Restricted ssh user

Postby tripialos » 2012/04/03 11:39:54

Hi guys

I have been using CentOS 5 on embedded systems for the past year and I am pretty happy with it. I came across a situation yesterday where I need to add a restricted ssh user.

The main idea is:

1) The user will be able to perform specific commands such as ping, iptables, tracert, ifconfig
2) The user WILL NOT BE ABLE to navigate to the root directory or to any other folder except his home directory.

Can someone please guide me on how to perform the above configuration? I am not asking for a step by step guide but just to know in which way I can configure a restricted ssh user, and from there I can do some studying. For example I have read on a forum that you can add such a user using rssh.

Will I have to use rssh for such users, or are there other ways?

Thanks in advance for your help.

Restricted ssh user

Postby pschaff » 2012/04/03 17:50:51

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

If you want the user to have only scp and/or sftp access then rssh may be appropriate. It can be installed from the EPEL or RPMforge repo:

Name       : rssh
Arch       : x86_64
Version    : 2.3.3
Release    : 1.el5
Size       : 43 k
Repo       : epel
Summary    : Restricted shell for use with OpenSSH, allowing only scp and/or
           : sftp
URL        : http://www.pizzashack.org/rssh/
License    : BSD
Description:
           : rssh is a restricted shell for use with OpenSSH, allowing only scp
           : and/or sftp. For example, if you have a server which you only want
           : to allow users to copy files off of via scp, without providing
           : shell access, you can use rssh to do that. It is a alternative to
           : scponly.


For more information try a forum search for ssh chroot and/or a google on ssh chroot jail centos-5 OR rhel5 OR "red hat enterprise linux 5" or similar.

Re: Restricted ssh user

Postby tripialos » 2012/04/12 07:09:14

Hi again

I did research and installed a jail for a user. Indeed the jail method was impressive, at least for me, because it was the first time I used the jail method. However I now ran into a bigger problem and I am a bit frustrated because I don't really know how to move on from here.

1) My problem is how I will be able to restrict a command to be executed only with specific parameters. For instance, if the "ping" command is executed without the option -c ("ping -c") then the command shall not be executed.

Another example is the iptables command. Whatever the input might be, if the command does not have the parameters "-L -t nat -xvn" then the command shall not be executed.

2) The iptables command is a privileged command; how will this command be executed by a jailed user?

3) I created my jail using jailkit; the iptables command gives me an error that it cannot find any nat table (when executed by the jailed user).

Suggestions:

So far people have suggested that I:

1) Create my own script to be run once the user is logged in (sshed)
2) Run the iptables -L -t nat -xvn command on a "cron" basis and save the results in a file where a custom command would present the output.

Re: Restricted ssh user

Postby tripialos » 2012/04/30 10:39:05

OK, I decided to use a script in order to achieve all of the above, but I now have a strange problem.

1) I add a user with the name "testuser"
2) I copy "myscript" to the /root/ folder
3) I chmod 755 myscript
4) I created a file ".bash_login" in "/home/testuser" and added the following line:

exec /bin/bash  /root/myscript

When I login over ssh as user "testuser", the script isn't executed.

Any idea why this is happening?

Re: Restricted ssh user

Postby AlanBartlett » 2012/04/30 16:11:37

4) I created a file ".bash_login" in "/home/testuser" and added the following line:

exec /bin/bash  /root/myscript

There is your problem. Make that "exec" line the first line of "testuser"'s .bash_profile file and then try again.

Re: Restricted ssh user

Postby tripialos » 2012/05/02 06:56:50

Thanks for the help. It works like a charm; however there is a "security issue" this time.

As you can see from the thread, this script is going to be used as a shell in order to restrict a user and give him the option to execute only four commands with specific parameters.

Now, if I ssh to the remote machine with the command

ssh -l testuser <host> "bash --noprofile"

The script will not be executed and testuser will gain a full bash shell.

What I did was to modify the /etc/passwd file and edit:

FROM
testuser:x:506:506::/home/testuser:/bin/bash

TO
testuser:x:506:506::/home/testuser:/path/to/myscript

This way, even if the user sshes to the host with the parameter "--noprofile", the script will still be executed.

BUT...

What I want to ask is:

Is there any danger or other security risk with the above solution? Meaning the fact that I changed testuser's shell into my script in /etc/passwd?

Thanks again for your important help

Re: Restricted ssh user

Postby AlanBartlett » 2012/05/03 01:29:40

I cannot see any potential problem with your solution -- other than possible defects in your own script.

You will need to rigorously test all "corner-cases" to ensure that what you wish to be performed is the only achievable result.
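Putting tripialos's /etc/passwd login-shell approach together with Alan's advice to test the corner cases, here is an allow-list login shell written for this thread (an added example, not the poster's script). It assumes the script is installed as /usr/local/bin/rshell, that tool paths are the CentOS 5 defaults, and that an assumed sudoers rule lets testuser run exactly /sbin/iptables -L -t nat -xvn without a password; the -c branch is what closes the ssh "bash --noprofile" hole, because sshd hands a remote command to the login shell as "-c <command>".

```shell
#!/bin/sh
# rshell: allow-list login shell (constructed example). Install root-owned, mode 0755,
# as /usr/local/bin/rshell and set it as the user's shell in /etc/passwd. Tool paths are
# CentOS 5 defaults (assumed); iptables runs via an assumed sudoers rule for that exact argv.

# Map one requested command line to the exact argv that may run: prints it and returns 0,
# or prints nothing and returns 1 when the request is denied.
rshell_resolve() {
    req=$1
    # Positive character allow-list: anything a shell could interpret is refused outright.
    if printf '%s' "$req" | LC_ALL=C grep -q '[^A-Za-z0-9._: -]'; then return 1; fi
    set -- $req   # unquoted split is safe here: no glob or quote characters passed the check
    case "$1" in
        ping)   # exactly "ping -c <1..10> <host>": -c is mandatory, nothing else is accepted
            [ $# -eq 4 ] && [ "x$2" = "x-c" ] || return 1
            case "$3" in ''|*[!0-9]*) return 1 ;; esac
            [ "$3" -ge 1 ] && [ "$3" -le 10 ] && [ "${4#-}" = "$4" ] || return 1
            echo "/bin/ping -c $3 $4" ;;
        traceroute)
            [ $# -eq 2 ] && [ "${2#-}" = "$2" ] || return 1
            echo "/bin/traceroute $2" ;;
        ifconfig)
            [ $# -eq 1 ] || return 1
            echo "/sbin/ifconfig" ;;
        iptables)   # only the read-only NAT listing, with the parameters in this order
            [ "$req" = "iptables -L -t nat -xvn" ] || return 1
            echo "/usr/bin/sudo /sbin/iptables -L -t nat -xvn" ;;
        exit|logout) echo "exit" ;;
        *) return 1 ;;
    esac
}
rshell_run() {
    cmd=$(rshell_resolve "$1") || { echo "denied: $1" >&2; return 1; }
    [ "$cmd" = "exit" ] && exit 0
    $cmd
}
rshell_main() {
    # sshd runs "rshell -c '<command>'" for `ssh host <command>`, so "bash --noprofile"
    # and the sftp subsystem request go through the same allow-list as interactive input.
    if [ "x$1" = "x-c" ]; then rshell_run "$2"; exit $?; fi
    while printf 'restricted> '; IFS= read -r line; do
        [ -n "$line" ] && rshell_run "$line"
    done
    exit 0
}
# Dispatch only when invoked as the login shell ("-rshell" at login, "rshell" from sshd).
case "${0##*/}" in rshell|-rshell) rshell_main "$@" ;; esac
```

Because the user's home directory is never consulted (no .bash_profile, no .bashrc), there is nothing there for the user to edit that changes what runs; the corner cases to test are the ones rshell_resolve rejects: missing -c, an extra option, shell metacharacters, and any command not in the case list.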

Re: Restricted ssh user

Postby tripialos » 2012/05/03 08:48:16

Thanks Alan

Will proceed as such

Re: Restricted ssh user

Postby pschaff » 2012/05/03 14:19:29

Please let us know how that works out. Current followers of the thread and future forum searchers will doubtless be interested in the outcome.