DEV Community


Posted on


SSH Shibboleths

I'm a bad meeting attendee; 5 minutes into any slide deck I retreat into paranoid fantasies of network espionage. Last budget session fantasy-me needed a subtle back channel to indicate that I was operating from a compromised position, so regular me hacked-together a working prototype with bash init scripts, SSH key features, and a little-used SSH config file.

Commands in SSH keys

It's probably common knowledge that key values in the SSH authorized_keys file can be locked to a single command, so I'll just say that the regularly used SSH key for this system was altered to start with command="exec bash" to start an interactive shell.


Hosts using the OpenSSH daemon will process a user's $HOME/.ssh/rc file before sourcing the user's shell init scripts. By default sshd will not allow environment variables to be exported, but will happily execute shell scripts, so a simple instruction to run touch $HOME/.ssh.lck was added to create a lockfile. This has the helpful side-affect of not messing with console logins.


Last stop is to modify .bashrc to look for the ~/ssh/rc lockfile, set $PROMPT_COMMAND to execute a function for password-auth vs. ssh key-auth, and remove the lockfile.

if [[ -f .ssh.lck ]]
        if [[ $(ps axwww | awk '$1 == '"$$"' { print $NF }' | grep "bash") ]]
                function passworded() {
                        echo "User is password-authenticated"
                        unset PROMPT_COMMAND
                export PROMPT_COMMAND="passworded"

        rm .ssh.lck 2>/dev/null
        function keyed() {
                echo "User is SSH key-authenticated"
                unset PROMPT_COMMAND
        export PROMPT_COMMAND="keyed"

        rm .ssh.lck 2>/dev/null

The passworded and keyed functions should of course be tailored for your needs.

Top comments (0)

Timeless DEV post...

Git Concepts I Wish I Knew Years Ago

The most used technology by developers is not Javascript.

It's not Python or HTML.

It hardly even gets mentioned in interviews or listed as a pre-requisite for jobs.

I'm talking about Git and version control of course.

One does not simply learn git