DEV Community

lbonanomi

SSH Shibboleths

I'm a bad meeting attendee; 5 minutes into any slide deck I retreat into paranoid fantasies of network espionage. Last budget session fantasy-me needed a subtle back channel to indicate that I was operating from a compromised position, so regular me hacked together a working prototype with bash init scripts, SSH key features, and a little-used SSH config file.

Commands in SSH keys

It's probably common knowledge that key values in the SSH authorized_keys file can be locked to a single command, so I'll just say that the regularly used SSH key for this system was altered to start with command="exec bash" to start an interactive shell.

sshrc

Hosts using the OpenSSH daemon will process a user's $HOME/.ssh/rc file before sourcing the user's shell init scripts. By default sshd will not allow environment variables to be exported, but will happily execute shell scripts, so a simple instruction to run touch $HOME/.ssh.lck was added to create a lockfile. This has the helpful side effect of not messing with console logins.

bashrc

Last stop is to modify .bashrc to look for the lockfile created by ~/.ssh/rc, set $PROMPT_COMMAND to execute a function for password-auth vs. ssh key-auth, and remove the lockfile.

# sshd runs ~/.ssh/rc, which touches this lockfile
lock="$HOME/.ssh.lck"

if [[ -f "$lock" ]]
then
        # check the last field of this shell's own ps entry for "bash"
        if ps axwww | awk '$1 == '"$$"' { print $NF }' | grep -q "bash"
        then
                function passworded() {
                        echo "User is password-authenticated"
                        unset PROMPT_COMMAND
                }
                export PROMPT_COMMAND="passworded"
        fi

        rm "$lock" 2>/dev/null
else
        function keyed() {
                echo "User is SSH key-authenticated"
                unset PROMPT_COMMAND
        }
        export PROMPT_COMMAND="keyed"

        rm "$lock" 2>/dev/null
fi

The passworded and keyed functions should of course be tailored for your needs.
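
For reviewing an account for the two hooks this setup relies on (a command="..." option on a key and a per-user ~/.ssh/rc), here is an added example that is not part of the original post. The function names audit_ssh_hooks and make_sample_home are hypothetical, the sample keys are constructed placeholders, and the key-type prefix check is a simplifying assumption.

```sh
#!/bin/sh
# audit_ssh_hooks HOME_DIR  (hypothetical helper name)
# Emits tab-separated findings:
#   rc      <path>                       per-user sshrc exists
#   forced  <line> <keytype> <command>   key carries command="..."
audit_ssh_hooks() {
    [ -f "$1/.ssh/rc" ] && printf 'rc\t%s\n' "$1/.ssh/rc"
    [ -f "$1/.ssh/authorized_keys" ] || return 0
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line ~ /^(ssh-|ecdsa-|sk-)/) next    # begins with a key type: no options
        # Split the options field on commas outside quotes; the field
        # ends at the first blank outside quotes.
        inq = 0; n = 1; opt[1] = ""
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (inq && c == "\\") { i++; opt[n] = opt[n] c substr(line, i, 1); continue }
            if (c == "\"") inq = !inq
            if (!inq && (c == " " || c == "\t")) break
            if (!inq && c == ",") { n++; opt[n] = ""; continue }
            opt[n] = opt[n] c
        }
        rest = substr(line, i); sub(/^[ \t]+/, "", rest); split(rest, f, /[ \t]+/)
        for (k = 1; k <= n; k++) {
            if (tolower(substr(opt[k], 1, 9)) != "command=\"") continue
            cmd = substr(opt[k], 10, length(opt[k]) - 10)   # strip command=" and closing quote
            gsub(/\\"/, "\"", cmd)                          # undo \" escaping
            printf "forced\t%d\t%s\t%s\n", NR, f[1], cmd
        }
    }' "$1/.ssh/authorized_keys"
}

# Constructed sample home; key material is placeholder text, not real keys.
make_sample_home() {
    h=$(mktemp -d) && mkdir "$h/.ssh" || return 1
    echo 'touch $HOME/.ssh.lck' > "$h/.ssh/rc"
    cat > "$h/.ssh/authorized_keys" <<'EOF'
# constructed entries
ssh-ed25519 AAAAPLACEHOLDER1 plain@example
command="exec bash" ssh-ed25519 AAAAPLACEHOLDER2 shibboleth@example
no-pty,command="echo \"a, b\"" ssh-rsa AAAAPLACEHOLDER3 quoted@example
EOF
    echo "$h"
}

audit_ssh_hooks "$(make_sample_home)"
```

Point it at a real home directory with audit_ssh_hooks "$HOME" to list the forced commands and sshrc file in effect for that account.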
