Command Execution During SSH Login

Automatic execution of remote commands for SSH-enabled Unix sessions.

When a remote session is established to an SSH-enabled endpoint, the user normally lands at a shell prompt and can run or access anything the account is permitted to.

Although this may be desirable for most endpoints, there are instances where you may wish to restrict a user’s access to a single application.

This is where PAM's automatic command execution comes in.

Using the PAM Unix Host Command record type, PAM first creates the remote session and then immediately executes a command before handing control to the user, optionally supplying a password retrieved from the record so that the command can authenticate to a specific resource.

This lets you provide a secure remote session to your Unix endpoint while limiting the user's activity to the command that was executed. Keep in mind that the boundary is only as strong as that command: an interactive program with a shell escape (the mysql client's system and \! commands, or its \e editor command) still gives the user a shell, so where that matters, enforce the restriction on the endpoint as well, for example with a restricted shell or an sshd ForceCommand for that account.

For example, you want an administrator to connect to your Unix endpoint to manage a production MySQL database, but you do not want them to have free rein on the endpoint to perform any other actions.

You create the remote session through PAM, which immediately issues the command to connect to the MySQL database, supplying the password itself without disclosing it to the administrator.

This keeps the administrator within the MySQL prompt so they can perform their tasks.

Once finished, they simply exit the MySQL client and the remote session ends. Enable video and keystroke recording on this session so the activity is audited as well as contained.

This is similar to the Remote Application functionality available for Windows sessions, where a specific application is launched from a remote app host that confines the user to that single native application.

To configure Automatic Command Execution for Browser-based or Native SSH Client Use:

  1. Login to PAM as a System Administrator and navigate to Administration > Record Types.
  2. Locate the record type Unix Host Command and click the Edit button.
  3. Uncheck the Hidden option and click Save.
  4. Return to the Record List and create a new record using the type Unix Host Command.
  5. Populate the values in the record as needed:

    1. Name: Enter a name for this new record.

    2. Description: Enter a description for this new record.

    3. Host: Enter the host name for your remote session.

    4. Port: Enter the port number for your remote session.

    5. User: Enter the user that will be used to create your remote session.

    6. Password: Enter the password for this user.

    7. Remote Command: Enter the command that will be executed automatically when the remote session is created. For example, to connect to a database using the MySQL client:

      mysql -u admin -p -h 10.0.0.33 Master

      Give -p without a value so that the client prompts for the password; PAM answers that prompt with the Command Password entered below.

    8. Command Password: If the remote command prompts for a password, enter it here and PAM will supply it to the command. In this example it is the password of the MySQL user admin named by -u in the Remote Command above. Do not embed it in the Remote Command as -pPASSWORD; the mysql client itself warns that a password on the command line can be insecure.

  6. Click Save and Return when finished.

With the record now created, test by establishing a browser-based session using the Connect option or use your native SSH client.

You should see that PAM creates the remote session and then automatically executes your Remote Command.
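To make the Remote Command and Command Password fields concrete, the following is an added example written for this page; it is not XTAM/PAM code and does not show how PAM is implemented internally. It spawns a command on a pseudo-terminal, waits for the program's own password prompt, types the password there, and then relays the rest of the session, which is the pattern the MySQL scenario above relies on. The "mysql" it drives is a constructed stand-in script (hypothetical, written to a temporary directory) so the example runs offline; the argv and the "Enter password:" prompt mirror the real client, and the password s3cret, the user admin, the host 10.0.0.33 and the database Master are assumed values.

```python
import os
import pty
import select
import signal
import sys
import tempfile
import textwrap

# Constructed stand-in for the mysql client (not the real client). It prompts for
# a password the way `mysql -p` does, with terminal echo disabled, then either
# "connects" or fails with an access-denied message and exit code 1.
FAKE_MYSQL = textwrap.dedent('''\
    import getpass, sys
    secret = getpass.getpass("Enter password: ")
    if secret != "s3cret":
        sys.stdout.write("ERROR 1045 (28000): Access denied for user 'admin'\\n")
        sys.stdout.flush()
        sys.exit(1)
    sys.stdout.write("connected as admin to Master\\n")
    sys.stdout.flush()
    sys.exit(0)
''')


def run_with_prompted_password(argv, prompt, password, timeout=10.0):
    """Run argv on a pseudo-terminal; when `prompt` appears in its output, type
    `password` followed by Enter, exactly as an operator would. Returns
    (transcript, exit_code). The secret travels through the tty, so it is never
    part of argv, and because a well-behaved client turns echo off while
    reading it, it does not show up in the transcript either."""
    pid, master = pty.fork()
    if pid == 0:  # child: becomes the remote command, attached to the slave tty
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached if exec failed; never run parent code here
    transcript = b""
    answered = False
    while True:
        ready, _, _ = select.select([master], [], [], timeout)
        if not ready:  # the prompt never came, or the command hung: do not wait forever
            os.kill(pid, signal.SIGKILL)
            break
        try:
            chunk = os.read(master, 4096)
        except OSError:  # Linux raises EIO once the child has closed the slave side
            break
        if not chunk:  # EOF on platforms that report it that way
            break
        transcript += chunk
        if not answered and prompt.encode() in transcript:
            os.write(master, password.encode() + b"\n")
            answered = True
    _, status = os.waitpid(pid, 0)
    os.close(master)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return transcript.decode(errors="replace"), code


def demo(command_password="s3cret"):
    """Drive the stand-in the way the record's fields would drive the real client:
    Remote Command `mysql -u admin -p -h 10.0.0.33 Master`, Command Password typed
    at the prompt. Returns (transcript, exit_code, argv_used)."""
    with tempfile.TemporaryDirectory() as workdir:
        client = os.path.join(workdir, "mysql")  # hypothetical path to the stand-in
        with open(client, "w") as f:
            f.write(FAKE_MYSQL)
        argv = [sys.executable, client, "-u", "admin", "-p", "-h", "10.0.0.33", "Master"]
        transcript, code = run_with_prompted_password(argv, "Enter password:", command_password)
    return transcript, code, argv


if __name__ == "__main__":
    transcript, code, argv = demo()
    print(transcript)
    print("exit code:", code)
    print("password present in argv?", "s3cret" in " ".join(argv))
```

A wrong Command Password surfaces as the client's own error and a non-zero exit code rather than a hung session, which is the failure mode to expect when a rotated database password has not yet been updated in the record.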

Note that automatic command execution can be added to any other Unix record type, such as Unix Host with Key, by adding the two fields (Command and CommandPassword) to that record type or by using record type inheritance. See the article Creating Custom Record Types for details.