suse-list@bout-tyme.net 3/17/2005 6:11:12 PM >>>
On Thu, 2005-03-17 at 16:27 -0500, David Truchan-contr wrote:
Carlos/Jon,
Thanks for your responses.
Both ideas are great. Unfortunately, rbash is too restrictive for my situation. Forced-commands using keys is a neat approach; it's a bit of a daunting task creating private passphrase keys for 800 users that connect via Windows ssh clients and populating their authorized_keys file on the server.
I did a Google search last night, and ran across a thread about just changing the user's login shell to be that of my menu program.
I tested this today and it seems to work well. Any forced command passed to ssh just results in the menu program being displayed. Same with scp. I have sftp disabled.

Thanks for the feedback. Trapping ^c doesn't prevent non-interactive logins from still issuing other commands. Something like ssh host "cat /etc/passwd" is still possible.
At the place I worked at the main system ran on SCO and users were forced to use a menu that they could not break out of. If you turn off ^c and add a line in their .profile/.bashrc to call your menu with the next line being "logout", as soon as they exit the menu they are logged off the system. This way you can adjust the menu to your wishes.
--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
* Only reply to the list please*
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
On Friday 18 March 2005 00:53, David Truchan-contr wrote:
Thanks for the feedback. Trapping ^c doesn't prevent non-interactive logins from still issuing other commands. Something like ssh host "cat /etc/passwd" is still possible.

There is quite some useful info in bash's manual page. You can read all about this in the section "Invocation". It might take some time to understand the possibilities and to experiment a bit. Here is something I tried out: Create a file /etc/bash.bashrc.local with the following content:

    # login_shell is set only when bash was started as a login shell
    if shopt -q login_shell; then
        echo "interactive"
    else
        echo "non-interactive"
        echo "This is not allowed. Terminating..."
        exit
    fi

An interactive shell, invoked with e.g. 'ssh user@host', is allowed. A non-interactive shell, invoked with e.g. 'ssh user@host ls', is not allowed. To only use this for a particular group of users, you would have to create a new group, make those users a member of that group, and put above code between a check for membership.

Cheers,
Leen
On Friday 18 March 2005 01:38, Leendert Meyer wrote:
To only use this for a particular group of users, you would have to create a new group, make those users a member of that group, and put above code between a check for membership.
Suppose that group is called 'restricted_users', you could do:
if id -G -n | grep -q '\
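An added example (not code from either poster) of the group-gated check discussed above: it compares group names as whole words, so a similarly named group such as restricted_users_admin does not count, and it denies only non-login shells for members. The function names are hypothetical; the group name restricted_users and the file /etc/bash.bashrc.local come from the thread, and the example assumes that file is read for 'ssh user@host command' sessions as described above.

```bash
# Group-gated login-shell check, meant to be sourced from
# /etc/bash.bashrc.local (added example; function names are hypothetical).

RESTRICTED_GROUP="restricted_users"

# in_group GROUP "space separated group list"
# Succeeds only on an exact name match, never on a substring.
in_group() {
    local want=$1 g
    for g in $2; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# decide IS_LOGIN GROUPS
# Prints "deny" for a member of RESTRICTED_GROUP whose shell is not a
# login shell (e.g. 'ssh user@host ls'), otherwise "allow".
decide() {
    local is_login=$1 groups=$2
    if in_group "$RESTRICTED_GROUP" "$groups" && [ "$is_login" != "1" ]; then
        echo deny
    else
        echo allow
    fi
}

# enforce: gather the real state of the current bash session and act on it.
enforce() {
    local is_login=0
    shopt -q login_shell && is_login=1
    if [ "$(decide "$is_login" "$(id -G -n)")" = deny ]; then
        echo "This is not allowed. Terminating..." >&2
        exit 1
    fi
}

# In /etc/bash.bashrc.local, finish with a call to:
#   enforce
```

Members of other groups are never affected, so administrative accounts keep working non-interactively.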