Remote command execution from one host to another is nothing new in more complex infrastructure. It is usually going to happen at low user level privilege and it's also password less ssh communication based on ssh keys. But what happens when ssh keys leaked or this account was compromised, now it gives us ability to escalate privileges on remote hosts. One way to prevent from happening this scenario is to allow execute only specific commands by entering them in authorized_keys file by command statement. Another way is to use PKI and signed all scripts (the same way as in MS Powershell). How it can be done is mentioned in:
you can download bash wrapper command from
and put them into command statement in authorized_keys just like that:
command="/usr/local/bin/sigsh.sh -p /bin/bash -c /usr/local/etc/cert.tmp"
Now you can post command to execute on remote system by:
ssh -tt witalis@<host> < /home/witalis/test.sh_signed
it will be interpreted as bash commands.
So now I could review all commands that should be executed on remote site by signing them, each modification won't be executed.