same setting can be made under the Services page on the Commands tab. See Commands.

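The forced command can also make use of the command that the client gave on the sshg3 command line. The server passes it to the forced command in the SSH2_ORIGINAL_COMMAND variable: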

<services>
  <rule group="admin">
    <command application="echo $SSH2_ORIGINAL_COMMAND" action="forced" />
    ...
  </rule>
  ...
</services>

Running sshg3:

$ sshg3 localhost kukkuu
kukkuu
$
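
The rule above hands the client's requested command to the forced command in SSH2_ORIGINAL_COMMAND. As an added example (not part of the SSH Tectia documentation), here is a forced-command wrapper that treats that variable as untrusted input and maps it onto a fixed allowlist. The script name, install path, request names and the use of logger are assumptions.

```shell
#!/bin/sh
# forced-wrapper.sh: added example, not SSH Tectia code. Script name, install
# path and request names are assumptions. Assumed server configuration:
#   <command application="/usr/local/sbin/forced-wrapper.sh" action="forced" />

# Exact-match allowlist. The client's string is only compared, never evaluated,
# expanded unquoted, or passed to a shell.
allowed_job() {
    case "$1" in
        backup-disk|disk-usage) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Make untrusted input safe to log: non-printable bytes become '?', max 80 chars.
sanitize_for_log() {
    printf '%s' "$1" | tr -c '[:print:]' '?' | cut -c1-80
}

# Fixed command lines chosen on the server side; no client-supplied arguments.
run_job() {
    case "$1" in
        backup-disk) exec dd if=/dev/hda ;;
        disk-usage)  exec df -k ;;
        *) return 1 ;;
    esac
}

main() {
    request=${SSH2_ORIGINAL_COMMAND:-}
    if job=$(allowed_job "$request"); then
        logger -t forced-wrapper "accepted: $job"
        run_job "$job"
    else
        logger -t forced-wrapper "rejected: $(sanitize_for_log "$request")"
        echo "request not permitted" >&2
        exit 1
    fi
}

# Run only under the installed name, so the functions can be sourced and tested.
if [ "${0##*/}" = "forced-wrapper.sh" ]; then
    main
fi
```

With this wrapper, a request such as kukkuu from the session above is logged and refused, and an empty request (no command given) is refused as well.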


 

 