From machine A, user-A does an ssh into the account user-B on server B for a terminal session. In the course of that session, it would be convenient to copy some data to A's clipboard without using the mouse to drag and click. Example use cases:

- cat a file's content into the local clipboard. C.f., cat <file> | xsel -i -b or cat <file> | xclip -i -selection clipboard
- While running the terminal editor emacs in the remote session, the C-c key copies into the local clipboard.

Suppose the user on A is user-A. Suppose the user on B is user-B.

At the same time we want to ensure that access by user-B (or anybody else) to user-A's account is limited to the minimum required.

From the ssh session on B:

    cat <file> | ssh <user-A>@<host A> to-clipboard

This makes use of ssh's built-in feature called command restriction or forced command. See ssh.com, or this serverfault.com question.

Suppose the user on B is user-B, and B has an ssh key id-clip that has been created in the usual way (ssh-keygen).

Then in user-A's ssh directory there is a file

    /home/user-A/.ssh/authorized_keys

Usually the content of any line is exactly the public key being authorized, e.g., the contents of id-clip.pub. However, to enforce command restriction, that public key content is prepended (on the same line) by the command to be executed. In our case:

    command="/home/craig/.ssh/allowed-commands.sh id-clip",no-agent-forwarding,no-port-forwarding,no-user-rc,no-x11-forwarding,no-pty

The designated command "/home/craig/.ssh/allowed-commands.sh id-clip", and only the designated command, is executed on every ssh connection with the id-clip key.
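
An added example (not part of the original write-up): a shell check that a line in authorized_keys carries a forced command together with either every no-* option from the line above or OpenSSH's restrict option, which turns on the same restrictions. The function names and sample lines are constructed for illustration, and AAAAEXAMPLE is a placeholder for a real key blob.

```shell
#!/bin/bash
# Added example: audit authorized_keys lines for the confinement described above.
# A key counts as confined when it has a forced command plus either the
# OpenSSH `restrict` option or every no-* option from the page's line.
REQUIRED="no-agent-forwarding no-port-forwarding no-user-rc no-x11-forwarding no-pty"

# Print the options field of one line (empty when the line starts with a key type).
# Quoted strings are blanked first, so spaces or commas inside command="..."
# cannot be mistaken for the end of the field or for an option.
key_options() {
    case "$1" in ssh-*|ecdsa-*|sk-*) return 0 ;; esac
    printf '%s\n' "$1" | sed -E 's/"([^"\\]|\\.)*"/""/g; s/[[:space:]].*$//'
}

# Return 0 when the line is confined, 1 otherwise.
audit_line() {
    al_opts=",$(key_options "$1" | tr 'A-Z' 'a-z'),"
    case "$al_opts" in *',command="",'*) ;; *) return 1 ;; esac
    case "$al_opts" in *,restrict,*) return 0 ;; esac
    for al_o in $REQUIRED; do
        case "$al_opts" in *",$al_o,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Read authorized_keys content on stdin, report each key line on stderr and
# print the number of unconfined keys on stdout.
count_unconfined() {
    cu_n=0; cu_bad=0
    while IFS= read -r cu_line || [ -n "$cu_line" ]; do
        cu_n=$((cu_n + 1))
        case "$cu_line" in ''|'#'*) continue ;; esac
        if audit_line "$cu_line"; then echo "line $cu_n: confined" >&2
        else echo "line $cu_n: NOT confined" >&2; cu_bad=$((cu_bad + 1)); fi
    done
    echo "$cu_bad"
}

# Constructed sample lines; AAAAEXAMPLE stands in for a real key blob.
WRAP='command="/home/craig/.ssh/allowed-commands.sh id-clip"'
GOOD="$WRAP,no-agent-forwarding,no-port-forwarding,no-user-rc,no-x11-forwarding,no-pty ssh-ed25519 AAAAEXAMPLE id-clip"
RESTRICT="restrict,$WRAP ssh-ed25519 AAAAEXAMPLE id-clip"
PARTIAL="$WRAP,no-pty ssh-ed25519 AAAAEXAMPLE id-clip"
PLAIN="ssh-ed25519 AAAAEXAMPLE id-clip"

printf '%s\n' "# constructed file" "$GOOD" "$RESTRICT" "$PARTIAL" "$PLAIN" | count_unconfined
```

To audit a real file, feed it on stdin: count_unconfined < /home/user-A/.ssh/authorized_keys.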

Our solution designates a script file allowed-commands.sh, and the content of that script file is

    #!/bin/bash
    #
    # You can have only one forced command in ~/.ssh/authorized_keys. Use this
    # wrapper to allow several commands.
    Id=${1}   # key name passed on the command="..." line, e.g. id-clip
    case "$SSH_ORIGINAL_COMMAND" in
        "to-clipboard")
            # Announce the transfer, then copy stdin into the clipboard of display :0
            notify-send "ssh to-clipboard, from ${Id}"
            cat | xsel --display :0 -i -b
            ;;
        *)
            # Anything else the client asked for is refused
            echo "Access denied"
            exit 1
            ;;
    esac

The original call to ssh on machine B was

    ... | ssh <user-A>@<host A> to-clipboard

The string to-clipboard is passed to allowed-commands.sh by the environment variable SSH_ORIGINAL_COMMAND. In addition, we have passed the name of the key, id-clip, from the line in authorized_keys which is only accessed by id-clip.

The line

    notify-send "ssh to-clipboard, from ${Id}"

is just a popup message box, useful for debugging, especially if xsel isn't working.

In the line

    cat | xsel --display :0 -i -b

the parameter --display :0 is necessary because the process doesn't have its own X display with a clipboard, so it must be specified explicitly. This value :0 happens to work on Ubuntu 18.04 with Wayland window server. On other setups it might not work.

In /etc/ssh/sshd_config on host A:

    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    AllowUsers user-A

To make the sshd server re-read the config:

    sudo systemctl restart sshd.service

or

    sudo service sshd restart

Modify the .emacs file to enable remote passing to the local clipboard.

To be continued.