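#!/usr/bin/perl
#
# Checks to see if remote host is authorized to run ssh command
#
# Based off of original script by Brian Hatch which can be found here:
# http://www.hackinglinuxexposed.com/tools/authprogs/src/
#
# Meant to run as the forced command for a key in ~/.ssh/authorized_keys;
# sshd then hands us the command the client asked for in
# $ENV{SSH_ORIGINAL_COMMAND} and the client address in $ENV{SSH_CLIENT}.
#
# Config file is located in ~/.ssh/authssh.conf
#
# It looks like this:
#
# I 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4
# /sysutils/*
# /bin/ls
# I 192.168.1.2
# /usr/local/bin/blargh
#
# An "I" line lists client addresses; the lines after it, up to the next
# "I" line, are the commands those addresses may run.  A command entry has
# to match the WHOLE requested command: "*" matches any run of characters,
# every other character is literal.  Blank lines and "#" comments are
# skipped.  An allowed command is executed directly (no shell), split on
# whitespace, so pipes, redirections and quoted arguments are not
# available to the client -- that is what stops "/bin/ls; rm -rf /" from
# being accepted by an entry for /bin/ls.
#
# Exit status: the child's status when a command ran, 127 when it could
# not be started, 1 when the request was refused.
#
# Joe Topjian, joe@terrarum.net
#

use strict;
use warnings;
use POSIX qw(strftime);

my $timestamp = strftime "%Y/%m/%d %H:%M:%S", localtime;

my $LOGFILE = "$ENV{HOME}/.ssh/authssh.log";
open my $log_fh, '>>', $LOGFILE or die "Cant open $LOGFILE\n";

my $CONFIGFILE = "$ENV{HOME}/.ssh/authssh.conf";
open my $config_fh, '<', $CONFIGFILE or die "Cant open $CONFIGFILE\n";

# Extract the client address from SSH_CLIENT ("address client_port
# server_port").  An IPv4 client reached over an IPv6 socket shows up as
# "::ffff:192.168.1.1"; the prefix is dropped so it compares equal to the
# dotted form used in the config.  Returns undef when the variable is
# missing or empty (the script was not started by sshd).
sub _client_ip {
    my ($ssh_client) = @_;
    return unless defined $ssh_client;
    my ($addr) = $ssh_client =~ m{ \A \s* (\S+) }xms;
    return unless defined $addr;
    $addr =~ s{ \A ::ffff: }{}xmsi;
    return $addr;
}

# Read the config and collect the command entries granted to $client_ip.
# Returns ($listed, \@entries): $listed is true when some "I" line names
# the client, @entries the command patterns under those lines.
sub _allowed_entries {
    my ($fh, $client_ip) = @_;
    my $listed  = 0;    # client seen on at least one "I" line
    my $in_sect = 0;    # current section applies to the client
    my @entries;
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s{ \s+ \z }{}xms;
        next if $line =~ m{ \A \s* (?: \# | \z ) }xms;    # blank / comment
        if ($line =~ m{ \A I (?: \s | \z ) }xms) {
            my (undef, @ips) = split /\s+/, $line;
            # A new "I" line always starts a new section, so the flag is
            # recomputed rather than left over from the previous one.
            $in_sect = (grep { $_ eq $client_ip } @ips) ? 1 : 0;
            $listed = 1 if $in_sect;
        }
        elsif ($in_sect) {
            push @entries, $line;
        }
    }
    return ($listed, \@entries);
}

# Turn a config entry into an anchored regex: "*" becomes ".*", anything
# else is quoted literally, so the entry has to cover the full command.
sub _entry_to_regex {
    my ($entry) = @_;
    my $body = join '.*', map { quotemeta } split /\*/, $entry, -1;
    return qr{\A$body\z}s;
}

my $client_ip = _client_ip($ENV{SSH_CLIENT});
my $COMMAND   = $ENV{SSH_ORIGINAL_COMMAND};

my $status = 1;
if (!defined $client_ip) {
    print {$log_fh} "[$timestamp] SSH_CLIENT not set; refusing to run\n";
}
else {
    my ($listed, $entries) = _allowed_entries($config_fh, $client_ip);
    close $config_fh;

    if (!$listed) {
        print {$log_fh} "[$timestamp] Unauthorized use of ssh from $client_ip\n";
    }
    elsif (!defined $COMMAND || $COMMAND !~ m{\S}) {
        # Interactive login or empty command: nothing to match against.
        print {$log_fh} "[$timestamp] $client_ip connected without a command\n";
    }
    elsif (grep { $COMMAND =~ _entry_to_regex($_) } @{$entries}) {
        # Run exactly once even when several entries match, and run
        # without a shell: the indirect-object form of system never
        # hands the string to /bin/sh.  split ' ' drops leading blanks.
        my @argv = split ' ', $COMMAND;
        system { $argv[0] } @argv;
        if ($? == -1) {
            print {$log_fh} "[$timestamp] Cant run $COMMAND for $client_ip: $!\n";
            $status = 127;
        }
        else {
            $status = $? >> 8;
        }
    }
    else {
        print "You are unauthorized to run $COMMAND\n";
        print {$log_fh} "[$timestamp] $client_ip is not allowed to run $COMMAND\n";
    }
}

# Buffered write errors only surface at close, so check it.
close $log_fh or warn "Cant close $LOGFILE: $!\n";
exit $status;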