{"id":19634102,"url":"https://github.com/raforg/sshdo","last_synced_at":"2025-10-09T13:02:03.446Z","repository":{"id":149946606,"uuid":"182336063","full_name":"raforg/sshdo","owner":"raforg","description":"controls which commands may be executed via incoming ssh","archived":false,"fork":false,"pushed_at":"2025-07-27T14:57:38.000Z","size":272,"stargazers_count":41,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-27T16:47:04.122Z","etag":null,"topics":["bsd","cli","debian","freebsd","linux","macos","macosx","netbsd","openbsd","posix","redhat","security","ssh","svr4","ubuntu","unix"],"latest_commit_sha":null,"homepage":"http://raf.org/sshdo/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/raforg.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-04-19T23:14:42.000Z","updated_at":"2025-07-27T14:57:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"4c659e3b-1665-4001-849f-acc6f5c957c0","html_url":"https://github.com/raforg/sshdo","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/raforg/sshdo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fsshdo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fsshdo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fsshdo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fsshdo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/raforg","download_url":"https://codeload.github.com/raforg/sshdo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fsshdo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279001424,"owners_count":26083079,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bsd","cli","debian","freebsd","linux","macos","macosx","netbsd","openbsd","posix","redhat","security","ssh","svr4","ubuntu","unix"],"created_at":"2024-11-11T12:19:34.276Z","updated_at":"2025-10-09T13:02:03.406Z","avatar_url":"https://github.com/raforg.png","language":"Python","readme":"# README\n\n*sshdo* - controls which commands may be executed via incoming ssh\n\n# DESCRIPTION\n\n*sshdo* provides an easily configurable way of controlling which commands\nmay be executed via incoming *ssh* connections.\n\nAn *ssh* public key in a `~/.ssh/authorized_keys` file can have a\n`command=\"\"` option which forces a particular command to be executed when\nthe key is used to authenticate an *ssh* connection. This is a security\ncontrol that mitigates against private key compromise.\n\nThis is great when you only need to execute a single command. But if you\nneed to perform multiple tasks, you would normally need to create and\ninstall a separate key pair for each command, or just not bother making use\nof forced commands and allow the key to be used to execute any command.\n\nInstead, you can make *sshdo* act as the forced command, and when an *ssh*\nconnection tries to execute a command, *sshdo* will consult the\nconfiguration files, `/etc/sshdoers` and `/etc/sshdoers.d/*`, to decide\nwhether or not the user and key are allowed to execute the command. The\nrequested command is only executed if it is allowed by the configuration.\n\nThis makes it possible to use a single authorized key for any number of\ncommands and still prevent its use for any other purpose.\n\nYou will need to identify which commands need to be allowed by each user and\nauthorized key. To make this easy, *sshdo* can be put into *training* mode\nwhere it will allow (and log) the execution of all commands.\n\nAfter some time, *sshdo* can then *learn* from the logs and create the\nconfiguration necessary to allow the commands that were encountered during\ntraining mode.\n\nIt can also *unlearn* occasionally and create a new configuration that will\nno longer allow commands that no longer appear to be in use. This can help\nto maintain strict least privilege.\n\n# FROM\n\n    URL: https://raf.org/sshdo\n    GIT: https://github.com/raforg/sshdo\n    GIT: https://codeberg.org/raforg/sshdo\n    Date: 20230619\n    Author: raf \u003craf@raf.org\u003e\n\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraforg%2Fsshdo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fraforg%2Fsshdo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraforg%2Fsshdo/lists"}