Score:1

SSH config: How to automatically execute an interactive script locally before connection?

Background:

I have a local script that needs to execute locally as a pre-requisite to making an ssh connection.

The script is already working, but currently users need to run the script, then make an ssh connection - two steps. I would like that to happen in one step.

Example script run, from the user's perspective:

```
$ /scripts/generate-mfa-auth.sh
MFA Code: 12345
Configuring authorized_keys...
Success. You can now connect over ssh.

$ ssh me@host.local.example.com
```

Goal / Problem:

I want this script to allow user input when triggered from ssh config.

For example, the ssh config below executes the script properly, but it does not allow the user to interact and the user is never shown any stdout of the script:

```
Match host bastion* exec "/scripts/generate-mfa-auth.sh"

Host bastion1.local.example.com
  IdentityFile ~/.ssh/my-bastion-ssh-key

Host *local.example.com !bastion1.local.example.com
  IdentityFile ~/.ssh/my-target-ssh-key
  ProxyCommand ssh ubuntu@bastion1.example.com -W %h:%p
```

Question:

Is there any way to have this script work interactively when called from ssh config?

Andrew Lowther
It sounds like you want an interactive script to provide MFA. Your best option for a custom script will probably be something involving `pam_exec`. I would encourage you to look at existing solutions like `pam_oath.so`/`oathtool`, and `google-authenticator`.
Rino Bino
Thanks, yea MFA is already working and the script is already working. Currently users need to run the script, then make an ssh connection.... I would like that to happen in one step.
Andrew Lowther
I didn't realize the script ran locally so my first comment is not relevant. I added an answer that uses a fairly common pattern to change a command's behavior.
Score:0
I'm not aware of a way to do this with ssh configuration, but a fairly common solution is creating a script that is installed earlier in the PATH. For example:

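```bash
# Create the wrapper as a root-owned, world-executable file
install -m 0755 -o root -g root /dev/null /usr/local/bin/ssh
# Quote the heredoc delimiter so $my_input and "$@" are written literally
# instead of being expanded while the file is created
cat <<'EOF' > /usr/local/bin/ssh
#!/usr/bin/env bash

# Prompt locally, then hand off to the real client with the original arguments
read -r -p "mfa prompt: " my_input
echo "$my_input"
/usr/bin/ssh "$@"
EOF
```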

Other common suggestions involve creating an alias or a function to do the same thing.

Rino Bino
This is the correct answer. There is no way to do this directly with ssh config `exec`.
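
A fuller version of the wrapper pattern from the answer above, as an added example that is not part of the original thread: it runs the MFA script only for interactive connections to matching hosts, so the `ProxyCommand` in the question (which also calls `ssh`) does not trigger a second prompt. It assumes the `Match ... exec` line has been removed from the ssh config, that the real client is `/usr/bin/ssh`, and that the host patterns from the question are the ones needing MFA; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: install as /usr/local/bin/ssh, ahead of /usr/bin in PATH.
REAL_SSH="${REAL_SSH:-/usr/bin/ssh}"                       # assumed path of the real client
MFA_SCRIPT="${MFA_SCRIPT:-/scripts/generate-mfa-auth.sh}"  # script named in the question

# Ask ssh itself which host it would connect to. `ssh -G` prints the effective
# configuration without connecting, so -o, -F, user@host and Host aliases are
# resolved by ssh rather than by fragile argument parsing here.
resolved_host() {
    "$REAL_SSH" -G "$@" 2>/dev/null | awk '$1 == "hostname" { print $2; exit }'
}

# Assumption: the bastion and every host proxied through it need the MFA step
# (patterns taken from the question's ssh config).
needs_mfa() {
    case "$1" in
        bastion*|*local.example.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Prompt only when a terminal is attached. The ProxyCommand in the question
# runs "ssh" too, which resolves to this wrapper with stdin/stdout wired to the
# outer ssh; scp, sftp and git invoke it the same way.
interactive() { [ -t 0 ] && [ -t 1 ]; }

ssh_with_mfa() {
    if interactive && needs_mfa "$(resolved_host "$@")"; then
        # Fail closed: do not connect if the MFA step did not succeed.
        "$MFA_SCRIPT" || { echo "ssh wrapper: MFA step failed" >&2; return 1; }
    fi
    "$REAL_SSH" "$@"
}

# Dispatch only when this file is installed under the name "ssh".
case "${0##*/}" in
    ssh) ssh_with_mfa "$@"; exit $? ;;
esac
```

Every tool that calls `ssh` by name now runs through this file, so keep it root-owned and not writable by ordinary users, as the `install` command in the answer does.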