Restrict ssh sessions

It is quite simple to limit an ssh session to a set of specific commands. This solution may not be bulletproof, but it is sufficient in most cases.

My first attempt was to use rssh, but sadly that project is no longer maintained. I ran into a bug which forced me to look for a different solution.

The bug: rsync commands will fail with “illegal insecure e option”.

Here is what I did:

#!/bin/bash
# This script allows restricted shell access
# Author: d.nelle@DNportal.de

# Restrict direct shell login: sshd invokes the login shell as
# "shell -c <remote command>", so anything else is refused.
if [ $# -ne 2 ] || [ "$1" != "-c" ]
then
  echo -e "Direct shell login not allowed.\n"
  exit 1
fi

# Allow remote commands to be executed.
# Note: these are prefix matches ("rsync"* also matches "rsyncfoo"), and the
# matched string is still interpreted by bash, so shell metacharacters after
# the command name (";", "|", "$(...)") are honored as well.
case "$2" in
  "rsync"* | "chown"* | "chmod"* )
    # Execute command
    /bin/bash -c "$2"
    ;;
  * )
    echo -e "This command is not allowed.\n"
    exit 1
    ;;
esac

Installation

To activate this restricted shell for a user, set the script as that user's login shell, either by editing /etc/passwd directly or with usermod -s /var/restricted_bash.sh foo. The script must be executable, and it should be owned by root and not writable by the restricted user, since a user who can edit the wrapper (for example by uploading a new copy with rsync) can remove their own restrictions.

$ cat /etc/passwd
[...]
foo:x:5000:5000::/home/foo:/var/restricted_bash.sh

Test

$ ssh foo@someserver rsync --version
rsync  version 3.0.6  protocol version 30
Copyright (C) 1996-2009 by Andrew Tridgell, Wayne Davison, and others.
Web site: http://rsync.samba.org/
Capabilities:
    64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
    socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace,
    append, ACLs, xattrs, iconv, no symtimes
rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.

One more test

$ rsync --verbose --archive --whole-file --perms --times --stats foo@someserver:.ssh/* .
receiving file list ... done
Number of files: 1
Number of files transferred: 0
Total file size: 752 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 50
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 20
Total bytes received: 70
sent 20 bytes  received 70 bytes  180.00 bytes/sec
total size is 752  speedup is 8.36
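The case patterns in the wrapper above are prefix matches, and whatever matches is still handed to bash -c, so a remote command such as rsync --version; id passes the check and bash runs id as well. The following is an added example, written for this edit and not part of the original script: a stricter wrapper that splits the command string itself, accepts only an exact command name and a conservative character set in every argument, and execs the binary directly so no shell ever interprets the remote command. The function names check_command and run_restricted and the binary paths /usr/bin/rsync, /bin/chown and /bin/chmod are assumptions for a typical Linux host.

```sh
#!/bin/sh
# Added example (not the original wrapper): a dispatcher that never hands
# the remote command string to a shell. Binary paths are assumptions.

# check_command CMD -> 0 if CMD may run, 1 otherwise. Sets BIN on success.
check_command() {
  set -f                  # no glob expansion while we split into words
  set -- $1               # word-split on whitespace, nothing else
  set +f
  [ $# -gt 0 ] || return 1
  case "$1" in            # exact match, so "rsyncfoo" does not pass
    rsync) BIN=/usr/bin/rsync ;;
    chown) BIN=/bin/chown ;;
    chmod) BIN=/bin/chmod ;;
    *) return 1 ;;
  esac
  # Every word may only contain plain characters; ; & | $ ` ( ) quotes,
  # backslashes and wildcards are all refused.
  for word in "$@"; do
    case "$word" in
      *[!A-Za-z0-9._/=:,@+-]*) return 1 ;;
    esac
  done
  return 0
}

# run_restricted CMD: validate, then replace this process with the binary.
run_restricted() {
  check_command "$1" || { echo "This command is not allowed." >&2; return 1; }
  set -f
  set -- $1
  shift                   # drop the command name; BIN already points at it
  exec "$BIN" "$@"
}

# Login-shell entry point: sshd runs the shell as `shell -c "remote command"`.
# With no arguments (an interactive login, or sourcing this file for tests)
# nothing is executed and no shell is ever given out.
case "${1-}" in
  -c) [ $# -eq 2 ] || { echo "Direct shell login not allowed." >&2; exit 1; }
      run_restricted "$2"
      exit 1 ;;
  "") ;;
  *)  echo "Direct shell login not allowed." >&2; exit 1 ;;
esac
```

Because no shell expands wildcards any more, a transfer like the .ssh/* test above has to be run with rsync's --protect-args (-s) option, which sends the file names inside the rsync protocol instead of on the remote command line and lets the rsync on the server expand the pattern; the remote command then contains only plain options and passes the allowlist. To see the difference against the original wrapper, run ssh foo@someserver 'rsync --version; id' and watch whether id produces output.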

Feel free to comment or send me hints to improve this script. Thanks!

That’s IT
