#!/bin/bash

#
# This script can be added to the authorized_keys2 file in order
# to limit the commands a user can run on the HMC. At the same time
# it provides logging capability via syslog.
# To deploy this script, put it in the authorized_keys2 file under
# a user's .ssh directory as follows:
#
# command="logssh ${SSH_ORIGINAL_COMMAND}" ssh-rsa some key value
#
# When this command is deployed, a user logging in with the identity matching
# the one in the authorized_keys2 file will not be able to open an interactive
# ssh session, use scp, or run the mkauthkeys command.
# When deploying this via mkauthkeys from a remote host, escape the " and $
# characters appropriately.
#
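#######################################
# Forced-command wrapper for the HMC: logs the login and the requested
# command to syslog, applies the per-user command policy, then runs the
# requested command in a restricted shell.
# Globals:   SSH_CLIENT (read), PATH (written)
# Arguments: the words of SSH_ORIGINAL_COMMAND as split by the login shell
#            (see the deployment line above); $1 is the command name
# Outputs:   denial message on stderr; otherwise the command's own output
# Returns:   1 when the command is denied, otherwise the exit status of
#            the command that was run
#######################################

# Print a denial message and stop before anything is executed.
deny() {
  printf '%s\n' "$1" >&2
  exit 1
}

# Resolve the identity with the caller's PATH, before it is restricted below.
me=$(whoami)

# Only the HMC restricted-command directories are searchable from here on;
# every later lookup (date, the caller's command) resolves against these.
export PATH=/usr/hmcrbin/:/hmcrbin

# SSH_CLIENT is "<client-ip> <client-port> <server-port>"; keep the address.
# Parameter expansion avoids depending on 'cut' being in the restricted PATH.
REMOTE_HOST=${SSH_CLIENT%% *}

/bin/logger -t hmc_ssh -p auth.info "$me login on $(date) from ${REMOTE_HOST}"
if [[ -n "$1" ]]; then
  # Log the whole argument list, not just $1, so the audit trail shows
  # what was actually requested.
  /bin/logger -t hmc_ssh -p auth.info "$me runs $* on $(date) from ${REMOTE_HOST}"
else
  /bin/logger -t hmc_ssh -p auth.info "$me initiates ssh session on $(date) from ${REMOTE_HOST}"
fi

# Policy: only hscroot may manage keys, copy files, or get a plain session.
# Only the first word is inspected; anything else present in the PATH
# directories above is runnable, so those directories must not hold
# shells or other interpreters that could leave restricted mode.
if [[ "$me" != "hscroot" ]]; then
  case "$1" in
    mkauthkeys) deny "No privilege to run mkauthkeys." ;;
    scp)        deny "No privilege to run scp." ;;
    "")         deny "No privilege to login with ssh." ;;
  esac
fi

# Restricted mode (bash -r): no cd, no PATH changes, no command names
# containing '/', no output redirection to files. Set it after the PATH
# export above, since PATH cannot be changed once restricted.
set -r

# "$@" runs the arguments exactly as received; the unquoted $* it replaces
# would re-split them and expand any glob characters against the cwd.
"$@"
exit $?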
