System Administration

Need to restrict user to do ssh to another host

 
UX-ADM
Occasional Contributor


Hi Guys,

 

I need to restrict one of the local users on an HPUX 11iv3 system from doing ssh to any other host. It means the user should not be allowed to do ssh to any IP or to specific IPs.

Looking for any option or method available to achieve it.

 

Thanks in advance.

 

Unixadm.

1 REPLY
Matti_Kurkela
Honored Contributor

Re: Need to restrict user to do ssh to another host

To successfully enforce such a restriction, you may have to list the things the user *is* allowed to do on that system, and set up a restricted shell to permit only those activities.

 

Otherwise, the user may work around any restrictions you place on the ssh binary by bringing his/her own ssh binary to the system. As long as the user has access to an unrestricted shell and the default HP-UX tools, the user might prepare a uuencoded version of the SSH binary at some other location, and then run "uudecode > my_very_own_ssh" on the system, then copy & paste the contents of the uuencoded file to the session. Since the user is the creator & owner of the file, s/he can easily give it an execute permission and start using it.

MK
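
An added example, not part of the original thread: a POSIX sh audit an administrator could run to spot the situation the reply describes, that is, regular files owned by the restricted user that carry an execute bit in directories that user can write to. The function names and the directories passed in are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report regular files owned by
# a given user that have any execute bit set, under the directories given.
# Typical arguments would be the user's home directory and shared writable
# locations such as /tmp and /var/tmp.

# list_user_executables USER DIR...
# USER may be a login name or a numeric uid.
# Prints one path per line; prints nothing when there are no findings.
# Paths containing newlines are not handled specially.
list_user_executables() {
    user=$1
    shift
    for dir in "$@"; do
        # Skip arguments that are not existing directories.
        [ -d "$dir" ] || continue
        # Match a file when the owner, group or other execute bit is set.
        find "$dir" -type f -user "$user" \
            \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print 2>/dev/null
    done
}

# count_user_executables USER DIR...
# Prints the number of findings, for use in a cron job or monitoring check.
count_user_executables() {
    list_user_executables "$@" | wc -l | tr -d ' '
}

# Stand-alone use: ./audit.sh USER DIR [DIR...]
if [ "$#" -ge 2 ]; then
    list_user_executables "$@"
fi
```

Anything it reports still has to be reviewed by hand, since a user may legitimately own scripts; the point is that a new executable in the restricted account's writable space becomes visible.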