Operating System - HP-UX

Prevent remote logins to a non-root account with SSH

Paul Kapelanski
Occasional Contributor

I know I can do this via the DenyUsers directive but the account also needs to do remote command execution. Any ideas? Is there a better way?

Thanks

Paul
TwoProc
Honored Contributor

Re: Prevent remote logins to a non-root account with SSH

Well,

I don't know for sure - but I just ran across this document for ssh, and it may help. It allows you to set explicit commands to be run for a user - providing the proper ssh key exists. For example, you could have a key for an "uptime" command, another key for a "ping" command, etc. (bad examples, but hey, it's an example). So, I think that you might be able to come up with something that should work for you by maybe creating a user with no shell - but maybe has these keyed discrete commands that can do things. I've not tried this for a user with no shell, but other than that, I think it might get you what you want.

http://www.puschitz.com/SecuringLinux.shtml#CopyingFilesUsingSshWithoutProvidingLoginPrompts
We are the people our parents warned us about --Jimmy Buffett
Haralambos
Advisor

Re: Prevent remote logins to a non-root account with SSH

So, with regard to the second part of your request, that is to allow a certain command to be executed, you can do this using public key authentication.

userA on clientA owns a public/private key pair. On serverA, copy userA's public key into userB_SSHserver's authorized_keys file. This file will of course be located on the ssh server side under $HOME/.ssh/authorized_keys (that is, userB_SSHserver's home dir).

In this file you will append userA's public key (one line) as follows:

command="",from="[ ........key

If, in the above line, you omit the command, the from, etc., then userA will be able to connect to userB_SSHserver's home account with full shell access.

Now, as far as your first request, it might be that in the sshd_config you can use the Match directive, available in version 4.4.

Use something like this at the end of the file:
Match User userA
# ForceCommand needs the command as its argument; the path below is a placeholder
ForceCommand /path/to/allowed-command
It might be that if this works you do not need to use the public key auth which I described earlier. I have never tried this myself, but it might be that using this method shell access is denied altogether.

haralambos
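Both replies above end at the same place: the account gets a forced command, either per key (command="..." in authorized_keys) or per user (Match plus ForceCommand in sshd_config), and that forced command decides what the remote side may actually run. The script below is an added example, not code from this thread or from HPE; it is the kind of wrapper you would point either mechanism at. The script name /usr/local/bin/ssh-allowed-cmd, the account name userB, the client address 192.0.2.10, the key blob and the three allowed commands are all assumptions chosen for the illustration. sshd sets SSH_ORIGINAL_COMMAND to whatever the client asked for and runs the wrapper instead, so the wrapper can refuse interactive logins (no original command) and anything not on its exact allow-list.

```shell
#!/bin/sh
# Added example (not from the forum thread): a forced-command wrapper for a
# non-root account that must run a few remote commands but never get a shell.
#
# Wire it up in one of the two ways the thread describes (all names here are
# assumptions for the example):
#
#  1. Per key, one line in ~userB/.ssh/authorized_keys on the server
#     (the key blob is a placeholder, not a real key):
#     command="/usr/local/bin/ssh-allowed-cmd",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER... userA@clientA
#
#  2. Per user, at the end of /etc/ssh/sshd_config (OpenSSH 4.4 and later;
#     Match blocks must come last):
#     Match User userB
#         ForceCommand /usr/local/bin/ssh-allowed-cmd
#         PermitTTY no
#         AllowTcpForwarding no
#
# In both cases sshd ignores the client's request, runs this script, and
# hands the request over in SSH_ORIGINAL_COMMAND.

# Return 0 if the requested command is on the allow-list, 1 otherwise.
# The match is on the whole string, so "uptime; rm -rf /" is refused.
is_allowed() {
    case "$1" in
        uptime|"df -h"|"cat /var/log/app/status") return 0 ;;
        *) return 1 ;;
    esac
}

# Map an allowed request to a fixed argv, so the request string itself is
# never evaluated by a shell.
run_allowed() {
    case "$1" in
        uptime)                    uptime ;;
        "df -h")                   df -h ;;
        "cat /var/log/app/status") cat /var/log/app/status ;;
        *)                         return 1 ;;
    esac
}

# Entry point when sshd invokes the script. sshd always sets SSH_CONNECTION
# for a session, so this guard keeps the functions callable from other scripts.
if [ -n "${SSH_CONNECTION:-}" ]; then
    req="${SSH_ORIGINAL_COMMAND:-}"
    if [ -z "$req" ]; then
        # No command means the client wanted an interactive shell.
        echo "interactive login is not permitted for this account" >&2
        exit 1
    fi
    if ! is_allowed "$req"; then
        logger -p auth.warning -t ssh-allowed-cmd \
            "refused '$req' from ${SSH_CLIENT%% *}"
        echo "command not permitted: $req" >&2
        exit 1
    fi
    run_allowed "$req"
fi
```

Because the wrapper matches the whole request string and then runs a fixed command, a key that is stolen or an account that is otherwise reachable can only produce the three outputs listed, and every refused attempt lands in the auth log with the client address. The no-pty and forwarding restrictions on the authorized_keys line (or PermitTTY and AllowTcpForwarding under Match) close the remaining ways of turning a command-only key into something more.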