You can "force" commands to be run on login for a specific user via ~/.ssh/authorized_keys: a command="..." option in front of a key makes sshd run that command instead of whatever the client asked for, with the client's request placed in $SSH_ORIGINAL_COMMAND. To always run /home/deploy/deploy.sh for a key, use entries like these:
command="DEPLOY_USER='arthur.schreiber@hp.com' /home/deploy/deploy.sh \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1JnkxQDucKWOAD8QsmAVlXT0trq/QmtKeGkL+a6QUvctKBpe8qLuYUyGEgn+GvGwP9IqDZPYXBP0andFvim+40QKworx9oALuIei5rIWM3fCIbY0lTdM6gZVgTdYBNryW5axeuwsXjuT/i5lE+lA1JxQ5LjTq7n5gbT8tus4FbHySSkmrWmoz9rh8m9bULnmGquDQw6+xCbPFteVUhEDRsCsmlUldLMatMDuQ5hnhz0mKU41sqs+EPtmYh6pG/ofpyURMsR7/C/Rf1/i6AB9Mb3WqQOGE2x3cj+sj0vILiuHsnEx32qpNDvqrE+scRjcRsKIiaTSD4jqO9Mws5Ob7w==
command="DEPLOY_USER='arthur.schreiber@hp.com' /home/deploy/deploy.sh \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding <jenkins pub>
command="DEPLOY_USER='arthur.schreiber@hp.com' /home/deploy/deploy.sh \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding <ldap pub>
command="DEPLOY_USER='slawek@hp.com' /home/deploy/deploy.sh \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding <your key>
Two details of the syntax matter: the options are one comma-separated list that ends right before the key type (a stray quote after no-port-forwarding makes sshd reject the whole line), and sshd hands the command= value to the account's login shell, so $SSH_ORIGINAL_COMMAND is expanded by that shell. Keeping it inside escaped double quotes passes whatever the client sent to deploy.sh as a single argument instead of letting the shell re-parse it.
E.g. running
ssh deploy@myhost restart
makes sshd execute
DEPLOY_USER='arthur.schreiber@hp.com' /home/deploy/deploy.sh restart
The same forced command is hit by a git push, e.g. git push deploy@myhost:myapp.git
And with this deploy.sh:

#!/bin/sh
# $DEPLOY_USER can be used to log the user that is performing the deployment.
# $1 is whatever the client passed on the ssh command line (empty for a bare ssh login).
case "$1" in
restart)
# Log the action, restart the application
;;
deploy)
# Log the action, deploy & restart the application
;;
status)
# Log the action, send application status back to the user
;;
*)
# Unknown or empty command: list the available commands and fail.
# This could be extended with custom hooks or something like that
echo "usage: ssh deploy@host {restart|deploy|status}" >&2
exit 1
;;
esac
This would allow a user to execute the following:
To run a deployment: ssh deploy@some-host deploy
To show server status: ssh deploy@some-host status
To list all commands: ssh deploy@some-host
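The following is an added example, not code from the original note: a variant of the deploy.sh wrapper that reads SSH_ORIGINAL_COMMAND from the environment itself (sshd exports it for forced commands), so the authorized_keys entry can be just command="DEPLOY_USER='...' /home/deploy/deploy.sh",... with no shell expansion of the client's text at all. It also shows a helper that emits a correctly quoted authorized_keys line. Only the first word of the client's request is used and it must match the allow-list; anything else is written to an audit log and refused. The log path, the e-mail addresses and the no-pty option are assumptions; the git push case from the note would need its own branch, since this dispatcher rejects git-receive-pack like any other unlisted command.

```shell
#!/bin/sh
# Added example (not the original note's deploy.sh): a forced-command wrapper
# that dispatches on SSH_ORIGINAL_COMMAND itself instead of having the login
# shell expand it. Assumed authorized_keys entry:
#   command="DEPLOY_USER='alice@example.com' /home/deploy/deploy.sh",no-agent-forwarding,...

# Hypothetical audit log location; a real install would use logger(1) or a
# path only the deploy account can write.
DEPLOY_LOG="${DEPLOY_LOG:-/tmp/deploy-example.log}"

# Build one authorized_keys line: $1 = identity recorded in DEPLOY_USER (must
# contain no spaces or shell metacharacters, since the login shell parses the
# command= value), $2 = the public key ("ssh-ed25519 AAAA..."). The options are
# a single comma-separated list that ends before the key type; only the
# command= value is quoted. no-pty is added because this key never needs a
# terminal.
authorized_key_line() {
    printf 'command="DEPLOY_USER=%s /home/deploy/deploy.sh",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding,no-pty %s\n' "$1" "$2"
}

# Append one audit record: who (DEPLOY_USER from the key's forced command),
# what they asked for ($1), and whether it was accepted ($2).
log_action() {
    printf '%s user=%s action=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${DEPLOY_USER:-unknown}" "$1" "$2" \
        >> "$DEPLOY_LOG"
}

# Dispatch on the raw client string ($1). Returns the status the wrapper
# should exit with; prints the usage for an empty command (bare ssh login).
dispatch() {
    orig="$1"
    action="${orig%% *}"   # first word only; the remainder is never executed
    case "$action" in
        restart)
            log_action restart accepted
            # placeholder for the real restart, e.g. a service manager call
            return 0 ;;
        deploy)
            log_action deploy accepted
            # placeholder for fetch, build and restart
            return 0 ;;
        status)
            log_action status accepted
            echo "status: ok (placeholder)"
            return 0 ;;
        "")
            echo "usage: ssh deploy@host {restart|deploy|status}"
            return 0 ;;
        *)
            log_action "$action" rejected
            echo "unknown command: $action" >&2
            return 1 ;;
    esac
}

# Entry point when sshd runs this file as the forced command. sshd exports
# SSH_CONNECTION for every session but SSH_ORIGINAL_COMMAND only when the
# client supplied a command, so a bare "ssh deploy@host" reaches the usage
# branch. The script's exit status is dispatch's, which the client sees.
if [ -n "${SSH_CONNECTION:-}" ]; then
    dispatch "${SSH_ORIGINAL_COMMAND:-}"
fi
```

Because the client's string never reaches a shell as code, the allow-list in dispatch() is the only thing that decides what runs, and every accepted or rejected request ends up in the audit log with the identity baked into the key's forced command.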