[kwlug-disc] Setting shell to a script
Mikalai Birukou
mb at 3nsoft.com
Wed Sep 4 22:47:59 EDT 2019
Thank you, Tim. This is the way for automated single-function system
users. I personally never thought that authorized_keys is anything more
than just a collection of public keys.
On 2019-09-04 10:18 p.m., Tim Laurence wrote:
> By editing your authorized_keys file you can also force ssh to execute
> a specific command on login. This will mean whenever a certain key is
> used it will automatically launch a specified command such as the
> remote end of an rsync client.
>
> https://manpages.debian.org/buster/openssh-server/authorized_keys.5.en.html
>
> Look for the 'command=' on the man page above to find the option that
> does this.
>
> --Tim
>
> On Wed, Sep 4, 2019 at 5:55 PM Jason Eckert <jason.eckert at gmail.com> wrote:
>
> Have you tried using /sbin/nologin instead of /bin/false?
>
> On Wed, Sep 4, 2019 at 5:37 PM Paul Nijjar via kwlug-disc
> <kwlug-disc at kwlug.org> wrote:
>
> My websearching skills are failing me on this, so I will ask you smart
> people.
>
> I have an account that is kind of a service account (humans will not
> log into that account) but will be used for rsync via ssh. For
> security I would prefer that this account be locked down.
>
> I had set the shell of the user to /bin/false, but then ssh does not
> work.
>
> I am using a whitelist script I documented here:
> http://pnijjar.freeshell.org/2015/lock-rsync/
>
> Now I am wondering if there is more I can do to lock down the account.
> Setting the shell to /bin/rbash is not helpful unless I lock down a
> bunch of other things. There is an rssh shell that I have read about,
> but I have not tried it yet.
>
> One thing I am considering is actually setting the shell for the user
> to my whitelist script, which is a python executable. Is this a
> promising idea or a terrible one?
>
> - Paul
>
> --
> Get tech event listings: https://off-topic.kwlug.org/watcamp
> Blog: http://pnijjar.freeshell.org
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org>
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
--
Mikalai Birukou
CEO | 3NSoft Inc.
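
Added example (not part of the original thread, and not Paul's whitelist script): a minimal gate that a command= entry in authorized_keys could point at, checking SSH_ORIGINAL_COMMAND before running rsync. The script path, ALLOWED_ROOT, RSYNC, ALLOWED_LONG and the key shown in the comment are assumptions.

```python
#!/usr/bin/env python3
# Added example: gate for an rsync-only key, run by sshd via command="...".
# Constructed authorized_keys line (script path and key are placeholders):
#   command="/usr/local/bin/rsync-gate",restrict ssh-ed25519 AAAA...PLACEHOLDER backup
import os
import posixpath
import re
import shlex
import sys

ALLOWED_ROOT = "/srv/backup"    # assumption: only tree this key may reach
RSYNC = "/usr/bin/rsync"        # assumption: rsync location on the server
ALLOWED_LONG = {"--sender"}     # assumption: no other long options needed
SHELL_META = set(";&|<>`$(){}[]*?~!#\\\"'\n")


def check_request(original, root=ALLOWED_ROOT):
    """Return the argv to run, or None if the request is not allowed."""
    # Conservative: refuse anything a shell could interpret.
    if not original or SHELL_META & set(original):
        return None
    argv = shlex.split(original)
    # Remote side of rsync: rsync --server [--sender] -<flags> . <path>...
    if len(argv) < 5 or argv[:2] != ["rsync", "--server"] or "." not in argv:
        return None
    dot = argv.index(".")
    options, paths = argv[2:dot], argv[dot + 1:]
    if not paths:
        return None
    for opt in options:
        if opt not in ALLOWED_LONG and not re.fullmatch(r"-[A-Za-z0-9.]+", opt):
            return None
    for path in paths:
        # normpath collapses ".."; symlinks inside the tree are not resolved.
        norm = posixpath.normpath(path)
        if norm != root and not norm.startswith(root + "/"):
            return None
    return argv


def main():
    argv = check_request(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("rsync-gate: request rejected\n")
        return 1
    os.execv(RSYNC, argv)  # replaces this process; no shell involved


if __name__ == "__main__":
    sys.exit(main())
```

The restrict option in the key line turns off port, agent and X11 forwarding and PTY allocation for that key, so the gate is the only thing the key can reach.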