$ shellfirm

SSH & Root Detection

How shellfirm detects SSH sessions and root users to increase protection

Running commands on a remote server or as root carries more risk than working on your own machine as an unprivileged user. shellfirm detects both conditions automatically from the environment of the shell that invokes it and raises the challenge difficulty accordingly.

SSH session detection

shellfirm checks for the presence of either of these environment variables:

  • SSH_CONNECTION -- set by the SSH server for every session; holds the connection details (client IP, client port, server IP, server port)
  • SSH_TTY -- set by the SSH server to the path of the allocated pseudo-terminal; it is only present when a pty was allocated, so a non-interactive `ssh host command` has SSH_CONNECTION but no SSH_TTY

If either variable is present, shellfirm marks the session as an SSH session and sets the risk level to Elevated.

SSH context label (shown in the Context: line of the prompt):
ssh=true

What Elevated risk means

With the default escalation configuration, an Elevated risk level upgrades the challenge type to at least Enter. If your configured challenge is already Enter or Yes, it stays at that level (escalation never lowers the challenge).

Configured challenge    After SSH escalation
Math                    Enter
Enter                   Enter
Yes                     Yes

Root user detection

shellfirm checks whether the EUID environment variable equals 0. When it does, the session is marked as running as root and the risk level is set to Critical. Note that in bash and zsh EUID is a variable maintained by the shell and is not exported to child processes by default, so the check relies on the shell integration exposing it; a session in which shellfirm cannot see EUID=0 is not marked as root.

Root context label (shown in the Context: line of the prompt):
root=true

What Critical risk means

With the default escalation configuration, a Critical risk level upgrades the challenge type to Yes. This requires you to type "yes" to confirm every intercepted command.

Configured challenge    After root escalation
Math                    Yes
Enter                   Yes
Yes                     Yes

Combined SSH + root

When you SSH into a server and then sudo su to root, both signals can be detected. Since root triggers Critical and SSH triggers Elevated, the final risk level is Critical (the higher of the two). Be aware that sudo with its default env_reset policy and su - (a login shell) both drop most of the calling environment, including SSH_CONNECTION and SSH_TTY, unless they are explicitly preserved (for example through sudo's env_keep). After sudo su - you may therefore see only root=true; the risk level is still Critical, because root alone is enough to reach it.

Combined context labels:
ssh=true
root=true

Configuration

SSH and root detection is automatic and cannot be disabled. Only the escalation behavior (which challenge each risk level maps to) can be customized:

# In ~/.shellfirm/settings.yaml
context:
  escalation:
    elevated: Enter    # SSH sessions: Math → Enter
    critical: Yes      # Root user: any → Yes

You can change the challenge type that each risk level maps to. For example, to make SSH sessions require Yes instead of Enter:

context:
  escalation:
    elevated: Yes
    critical: Yes
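The following POSIX shell functions are an added example, not shellfirm's own code, that model the detection and escalation rules described in the SSH, root, combined and configuration sections above: either SSH variable gives Elevated, EUID 0 gives Critical, Critical outranks Elevated, and escalation can raise but never lower the configured challenge. The variables SF_ESCALATION_ELEVATED and SF_ESCALATION_CRITICAL are hypothetical stand-ins for the context.escalation.elevated and context.escalation.critical keys in settings.yaml; sf_check_session reads the real SSH_CONNECTION, SSH_TTY and EUID of the shell it runs in, so you can source the file and call it before and after sudo su - to see which signals survive the environment reset.

```shell
#!/bin/sh
# Model of shellfirm's context detection and challenge escalation.
# Added illustration based on the documented rules; not shellfirm's code.

# Escalation map. These variables are assumptions standing in for
# context.escalation.elevated / .critical in ~/.shellfirm/settings.yaml.
SF_ESCALATION_ELEVATED="${SF_ESCALATION_ELEVATED:-Enter}"
SF_ESCALATION_CRITICAL="${SF_ESCALATION_CRITICAL:-Yes}"

# Rank challenges so escalation can only go up: Math < Enter < Yes.
sf_rank() {
    case "$1" in
        Math)  echo 1 ;;
        Enter) echo 2 ;;
        Yes)   echo 3 ;;
        *)     echo 0 ;;
    esac
}

# sf_detect_risk SSH_CONNECTION SSH_TTY EUID
# Prints the context labels followed by the resulting risk level,
# e.g. "ssh=true root=true risk=critical".
sf_detect_risk() {
    ssh_conn="$1"; ssh_tty="$2"; euid="$3"
    labels=""; risk="normal"
    # Either SSH variable being non-empty marks an SSH session: Elevated.
    if [ -n "$ssh_conn" ] || [ -n "$ssh_tty" ]; then
        labels="ssh=true"
        risk="elevated"
    fi
    # EUID 0 marks root: Critical, which outranks Elevated.
    if [ "$euid" = "0" ]; then
        labels="${labels:+$labels }root=true"
        risk="critical"
    fi
    echo "${labels:+$labels }risk=$risk"
}

# sf_escalate CONFIGURED_CHALLENGE RISK
# Prints the challenge that applies after escalation; never lowers it.
sf_escalate() {
    configured="$1"; risk="$2"
    case "$risk" in
        elevated) floor="$SF_ESCALATION_ELEVATED" ;;
        critical) floor="$SF_ESCALATION_CRITICAL" ;;
        *)        floor="$configured" ;;
    esac
    if [ "$(sf_rank "$floor")" -gt "$(sf_rank "$configured")" ]; then
        echo "$floor"
    else
        echo "$configured"
    fi
}

# sf_check_session [CONFIGURED_CHALLENGE]
# Reports how the current shell would be classified. EUID is a bash/zsh
# variable, so fall back to id -u when running under plain sh.
sf_check_session() {
    ctx="$(sf_detect_risk "${SSH_CONNECTION:-}" "${SSH_TTY:-}" "${EUID:-$(id -u)}")"
    risk="${ctx##*risk=}"
    echo "$ctx challenge=$(sf_escalate "${1:-Math}" "$risk")"
}
```

Source the file in an interactive shell and run `sf_check_session Math` once over SSH and again after `sudo su -`; the second call typically drops ssh=true but still reports risk=critical and challenge=Yes, which is the behaviour the combined section describes.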

Practical examples

Deploying on a remote server over SSH

SSH Session Escalation
$ ssh deploy@prod-web-01
# shellfirm detects SSH session -- Elevated risk
$ rm -rf /var/log/app/old-*
============ RISKY COMMAND DETECTED ============
Severity: HIGH
Context: ssh=true
Description: Recursively deletes files and directories.
Alternative: rm -ri
(Prompts before each file removal so you can confirm individually.)
Challenge ESCALATED: Math -> Enter
? Type Enter to continue Esc to cancel ›

Running as root

Root User Escalation
$ sudo su -
# shellfirm detects root -- Critical risk
$ docker system prune -a
============ RISKY COMMAND DETECTED ============
Severity: MEDIUM
Context: root=true
Description: Removes all unused Docker data including stopped containers and images.
Alternative: docker system prune
(Removes only dangling resources without the -a flag, keeping tagged images.)
Challenge ESCALATED: Math -> Yes
? Type yes to continue Esc to cancel ›