HPE Community
Operating System - Linux
1830224 Members
2026 Online
109999 Solutions
New Discussion

Command restriction - SSH

 
SOLVED
Go to solution
Marc-Aurele Brothier
Occasional Advisor

‎02-24-2004 07:24 PM

‎02-24-2004 07:24 PM

Command restriction - SSH

Hi!

I would like to set up some accounts on a linux server with restrictions to the number of commands that users will be able to execute.

I want some accounts to only access to their home or other directories only with SFTP to upload backup files, but I don't want them to use their login for other purpose on this machine. How can I achieve that?

And if I want to restrict the user to 5 commands for example?

Thank you
0 Kudos
Reply
3 REPLIES 3
Mark Grant
Honored Contributor

‎02-24-2004 07:35 PM

‎02-24-2004 07:35 PM

Re: Command restriction - SSH

Simple way is to create a directory into which you copy the commands you want the user to have. Then set the users PATH to only point into that directory. This obviously doesn't stop them changing their PATH (can you make PATH read only?).

You can getmore sophisticated by using things such as the restricted shell "rsh" which stops them changing directories and the like. FInally, you can consider compining the above with "chroot" with which you can make their home directory the "root" directory for them. There is no way of breaking out of that.
Never preceed any demonstration with anything more predictive than "watch this"
0 Kudos
Reply
Robert Binkhorst
Trusted Contributor

‎02-25-2004 01:03 AM

‎02-25-2004 01:03 AM

Solution

Re: Command restriction - SSH

Hi,

What I'd recommend is to set up a chrooted sftp server. The advantage of a chrooted ftp environment is that you can determine which commands can be run (as you create a separate environment you decide what files you copy). Since you only want the users to ftp to this machine it probably doesn't matter where their homedir is. For instance, you could create them in /opt/ftp/chroot/home/.

To restrict the user to 5 commands can be achieved by changing the amount of simultaneous logins. See your config file for this (I'm not sure sftp can achieve this, it seems pretty simple.) I recommend you use pure-ftp (http://www.pureftpd.org/), which supports SSL/TLS and does all of the above and is widespread.

A good start to set up sftp (from OpenSSH) can be found here:
http://mail.incredimail.com/howto/openssh/addons/sftp-chroot.howto.txt

Hope this helps,

Robert
linux: the choice of a GNU generation
Reply
Andrew Cowan
Honored Contributor

‎02-25-2004 09:53 PM

‎02-25-2004 09:53 PM

Re: Command restriction - SSH

You could also use SSH keypairs that have single commands attached to them, or Sudo so that they would none interactive access to these accounts.

I know this is more complicated than a complete chroot jail, but once setup it can be easier to administer.

If the users are non-technical you could wrap your commands in a simple shell-script/menu that is executed as soon as they login.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.