@craigphicks
Last active March 12, 2019 23:06
How to send data to local clipboard from a remote SSH session

secure ssh copy to remote server

motivation

From machine A, user-A opens an ssh terminal session into the account user-B on server B.
In the course of that session, it would be convenient to copy some data to A's clipboard without using the mouse to drag and click. Example use cases:

  1. cat files content into local clipboard. C.f., cat <file> | xsel -i -b or cat <file> | xclip -i -selection b
  2. While running the terminal editor emacs in the remote session, the C-c key copies into the local clipboard.

Suppose the user on A is user-A. Suppose the user on B is user-B.

At the same time we want to ensure that access by user-B (or anybody else) to user-A's account is limited to the minimum required.

solution to use case 1

From ssh session on B

cat <file> | ssh <user-A>@<host A> to-clipboard

This makes use of ssh's built-in feature called command restriction or forced command. See ssh.com, or this serverfault.com question.

Suppose the user on B is user-B, and B has an ssh key id-clip, that has been created in the usual way (ssh-keygen).

Then, in user-A's ssh directory, there is a file

/home/user-A/.ssh/authorized_keys

Usually each line contains exactly the public key being authorized, e.g., the contents of id-clip.pub.

However, to enforce command restriction, the public key is preceded (on the same line) by the command to be executed and any restricting options.
In our case:

command="/home/craig/.ssh/allowed-commands.sh id-clip",no-agent-forwarding,no-port-forwarding,no-user-rc,no-x11-forwarding,no-pty

The designated command "/home/craig/.ssh/allowed-commands.sh id-clip", and only the designated command, is executed on every ssh connection made with the id-clip key.

Our solution points to a script file, allowed-commands.sh, whose contents are

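#!/bin/bash
#
# You can have only one forced command in ~/.ssh/authorized_keys. Use this
# wrapper to allow several commands.

# Key name, passed as the first argument from the authorized_keys line
Id=${1}

case "$SSH_ORIGINAL_COMMAND" in
    "to-clipboard")
        # Desktop popup showing which key triggered the copy
        notify-send "ssh to-clipboard, from ${Id}"
        # Copy stdin into the clipboard of X display :0
        cat | xsel --display :0 -i -b
        ;;
    *)
        echo "Access denied"
        exit 1
        ;;
esac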

The original call to ssh on machine B was

... | ssh <user-A>@<host A> to-clipboard

The string to-clipboard is passed to allowed-commands.sh in the environment variable SSH_ORIGINAL_COMMAND. In addition, the name of the key, id-clip, is passed as an argument from the line in authorized_keys, which applies only to connections made with id-clip.

The line

notify-send "ssh to-clipboard, from ${Id}"

is just a popup messagebox, useful for debugging especially if xsel isn't working.

In the line

cat | xsel --display :0 -i -b

the parameter --display :0 is necessary because the process doesn't have its own X display with a clipboard, so the display must be specified explicitly. The value :0 happens to work on Ubuntu 18.04 with the Wayland window server.
On other setups it might not work.
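
An added example, not part of the original gist: a small audit that checks each authorized_keys entry for a forced command and the no-* restrictions used in the line above. The function names, sample entries and placeholder key material are constructed for illustration, and option values are assumed to contain no escaped quotes.

```shell
#!/bin/sh
# Added example (not from the gist): audit authorized_keys entries for the
# forced command and no-* restrictions shown above.
# Assumption: option values contain no escaped quotes (\").
REQUIRED="no-agent-forwarding no-port-forwarding no-user-rc no-x11-forwarding no-pty"

# audit_line LINE: prints "skip", "ok", or "weak: <reason>".
audit_line() {
    case $1 in ''|'#'*) echo "skip"; return 0 ;; esac
    # Blank quoted values so spaces and commas inside command="..." cannot
    # be mistaken for field or option separators.
    flat=$(printf '%s\n' "$1" | sed 's/"[^"]*"/""/g')
    opts=${flat%% *}
    case $opts in
        ssh-*|ecdsa-*|sk-*) echo "weak: no options (full shell access)"; return 0 ;;
    esac
    missing=""
    case ",$opts," in *,command=\"\",*) ;; *) missing=" command" ;; esac
    case ",$opts," in
        *,restrict,*) ;;  # OpenSSH "restrict" turns on all of the no-* restrictions
        *) for o in $REQUIRED; do
               case ",$opts," in *,"$o",*) ;; *) missing="$missing $o" ;; esac
           done ;;
    esac
    if [ -z "$missing" ]; then echo "ok"; else echo "weak: missing$missing"; fi
}

# audit_stream: reads authorized_keys text on stdin, prints "N: verdict"
# per key line, returns 1 if any entry is weak.
audit_stream() {
    n=0; rc=0
    while IFS= read -r l; do
        n=$((n + 1))
        v=$(audit_line "$l")
        [ "$v" = "skip" ] && continue
        echo "$n: $v"
        case $v in weak*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample input; the key material is a placeholder, not a real key.
sample_keys() {
    cat <<'EOF'
# constructed sample entries
ssh-ed25519 AAAA_PLACEHOLDER user-B@host-B
command="/home/craig/.ssh/allowed-commands.sh id-clip",no-agent-forwarding,no-port-forwarding,no-user-rc,no-x11-forwarding,no-pty ssh-ed25519 AAAA_PLACEHOLDER id-clip
command="/home/craig/.ssh/allowed-commands.sh id-clip",no-pty ssh-ed25519 AAAA_PLACEHOLDER id-clip
EOF
}

sample_keys | audit_stream || true
```

To check a real file, run audit_stream < ~/.ssh/authorized_keys; a non-zero exit status means at least one key is less restricted than the id-clip entry.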

/etc/ssh/sshd_config parameters

In /etc/ssh/sshd_config on host A

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers user-A

To make the sshd server re-read the config

sudo systemctl restart sshd.service

or

sudo service sshd restart

solution to use case 2 (emacs cut, copy)

Modify .emacs file to enable remote passing to local clipboard.

to be continued
