It is quite simple to limit an SSH session to a set of specific commands. The solution below may not be bulletproof, but it is sufficient in most cases. Keep in mind what "not bulletproof" means here: the script only looks at how the requested command string begins and then hands the whole string to bash -c, so it stops casual use of other programs rather than a determined user.
My first attempt was to use rssh, but sadly this project is no longer maintained. I ran into a bug which forced me to look for a different solution.
The bug: rsync commands will fail with “illegal insecure e option”.
Here is what I did:
#!/bin/bash
# This script allows restricted shell access
# Author: d.nelle@DNportal.de

# Restrict direct shell login: sshd runs a login shell as "shell -c 'command'",
# so anything other than exactly "-c <command>" is an interactive login.
if [ $# -ne 2 ] || [ "$1" != "-c" ]
then
    echo -e "Direct shell login not allowed.\n"
    exit 1
fi

# Allow remote commands to be executed.
# Note: this is a prefix match on the command string, which is then run by
# bash -c as a whole, so a request such as "rsync --version; id" also matches.
case "$2" in
    "rsync"* | "chown"* | "chmod"* )
        # Execute command
        /bin/bash -c "$2"
        ;;
    * )
        echo -e "This command is not allowed.\n"
        exit 1
        ;;
esac
To activate this restricted shell for a user, make the script executable and set it as the user's login shell in /etc/passwd, either by editing the file directly or with usermod -s /var/restricted_bash.sh foo. The result looks like this:
$ cat /etc/passwd
[...]
foo:x:5000:5000::/home/foo:/var/restricted_bash.sh
$ ssh foo@someserver rsync --version
rsync  version 3.0.6  protocol version 30
Copyright (C) 1996-2009 by Andrew Tridgell, Wayne Davison, and others.
Web site: http://rsync.samba.org/
Capabilities:
    64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
    socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace,
    append, ACLs, xattrs, iconv, no symtimes

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.
One more test, an actual transfer from the restricted account:
$ rsync --verbose --archive --whole-file --perms --times --stats foo@someserver:.ssh/* .
receiving file list ... done

Number of files: 1
Number of files transferred: 0
Total file size: 752 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 50
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 20
Total bytes received: 70

sent 20 bytes  received 70 bytes  180.00 bytes/sec
total size is 752  speedup is 8.36
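The same idea with the check tightened, as an added example that is not the script from the post. It validates the whole requested command string against a small character set instead of matching only its prefix, requires the first word to be exactly rsync, chown or chmod, and execs the words directly rather than through bash -c. It works both as a login shell (sshd runs "shell -c 'command'") and as an authorized_keys forced command, where the request arrives in SSH_ORIGINAL_COMMAND. The PATH setting, the allowed character set and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the script from the post: a stricter restricted shell
# built on the same idea. Differences from the original:
#   - the whole command string is validated, not just its prefix; only a
#     small character set is accepted, so ';', '|', '$(...)', backticks,
#     quotes and redirections are refused instead of reaching a shell;
#   - the first word must be exactly rsync, chown or chmod;
#   - the words are exec'd directly, never passed to "bash -c".
# The PATH below is an assumption about where the allowed programs live.

LC_ALL=C; export LC_ALL           # A-Z and a-z below mean ASCII only
PATH=/usr/bin:/bin; export PATH   # fixed PATH, not whatever the session had

# Characters a request may contain: enough for rsync's server-side command
# line (options, paths, the * and ? wildcards), nothing a shell would act on.
allowed_chars='A-Za-z0-9 ./_=*?:@,+-'

# allowed_program NAME: 0 if NAME is one of the permitted commands.
allowed_program() {
    case "$1" in
        rsync|chown|chmod) return 0 ;;
        *)                 return 1 ;;
    esac
}

# check_command CMD: 0 if CMD may be executed, 1 otherwise.
check_command() {
    case "$1" in
        '')                  return 1 ;;   # empty request
        *[!$allowed_chars]*) return 1 ;;   # any character outside the set
    esac
    set -f                  # split into words without wildcard expansion
    set -- $1
    set +f
    allowed_program "${1-}"
}

# run_restricted CMD: exec CMD if it passes check_command, else refuse.
run_restricted() {
    cmd=$1
    if check_command "$cmd"; then
        # Split again, this time with wildcard expansion on so a remote
        # path like .ssh/* behaves as rsync expects. The result is exec'd
        # as an argument vector; no shell ever parses it.
        set -- $cmd
        exec "$@"
    fi
    printf 'This command is not allowed.\n' >&2
    exit 1
}

# Entry point.
if [ "${1-}" = "-c" ] && [ $# -eq 2 ]; then
    run_restricted "$2"                       # login-shell invocation
elif [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    run_restricted "$SSH_ORIGINAL_COMMAND"    # forced-command invocation
elif [ $# -eq 0 ] && [ -t 0 ]; then
    printf 'Direct shell login not allowed.\n' >&2   # interactive login
    exit 1
fi
```

With this version "ssh foo@someserver rsync --version" still works, while "ssh foo@someserver 'rsync --version; id'" is refused because of the semicolon, and "rsyncx --version" is refused because the first word is not an exact match. Wildcards are expanded by the wrapper itself before the exec, so the post's .ssh/* test keeps working; a client that passes -s (--protect-args) lets rsync expand them instead. For the rsync-only case, rsync itself ships a restricted wrapper, rrsync, in its support directory, intended for use as an authorized_keys forced command.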
Feel free to comment or send me hints to improve this script. Thanks!