gwpl/whitelisting_wrapper.sh

## whitelisting_wrapper.sh
#!/bin/bash

LOGFILE=/home/"${USER?}"/.ssh_last_wrapper_invocation_error.log
SSHHISTORY=/home/"${USER?}"/.ssh_commands_history
ALLOWED_COMMANDS=/etc/ssh/users_configs/"${USER?}"/allowed_commands

if [ "$1" == 'make_files_for_user' ]; then
if [ -z "$2" -o -z "$3" ]; then
  echo Usage: $0 make_files_for_user Username Groupname
  exit 1
else
  echo Might be required to run this as root
  username="$2"
  groupname="$3"
  LOGFILE=/home/"${username?}"/.ssh_last_wrapper_invocation_error.log
  SSHHISTORY=/home/"${username?}"/.ssh_commands_history
  ALLOWED_COMMANDS=/etc/ssh/users_configs/"${username?}"/allowed_commands
  touch ${LOGFILE?} ${SSHHISTORY?} ${ALLOWED_COMMANDS?}
  chown -v ${username?}:${groupname?} ${LOGFILE?} ${SSHHISTORY?}
  chmod -v 0700 ${LOGFILE} ${SSHHISTORY}
  exit 0
fi
fi

(
echo "##########################################"
date
echo "### Invocation of this script: \$@ : $@ ###"
echo "### $ $SSH_ORIGINAL_COMMAND ###"
) >> "${LOGFILE?}"

(
echo -n '# '
date
echo $SSH_ORIGINAL_COMMAND
) >> "${SSHHISTORY?}"

if grep -Fxq "$SSH_ORIGINAL_COMMAND" "${ALLOWED_COMMANDS?}" ; then
        echo "# Allowed: Found in ALLOWED_COMMANDS file : ${ALLOWED_COMMANDS?}" >> "${SSHHISTORY?}"
        eval $SSH_ORIGINAL_COMMAND 2>>${LOGFILE?}
        exit $?
fi

case "$SSH_ORIGINAL_COMMAND" in
        'internal-sftp')
                echo "# Allowed." >> "${SSHHISTORY?}"
                /usr/lib/sftp-server
                ;;
        '/bin/true' \
        |'rsync --server --sender -logDtpre.iLsfxC . /home/'"${USER}" \
        |'rsync --server --sender -vlogDtpre.iLsfxC . /home/'"${USER}" )
                echo "# Allowed." >> "${SSHHISTORY?}"
                eval $SSH_ORIGINAL_COMMAND 2>>${LOGFILE?}
                exit $?
                ;;
        *)
                echo "# Denied." >> "${SSHHISTORY?}"
                (
                date
                echo "Sorry. Command not available to you."
                ) | tee -a "${LOGFILE?}"
                exit 1
                #exit 0
                ;;
esac
	#!/bin/bash

	LOGFILE=/home/"${USER?}"/.ssh_last_wrapper_invocation_error.log
	SSHHISTORY=/home/"${USER?}"/.ssh_commands_history
	ALLOWED_COMMANDS=/etc/ssh/users_configs/"${USER?}"/allowed_commands

	if [ "$1" == 'make_files_for_user' ]; then
	if [ -z "$2" -o -z "$3" ]; then
	echo Usage: $0 make_files_for_user Username Groupname
	exit 1
	else
	echo Might be required to run this as root
	username="$2"
	groupname="$3"
	LOGFILE=/home/"${username?}"/.ssh_last_wrapper_invocation_error.log
	SSHHISTORY=/home/"${username?}"/.ssh_commands_history
	ALLOWED_COMMANDS=/etc/ssh/users_configs/"${username?}"/allowed_commands
	touch ${LOGFILE?} ${SSHHISTORY?} ${ALLOWED_COMMANDS?}
	chown -v ${username?}:${groupname?} ${LOGFILE?} ${SSHHISTORY?}
	chmod -v 0700 ${LOGFILE} ${SSHHISTORY}
	exit 0
	fi
	fi

	(
	echo "##########################################"
	date
	echo "### Invocation of this script: \$@ : $@ ###"
	echo "### $ $SSH_ORIGINAL_COMMAND ###"
	) >> "${LOGFILE?}"

	(
	echo -n '# '
	date
	echo $SSH_ORIGINAL_COMMAND
	) >> "${SSHHISTORY?}"

	if grep -Fxq "$SSH_ORIGINAL_COMMAND" "${ALLOWED_COMMANDS?}" ; then
	echo "# Allowed: Found in ALLOWED_COMMANDS file : ${ALLOWED_COMMANDS?}" >> "${SSHHISTORY?}"
	eval $SSH_ORIGINAL_COMMAND 2>>${LOGFILE?}
	exit $?
	fi

	case "$SSH_ORIGINAL_COMMAND" in
	'internal-sftp')
	echo "# Allowed." >> "${SSHHISTORY?}"
	/usr/lib/sftp-server
	;;
	'/bin/true' \
	\|'rsync --server --sender -logDtpre.iLsfxC . /home/'"${USER}" \
	\|'rsync --server --sender -vlogDtpre.iLsfxC . /home/'"${USER}" )
	echo "# Allowed." >> "${SSHHISTORY?}"
	eval $SSH_ORIGINAL_COMMAND 2>>${LOGFILE?}
	exit $?
	;;
	*)
	echo "# Denied." >> "${SSHHISTORY?}"
	(
	date
	echo "Sorry. Command not available to you."
	) \| tee -a "${LOGFILE?}"
	exit 1
	#exit 0
	;;
	esac