How to Configure SSH Forced Command Execution via ~/.ssh/config for Privilege Escalation

Many sysadmins face this workflow dilemma: we maintain strict security by disabling direct root login (PermitRootLogin no), yet need to frequently elevate privileges after initial authentication. The standard ssh -t hostname su - approach works but becomes tedious for daily operations.

Here are three technical approaches to embed privilege escalation directly in your SSH client configuration:

Option 1: Host-Specific Command Execution

Host myserver-root
    HostName actual.server.com
    User your_username
    IdentityFile ~/.ssh/id_ed25519
    RequestTTY force
    RemoteCommand sudo -i || su -

Option 2: ProxyCommand Implementation

Host myserver-root
    HostName actual.server.com
    ProxyCommand ssh -W %h:%p myserver
    RequestTTY yes
    RemoteCommand su -

Option 3: Match Directive (SSH 7.3+)

Match host myserver exec "pgrep -f 'ssh myserver-root'"
    RequestTTY yes
    RemoteCommand su -

  • RequestTTY: Critical for interactive sessions (equivalent to -t flag)
  • RemoteCommand: Executes immediately after connection
  • Fallback Logic: Consider adding || sudo -i for sudo environments

While convenient, this approach has implications:

  • Command appears in process listing on both client and server
  • Consider using sudo with timestamp instead of su
  • Keep your SSH config file permissions at 600 and check regularly that neither the permissions nor the contents have changed

For a production jump host setup:

Host prod-root
    HostName jumphost.prod.example.com
    User deploy
    IdentityFile ~/.ssh/prod_deploy_key
    RequestTTY yes
    RemoteCommand sudo -u root /bin/bash -l

  • Test with ssh -vvv myserver-root for verbosity
  • Ensure /etc/sudoers allows your user to escalate
  • Modern SSH versions (8.0+) may require PermitUserRC yes server-side

When managing multiple servers, we often need to switch to root using su - after SSH login. While ssh myserver -t su - works from command line, we want this behavior configurable in ~/.ssh/config for convenience.

SSH config supports the RemoteCommand option (introduced in OpenSSH 7.6), which does exactly this:

Host myserver-root
    HostName actual.server.com
    User yourusername
    Port 22
    IdentityFile ~/.ssh/id_rsa
    RequestTTY yes
    RemoteCommand su -

For versions before 7.6, we can use a ProxyCommand trick:

Host myserver-root
    HostName actual.server.com
    User yourusername
    ProxyCommand ssh -q -t %h "su -"

While this approach is convenient, consider these security implications:

  • Never store root passwords in scripts
  • Use sudo when possible instead of full root access
  • Consider SSH certificates instead of password authentication

Verify your setup works properly:

ssh -v myserver-root

The -v flag helps debug any connection issues.

For managing multiple servers with similar requirements:

Host *-root
    User defaultuser
    RequestTTY yes
    RemoteCommand su -

Host webserver-root
    HostName web1.example.com

Host dbserver-root
    HostName db1.example.com
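The following audit script is an added example and is not part of the original article. It checks the two points raised above, that the client config file must be mode 600 and that any Host or Match block setting RemoteCommand to an interactive shell (su -, sudo -i) also sets RequestTTY, and it shows how to confirm the resolved options with ssh -G before reaching for ssh -v. The sample configs it writes (a correct wildcard *-root block and a flawed block without RequestTTY) are constructed for the demo, and the function names are my own, not OpenSSH's.

```shell
#!/bin/sh
# ssh_config_audit.sh: an added example, not the article's own code.
# It audits a client ssh_config for the two pitfalls the article names:
#   1. ~/.ssh/config must be mode 600 (no group/other bits), and
#   2. any Host/Match block that sets RemoteCommand to an interactive shell
#      (su -, sudo -i) needs RequestTTY yes|force, or su/sudo cannot prompt.
# Function names and the sample configs are constructed for this demo.

# check_config_perms FILE: 0 if FILE has no group/other permission bits.
check_config_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    # columns 5-10 of the ls mode string hold the group and other bits
    rest=$(ls -ld "$f" | awk '{ print substr($1, 5, 6) }')
    [ "$rest" = "------" ]
}

# lint_remote_command FILE: prints one WARN line per Host/Match block that
# sets RemoteCommand without RequestTTY yes|force in that same block and
# returns 1 if anything was reported. Only full-line comments are skipped,
# matching how ssh parses the file (a mid-line '#' is not a comment).
# This is a per-block check; ssh -G (effective_options below) is the
# authoritative view when options are spread over several matching blocks.
lint_remote_command() {
    awk '
    function value(line) {               # text after the first keyword
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", line); return line
    }
    function flush() {
        if (blk != "" && rc != "" && tty != "yes" && tty != "force") {
            printf "WARN: [%s] RemoteCommand \"%s\" without RequestTTY yes|force\n", blk, rc
            bad++
        }
    }
    BEGIN { bad = 0; blk = ""; rc = ""; tty = "" }
    /^[ \t]*#/ { next }                  # full-line comment
    NF == 0 { next }                     # blank line
    {
        key = tolower($1)
        if (key == "host" || key == "match") {
            flush(); blk = value($0); rc = ""; tty = ""; next
        }
        if (key == "remotecommand") rc = value($0)
        else if (key == "requesttty") tty = tolower($2)
    }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# effective_options HOST: what ssh will really use for HOST, resolved from
# the config without connecting (ssh -G, available since OpenSSH 6.8).
effective_options() {
    ssh -G "$1" | grep -iE '^(hostname|user|requesttty|remotecommand) '
}

# write_samples DIR: two constructed configs, one correct and one flawed.
write_samples() {
    cat > "$1/good" <<'EOF'
# wildcard block carries the escalation; per-host blocks add only HostName
Host *-root
    User deploy
    RequestTTY yes
    RemoteCommand sudo -i || su -

Host webserver-root
    HostName web1.example.com
EOF
    cat > "$1/bad" <<'EOF'
Host myserver-root
    HostName actual.server.com
    RemoteCommand su -
EOF
    chmod 600 "$1/good"
    chmod 644 "$1/bad"
}

# Stand-alone run: audit both constructed samples.
tmpdir=$(mktemp -d)
write_samples "$tmpdir"
for cfg in good bad; do
    printf '== %s ==\n' "$cfg"
    if check_config_perms "$tmpdir/$cfg"; then
        echo "perms: ok"
    else
        echo "perms: group/other bits set, run chmod 600"
    fi
    if lint_remote_command "$tmpdir/$cfg"; then echo "tty: ok"; fi
done
rm -rf "$tmpdir"
```

Point the two check functions at ~/.ssh/config on a real machine; the warning it prints for the flawed sample is exactly the failure mode behind a hung or "must be run from a terminal" su prompt, and effective_options myserver-root is the quickest way to see whether RequestTTY and RemoteCommand actually landed in the block ssh selects.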