Mailinglist Archive: opensuse-security (49 mails)

Re: [opensuse-security] Restrict ssh command execution
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Sun, 17 Dec 2006 15:27:17 -0800
  • Message-id: <4585D255.2060309@xxxxxxxxxx>
Martti Laaksonen wrote:
> You might want to look into using public keys for user authentication
> and setting some options to a specific key(s) in
> ~/.ssh/authorized_keys file.
>
> There's more info in sshd's man page (paragraph Authorized_keys file
> format), but basically you can restrict a specific public key to
> execute only a certain command by placing command="command_name"
> option before the public key data in the authorized_keys file.
Martti's suggestion and mine work very well together. The above enforces
that a user ssh'ing into the machine can only run a single command, and
my suggestion gives you mandatory policy control over what that command
can do. Using the hardlink hack, you can make the command unique to a
user, or generic to a role.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hacking is exploiting the gap between "intent" and "implementation"
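
An added example, not part of the original message or of OpenSSH: a small Python audit that parses an authorized_keys file and reports, per key, the forced command="..." value (or its absence) and which of the no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty options are missing. The sample file, its paths and its key blobs are constructed, and the newer "restrict" keyword is not interpreted.

```python
import re

# Common names that start the key field, i.e. the line has no options field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# sshd options that close channels a forced command leaves open (lower-cased).
HARDENING = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty")


def parse_options(line):
    """Return the options of one authorized_keys entry as {name: value}."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}
    opts, cur, quoted, i = [], "", False, 0
    # The options field ends at the first whitespace outside double quotes.
    while i < len(line) and (quoted or not line[i].isspace()):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1      # \" is a literal quote in the value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    opts.append(cur)
    # Option keywords are case-insensitive; flag-style options get an empty value.
    return {n.lower(): v for n, _, v in (o.partition("=") for o in opts)}


def audit(text):
    """Yield (line number, forced command or None, missing hardening options)."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        missing = [name for name in HARDENING if name not in opts]
        yield number, opts.get("command"), missing

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = '''# backup role: one command, nothing else
command="/usr/local/bin/backup-pull",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER backup@example
command="/usr/local/bin/report \\"daily\\"" ssh-rsa AAAAB3PLACEHOLDER report@example
ssh-rsa AAAAB3PLACEHOLDER admin@example
'''

if __name__ == "__main__":
    for number, command, missing in audit(SAMPLE):
        print(number, command or "NO FORCED COMMAND", "missing:", ", ".join(missing) or "-")
```

A key reported with no forced command can run anything the account can; a key with a forced command but missing options can still open the listed channels.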
