I have a feeling that might not be very robust if you're allowing sftp
or scp to anywhere a user normally has access to - a user could then
download their own authorized_keys file, edit it to give themselves
shell access, and then upload it.

Another option might be to use the Match option in OpenSSH 4.4.  I
haven't had a chance to play around with 4.4 yet, so please experiment
with this.  But, something like

Match User restricted-user
   ForceCommand /usr/libexec/sftp-server

The advantage here is, you do this once to /etc/sshd_config - the file
you're editing is not under a user's control, unlike their
authorized_keys file.

You'd probably need to add other options in there, disabling port
forwarding and such...

I have one concern with the above - the forced command is executed
with the user's shell, with the -c option.  If I'm not mistaken, this
will prevent bash from reading any scripts that could be under the
user's control.

But you'd have to carefully examine the man page for every shell in
/etc/shells, and ferret out ways a user might run commands.  Maybe
either remove shells from /etc/shells, or prevent users from changing
their shells altogether.

For example, on my OS X system, tcsh still runs the user's ~/.tcshrc,
even when run with a -c option.  Although I wasn't able to try it with
ssh & ForceCommand.

Perhaps someone else on the list has more complete knowledge of this?


On 11/14/06, Greg Bell <[EMAIL PROTECTED]> wrote:

ssh lets you restrict the command a user is allowed to run in the 
authorized_keys file.  mostly unknown feature but very
handy.  i have found this useful for allowing users to do just one or two 
things (eg. rsync a particular dir).

see http://www.hackinglinuxexposed.com/articles/20030109.html


Reply via email to