<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Command restriction - SSH in Operating System - Linux</title>
    <link>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201509#M10239</link>
    <description>You could also use SSH keypairs that have single commands attached to them, or Sudo so that they would have non-interactive access to these accounts.&lt;BR /&gt;&lt;BR /&gt;I know this is more complicated than a complete chroot jail, but once set up it can be easier to administer.&lt;BR /&gt;&lt;BR /&gt;If the users are non-technical you could wrap your commands in a simple shell-script/menu that is executed as soon as they log in.&lt;BR /&gt;</description>
    <pubDate>Thu, 26 Feb 2004 05:53:59 GMT</pubDate>
    <dc:creator>Andrew Cowan</dc:creator>
    <dc:date>2004-02-26T05:53:59Z</dc:date>
    <item>
      <title>Command restriction - SSH</title>
      <link>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201506#M10236</link>
      <description>Hi!&lt;BR /&gt;&lt;BR /&gt;I would like to set up some accounts on a Linux server with restrictions on the number of commands that users will be able to execute.&lt;BR /&gt;&lt;BR /&gt;I want some accounts to only have access to their home or other directories, only with SFTP, to upload backup files, but I don't want them to use their login for other purposes on this machine. How can I achieve that?&lt;BR /&gt;&lt;BR /&gt;And if I want to restrict the user to 5 commands, for example?&lt;BR /&gt;&lt;BR /&gt;Thank you</description>
      <pubDate>Wed, 25 Feb 2004 03:24:15 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201506#M10236</guid>
      <dc:creator>Marc-Aurele Brothier</dc:creator>
      <dc:date>2004-02-25T03:24:15Z</dc:date>
    </item>
    <item>
      <title>Re: Command restriction - SSH</title>
      <link>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201507#M10237</link>
      <description>A simple way is to create a directory into which you copy the commands you want the user to have.  Then set the user's PATH to only point into that directory.  This obviously doesn't stop them changing their PATH (can you make PATH read only?).&lt;BR /&gt; &lt;BR /&gt;You can get more sophisticated by using things such as the restricted shell "rsh" which stops them changing directories and the like.  Finally, you can consider combining the above with "chroot" with which you can make their home directory the "root" directory for them.  There is no way of breaking out of that.</description>
      <pubDate>Wed, 25 Feb 2004 03:35:53 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201507#M10237</guid>
      <dc:creator>Mark Grant</dc:creator>
      <dc:date>2004-02-25T03:35:53Z</dc:date>
    </item>
    <item>
      <title>Re: Command restriction - SSH</title>
      <link>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201508#M10238</link>
      <description>Hi,&lt;BR /&gt;&lt;BR /&gt;What I'd recommend is to set up a chrooted sftp server. The advantage of a chrooted ftp environment is that you can determine which commands can be run (as you create a separate environment you decide what files you copy). Since you only want the users to ftp to this machine it probably doesn't matter where their homedir is. For instance, you could create them in /opt/ftp/chroot/home/&amp;lt;USERNAME&amp;gt;.&lt;BR /&gt;&lt;BR /&gt;To restrict the user to 5 commands can be achieved by changing the amount of simultaneous logins. See your config file for this (I'm not sure sftp can achieve this, it seems pretty simple.) I recommend you use pure-ftp (&lt;A href="http://www.pureftpd.org/" target="_blank"&gt;http://www.pureftpd.org/&lt;/A&gt;), which supports SSL/TLS and does all of the above and is widespread.&lt;BR /&gt;&lt;BR /&gt;A good start to set up sftp (from OpenSSH) can be found here:&lt;BR /&gt;&lt;A href="http://mail.incredimail.com/howto/openssh/addons/sftp-chroot.howto.txt" target="_blank"&gt;http://mail.incredimail.com/howto/openssh/addons/sftp-chroot.howto.txt&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;Hope this helps,&lt;BR /&gt;&lt;BR /&gt;Robert</description>
      <pubDate>Wed, 25 Feb 2004 09:03:55 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201508#M10238</guid>
      <dc:creator>Robert Binkhorst</dc:creator>
      <dc:date>2004-02-25T09:03:55Z</dc:date>
    </item>
    <item>
      <title>Re: Command restriction - SSH</title>
      <link>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201509#M10239</link>
      <description>You could also use SSH keypairs that have single commands attached to them, or Sudo so that they would have non-interactive access to these accounts.&lt;BR /&gt;&lt;BR /&gt;I know this is more complicated than a complete chroot jail, but once set up it can be easier to administer.&lt;BR /&gt;&lt;BR /&gt;If the users are non-technical you could wrap your commands in a simple shell-script/menu that is executed as soon as they log in.&lt;BR /&gt;</description>
      <pubDate>Thu, 26 Feb 2004 05:53:59 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/command-restriction-ssh/m-p/3201509#M10239</guid>
      <dc:creator>Andrew Cowan</dc:creator>
      <dc:date>2004-02-26T05:53:59Z</dc:date>
    </item>
  </channel>
</rss>

