Restricted ssh user

tripialos
Posts: 30
Joined: 2012/04/03 11:06:46

Restricted ssh user

Post by tripialos » 2012/04/03 11:39:54

Hi guys

I have been using CentOS 5 on embedded systems for the past year and I am pretty happy with it. I came across a situation yesterday where I need to add a restricted ssh user.

The main idea is:

1) The user will be able to perform specific commands such as ping, iptables, tracert, ifconfig
2) The user WILL NOT BE ABLE to navigate to the root directory or to any other folder except his home directory.

Can someone please guide me on how to perform the above configuration? I am not asking for a step by step guide, just to know in which way I can configure a restricted ssh user, and from there I can do some studying. For example, I have read on a forum that you can add such a user using rssh.

Will I have to use rssh for such users, or are there other ways?

Thanks in advance for your help.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Restricted ssh user

Post by pschaff » 2012/04/03 17:50:51

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

If you want the user to have only scp and/or sftp access then rssh may be appropriate. It can be installed from EPEL or [url=http://wiki.centos.org/AdditionalResources/Repositories/RPMForge]RPMforge repo[/url]:

[code]Name : rssh
Arch : x86_64
Version : 2.3.3
Release : 1.el5
Size : 43 k
Repo : epel
Summary : Restricted shell for use with OpenSSH, allowing only scp and/or
: sftp
URL : http://www.pizzashack.org/rssh/
License : BSD
Description:
: rssh is a restricted shell for use with OpenSSH, allowing only scp
: and/or sftp. For example, if you have a server which you only want
: to allow users to copy files off of via scp, without providing
: shell access, you can use rssh to do that. It is a alternative to
: scponly.
[/code]

For more information try a forum search for [url=https://www.centos.org/search.php?query=ssh+chroot&mid=30&action=showall&andor=AND]ssh chroot[/url] and/or a google on [url=https://www.google.com/search?q=ssh+chroot+jail+centos-5+OR+rhel5+OR+%22red+hat+enterprise+linux+5%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=firefox-a]ssh chroot jail centos-5 OR rhel5 OR "red hat enterprise linux 5"[/url] or similar.

tripialos
Posts: 30
Joined: 2012/04/03 11:06:46

Re: Restricted ssh user

Post by tripialos » 2012/04/12 07:09:14

Hi again

I did research and installed a jail for a user. Indeed the jail method was impressive, at least for me, because it was the first time I used the jail method. However, I have now run into a bigger problem and I am a bit frustrated because I don't really know how to move on from here.

1) My problem is how I will be able to restrict a command to be executed only with specific parameters. For instance, if the "ping" command is executed without the option -c ("ping -c") then the command shall not be executed.

Another example is the iptables command. Whatever the input might be, if the command does not have the parameters "-L -t nat -xvn" then the command shall not be executed.

2) The iptables command is a privileged command; how will this command be executed by a jailed user?

3) I created my jail using jailkit; the iptables command gives me an error that it cannot find any nat table (when executed by the jail user).

Suggestions:

So far people have suggested that I:

1) Create my own script to be run once the user is logged in (sshed)
2) Run the iptables -L -t nat -xvn command on a "cron" basis and save the results to a file, where a custom command would present the output.

tripialos
Posts: 30
Joined: 2012/04/03 11:06:46

Re: Restricted ssh user

Post by tripialos » 2012/04/30 10:39:05

OK, I decided to use a script in order to achieve all of the above, but I now have a strange problem.

1) I add a user with the name "testuser"
2) I copy "myscript" to the /root/ folder
3) I chmod 755 myscript
4) I created a file ".bash_login" in "/home/testuser" and added the following line:

[code]exec /bin/bash /root/myscript[/code]


When I login over ssh as user "testuser", the script isn't executed.

Any idea why this is happening?

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Restricted ssh user

Post by AlanBartlett » 2012/04/30 16:11:37

[quote]
4) I created a file ".bash_login" on "/home/testuser" and added the following line:

[code]
exec /bin/bash /root/myscript
[/code]
[/quote]
There is your problem. Make that "exec" line the first line of "testuser"'s [b].bash_profile[/b] file and then try again.

tripialos
Posts: 30
Joined: 2012/04/03 11:06:46

Re: Restricted ssh user

Post by tripialos » 2012/05/02 06:56:50

Thanks for the help. It works like a charm, however there is a "security issue" this time.

As you can observe from the thread, this script is going to be used as a shell in order to restrict a user and give him the option to execute only four commands with specific parameters.

Now, if I ssh to the remote machine with the command

[code]ssh -l testuser "bash --noprofile"[/code]
The script will not be executed and the testuser will gain a full bash shell.

What I did was to modify the /etc/passwd file and edited:

[code]
FROM
testuser:x:506:506::/home/testuser:/bin/bash

TO
testuser:x:506:506::/home/testuser:/path/to/myscript
[/code]
This way, even if the user sshes to the host with the parameter "--noprofile", the script will still be executed.

BUT...

What I want to ask is:

Is there any danger or other security risk in the above solution? Meaning the fact that I changed testuser's bash shell into my script in /etc/passwd?

Thanks again for your important help

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Restricted ssh user

Post by AlanBartlett » 2012/05/03 01:29:40

I cannot see any potential problem with your solution -- other than possible defects in your own script.

You will need to rigorously test all "corner-cases" to ensure that what you wish to be performed is the only achievable result.

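An added example, not code posted in this thread: a restricted shell of the kind tripialos describes, installed as the login shell in /etc/passwd, that admits only the four commands with the argument rules stated above and denies everything else, including the corner cases Alan alludes to (extra flags, chained commands, an ssh remote command such as "bash --noprofile"). Binary locations and the exact argument patterns are assumptions.

```shell
#!/bin/bash
# Restricted login shell (added example, not code from the thread). Set as the
# user's shell in /etc/passwd, so "ssh -l testuser host 'bash --noprofile'"
# arrives as:  myscript -c "bash --noprofile"  and is refused like any other line.
# Binary locations and the exact argument rules are assumptions.
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
# A host argument: letters, digits, dots and dashes only, and no leading dash
# (so "ping -c 3 -f" cannot smuggle in a second flag).
valid_host() {
    case "$1" in "" | -* | *[!0-9a-zA-Z.-]*) return 1 ;; esac
    return 0
}

# Return 0 only when the whole line in $1 is one of the four permitted forms.
# Extra arguments, metacharacters and chained commands cannot match any pattern.
allowed() {
    case "$1" in
        "iptables -L -t nat -xvn") return 0 ;;                     # fixed read-only listing
        ifconfig)                  return 0 ;;                     # no interface arguments
        "ping -c "[1-9]" "*)       valid_host "${1#ping -c ? }" ;; # -c mandatory, count 1-9
        "traceroute "*)            valid_host "${1#traceroute }" ;;
        *)                         return 1 ;;
    esac
}

# Execute a validated line. Word splitting is safe because allowed() admits no
# metacharacters. iptables still needs root, which this shell does not grant
# (the cron-to-file idea from the thread is one way around that).
run_one() {
    if allowed "$1"; then
        set -f          # no globbing while splitting the line into words
        set -- $1
        "$@"
    else
        echo "restricted shell: command not permitted" >&2
        return 1
    fi
}

# Behave as a shell only when invoked as one: "-c cmd" for an ssh remote
# command, or a prompt loop when started as a login shell (argv[0] begins with "-").
if [ "$1" = "-c" ]; then
    run_one "$2"
elif [ "$#" -eq 0 ] && [ "${0#-}" != "$0" ]; then
    while printf 'restricted> ' && IFS= read -r line; do
        [ "$line" = exit ] && break
        run_one "$line"
    done
fi
```

The prompt loop and the -c path both go through the same allowed() check, so the two ways a user can reach the shell over ssh cannot diverge in what they permit.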
tripialos
Posts: 30
Joined: 2012/04/03 11:06:46

Re: Restricted ssh user

Post by tripialos » 2012/05/03 08:48:16

Thanks Alan

Will proceed as such

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Restricted ssh user

Post by pschaff » 2012/05/03 14:19:29

Please let us know how that works out. Current followers of the thread and future forum searchers will doubtless be interested in the outcome.
