Your browser does not allow storing cookies. We recommend enabling them.

Tectia

Forced Commands

A forced command causes a specified application to run automatically when the user logs in. All other applications are implicitly denied.

If you have maintenance jobs requiring non-interactive access to your server, use public-key authentication and forced commands. This way, if the private key is compromised, the public key cannot be used to perform anything other than the predetermined command on the server. This is, of course, also bad, but it would be worse if the malicious attacker would have unrestricted access to the machine.

Do not use the root (administrator) account for jobs where it is not absolutely necessary.

You can set up a forced command in the ssh-server-config.xml file.

<services>
  <rule group="backup">
    <terminal action="deny" />
    <!-- This account is only used to backup the disk drive. -->
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command application="dd if=/dev/hda" action="forced" />
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  ...
</services>

This would, on a successful login as the group backup, force a backup job to start.

Using the Tectia Server Configuration GUI, the same setting can be made under the Services page on the Commands tab. See Commands.

You can also use the command that was given on the sshg3 command line:

<services>
  <rule group="admin">
    <command application="echo $SSH2_ORIGINAL_COMMAND" action="forced" />
    ...
  </rule>
  ...
</services>

Running sshg3:

$ sshg3 localhost kukkuu
kukkuu
$


 

 
Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more