Mailinglist Archive: opensuse-security (49 mails)

< Previous Next >
Re: [opensuse-security] Restrict ssh command execution
  • From: Boyan Tabakov <blade.alslayer@xxxxxxxxx>
  • Date: Mon, 18 Dec 2006 11:04:58 +0200
  • Message-id: <200612181105.06259.blade.alslayer@xxxxxxxxx>
On 18.12.2006 01:27, Crispin Cowan wrote:
> Martti Laaksonen wrote:
> > You might want to look into using public keys for user authentication
> > and setting some options to a specific key(s) in
> > ~/.ssh/authorized_keys file.
> >
> > There's more info in sshd's man page (paragraph Authorized_keys file
> > format), but basically you can restrict a specific public key to
> > execute only a certain command by placing command="command_name"
> > option before the public key data in the authorized_keys file.
> Martti's suggestion and mine work very well together. The above enforces
> that a user ssh'ing into the machine can only run a single command, and
> my suggestion gives you mandatory policy control over what that command
> can do. Using the hardlink hack, you can make the command unique to a
> user, or generic to a role.

True! These techniques combined offer great flexibility that does not
sacrifice security. In my particular case, however, the command being
executed should not be subject to 'twisting' of its normal behavior. Also,
AppArmor is not around when you don't have SuSE...

Blade hails you...

One night I dreamt a white rose withering
a newborn drowning a lifetime loneliness
I dreamt all my future. Relived my past
And witnessed the beauty of the beast
< Previous Next >
Follow Ups