Use SSH certificates to set up a forced command for simple server monitoring, with one-year validity.
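# Create the "certification authority". The CA private key never leaves this
# machine and must not be copied anywhere: whoever holds it can mint a certificate
# the server will accept, so treat it like a root credential (give it a passphrase).
user@home$ ssh-keygen -f /home/user/.ssh/certification_authority
# Make the CA public key trusted on the server.
# The principals= option restricts which certificates this entry accepts: without it
# *any* certificate signed by this CA logs in as root, even one minted for another purpose.
user@home$ scp /home/user/.ssh/certification_authority.pub root@server:
root@server# cd; { printf 'cert-authority,principals="monitoring" '; cat certification_authority.pub; } >> .ssh/authorized_keys
# Generate a certificate for any command you can think of.
# Example -- command: "tailf /var/log/messages", validity: 52 weeks from now,
# permissions: none (-O clear drops pty allocation and agent/port/X11 forwarding;
# it must come before -O force-command), principal: "monitoring" (must match the
# principals= list on the server).
user@home$ ssh-keygen -f tailfmessages.key
user@home$ ssh-keygen -V +52w -s .ssh/certification_authority -I tailfmessages.key -n monitoring -O clear -O force-command="tailf /var/log/messages" tailfmessages.key.pub
# Copy the key and certificate to any other host and use it.
# Note: the CA private key is not transferred; only tailfmessages.key, .key.pub and .key-cert.pub go.
# Result: the agent's session is limited to executing that one specified command.
# What was granted can be audited with: ssh-keygen -L -f tailfmessages.key-cert.pub
user@home$ scp tailfmessages.key* agent@monitoring:
agent@monitoring$ date; while true; do ssh -o ServerAliveInterval=60 -i tailfmessages.key root@server; date; sleep 10; done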