EC2 - run a script immediately after ssh login?

Answers

Well, first of all, just put a passphrase on your private key with ssh-keygen -p.

Then, there are several ways to get control after login.

One is via a per-user shell startup file or the /etc shell startup file that some shells have.¹
Another way (won't work in old OpenSSH) is to use the forcecommand option in sshd_config.
Yet another way is to use the command= option in the authorized_keys file.

Putting a passphrase on the private key doesn't work terribly well for an agent that logs in under program control. In those cases, it's best to dedicate a login account for the agent (that is, don't use your interactive-capable one) and then force it to do one and only one thing via the second or third method.

^{1. In this case you need to secure all shell startup files from the agent user. This can be tricky. The system or the shell may object if you try the obvious thing of making them owned by root. This is generally the more dangerous approach.}

DigitalRoss

Posted 2013-03-24T21:58:19.233

Reputation: 2 968

BTW, one reason #2 and #3 are easier to secure is this: scp is a sort of subcommand and it's blocked by forcecommand and command=. This prevents a compromised agent from just rewriting the security files. – DigitalRoss – 2013-03-24T23:05:53.303

You can configure sshd to require a password in addition to a public key (two factor authentication). It's best to ask this sort of question on ServerFault.com or SuperUser.com. – dave4420 – 2013-03-24T22:22:35.197

2Does this actually have anything to do with EC2? – phs – 2013-03-24T22:24:06.160

I would suggest a different title, like secure agent ssh login or something similar. – DigitalRoss – 2013-03-24T22:45:26.263