On Mon, Feb 17, 2014 at 02:21:45PM +0000, Richard Heasman wrote:
> Good afternoon,
>
> Firstly, thanks for your ongoing development and good work.
>
> I have a question that I would like to pose to you, as I have not found
> any satisfactory answer despite long research.
>
> Background:
> We use ssh keys to distribute code and run commands. These are
> appropriately controlled and logged. However I wish to stop
> users/administrators using these as a back-door to the other systems. I
> have configured the "notty" option on the authorised_keys file, yet this
> still does not prevent the following:
>
> ssh SERVER ksh
>
> This will not return a prompt but will allow commands to be run
> interactively.
>
> Do you have any recommendation / setting that would prevent this?

It seems you have to disallow the use of any command over ssh.
One way is to force the command via authorized_keys (see sshd(8))
into a trusted program, e.g. /bin/sh or /bin/ksh in restricted mode
and then limit that restricted shell's command set.

>
> Regards,
>
> Richard
> Registered Office: Inveralmond House 200 Dunkeld Road Perth PH1 3AQ
> Registered in Scotland No. SC117119
> www.sse.com

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
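An added example, not part of the original message and not OpenSSH's own code: a forced-command wrapper used as the "trusted program" in place of a restricted shell, so that `ssh SERVER ksh` is refused while the key can still run its intended jobs. The wrapper name `ssh-gate`, the request names and the `/opt/deploy` paths are hypothetical; the key line in the comment is constructed.

```shell
#!/bin/sh
# Hypothetical wrapper, assumed to be installed as /usr/local/bin/ssh-gate.
# Constructed authorized_keys entry that forces every login with this key
# through the wrapper (options as documented in sshd(8)):
#
#   command="/usr/local/bin/ssh-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...constructed... deploy@build
#
# sshd runs the forced command instead of what the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND.

# Map the requested string to a fixed program path.
# Whole-string match only: "ksh", "deploy-code; ksh" and an empty request
# (a plain login) all fall through to the reject branch.
gate_lookup() {
    case "$1" in
        "deploy-code")    echo "/opt/deploy/bin/deploy" ;;
        "service-status") echo "/opt/deploy/bin/status" ;;
        *)                return 1 ;;
    esac
}

gate_main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if target=$(gate_lookup "$req"); then
        # Record accepted requests; the request string is never evaluated.
        logger -t ssh-gate "allow user=$(id -un) req=$req"
        exec "$target"
    fi
    logger -t ssh-gate "deny user=$(id -un) req=$req"
    echo "ssh-gate: command not permitted" >&2
    return 1
}

# Act only when installed under the expected name, so the functions can be
# sourced or tested without side effects.
if [ "${0##*/}" = "ssh-gate" ]; then
    gate_main
    exit $?
fi
```

The wrapper and the `authorized_keys` file must not be writable by the account that holds the key, otherwise the restriction can simply be edited away.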

