[kwlug-disc] Setting shell to a script
Chris Irwin
chris at chrisirwin.ca
Thu Sep 5 01:16:51 EDT 2019
On Wed, Sep 04, 2019 at 10:18:28PM -0400, Tim Laurence wrote:
>By editing your authorized_keys file you can also force ssh to execute a
>specific command on login. This will mean whenever a certain key is used it
>will automatically launch a specified command such as the remote end of a
>rsync client.
>
>https://manpages.debian.org/buster/openssh-server/authorized_keys.5.en.html
>
>Look for the 'command=' on the man page above to find the option that does
>this.
We're doing something similar via ForceCommand in /etc/ssh/sshd_config
(after matching a group).
Users who are members of the group can log into our server (controlled
via pam/sssd) but ForceCommand sticks them in a whitelist script
(similar in spirit to the one Paul linked to) which does some checks
against the SSH_ORIGINAL_COMMAND, and runs its own command based on
what it thinks was being asked for (it doesn't actually trust any part
of the user-provided SSH_ORIGINAL_COMMAND).
This allows us to restrict new users automatically, so helpdesk could
add a user without us needing to configure them.
Additionally, I believe the authorized_keys method only works for
restricting logins with a specific key (so you could restrict Key_A to
rsync, but Key_B can be unrestricted). This is not effective for users
who are not logging in with ssh keys (passwords, or Kerberos in our
case).
--
Chris Irwin
email: chris at chrisirwin.ca
xmpp: chris at chrisirwin.ca
web: https://chrisirwin.ca
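As an added illustration (not the poster's script, nor anything from the list), here is a ForceCommand wrapper in the spirit described above: it classifies SSH_ORIGINAL_COMMAND and then runs its own fixed command line, never the user-supplied one. The group name, script path, export directory and rsync flags are assumptions.

```shell
#!/bin/sh
# Hypothetical ForceCommand wrapper (added example). Assumed sshd_config:
#   Match Group restricted
#       ForceCommand /usr/local/bin/ssh-whitelist
# Applies to every login of group members, whether by key, password or
# Kerberos, since it is enforced by sshd rather than by authorized_keys.

# Map the raw SSH_ORIGINAL_COMMAND ($1) to the command line this script is
# willing to run. Prints that fixed command line, or returns 1 if the request
# is not recognized. Nothing from $1 is ever echoed back into the result.
resolve_command() {
    case "$1" in
        "")
            # Interactive shell requested: not allowed for restricted users.
            return 1 ;;
        "rsync --server --sender "*" . /srv/export/")
            # Read-only pull of the export tree. Flags and path are fixed by
            # the script (assumed values); whatever the client sent is ignored.
            echo "rsync --server --sender -logDtpr . /srv/export/" ;;
        "uptime")
            echo "/usr/bin/uptime" ;;
        *)
            # Anything else, including variations of the commands above.
            return 1 ;;
    esac
}

main() {
    cmd="$(resolve_command "${SSH_ORIGINAL_COMMAND-}")" || {
        logger -t ssh-whitelist "denied user=${USER-?} cmd=${SSH_ORIGINAL_COMMAND-}"
        printf 'Command not permitted\n' >&2
        exit 1
    }
    logger -t ssh-whitelist "allowed user=${USER-?} cmd=$cmd"
    # Word-splitting is safe here: $cmd is one of the literals above.
    exec $cmd
}

# Only dispatch when installed under the expected name, so the functions can
# also be sourced for testing.
case "$0" in */ssh-whitelist) main ;; esac
```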