Boyan Tabakov wrote:
Hi, Is it possible to restrict certain users to executing only one specific command on the server with ssh? No interactive login should be allowed and no other commands should be accepted. If possible - how? Didn't see any options in sshd_config that looked promising... One think that came to mind is using the shell field in the /etc/passwd file (setting it to some custom script). Any other ideas?
You could do that, but the security is poor: you are depending on the security of the application that you give the user. For instance, if you give the user vi, then the user can just "shell out" with ":!bash" That confined shell technique that I posted on December 10 <http://lists.opensuse.org/opensuse-security/2006-12/msg00004.html> also works here. My old post described how to confine a user's shell, so that they can only execute some commands. To use this technique to allow them only a single command, you would instead use a hardlink pointing from a unique name for your command (say, /usr/bin/restrictedgrep -> /usr/bin/grep ) and then use the rest of the technique that I outlined to build your profile for /usr/bin/restrictedgrep. Under this scheme, if the user tries to shell out, or in fact access any file you did not give them access to, AppArmor will block it. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Hacking is exploiting the gap between "intent" and "implementation" --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org