Restrict SSH session to a single program only that's loaded at login?

Hi

I was wondering if it was possible to publish a single program via SSH. So say you wanted to have a user called log_man, and when they logged in via SSH all they got was 'tail -f /var/log/messages' and that's it. They wouldn't be able to quit to a shell; all they could do is log in via SSH and immediately get a running tail of the log file. If they tried to quit from tail to gain shell access, it would either give some sort of error message or just drop the SSH session.

Is there an easy way of doing this?

Many thanks
Scott
Asked by fourlightson

2 Solutions
ravenpl Commented:
Can you write a simple script like

# create the wrapper script (quoted EOF so nothing is expanded while writing it)
cat << 'EOF' > /usr/local/bin/messages-tail
#!/bin/bash

exec /usr/bin/tail -f /var/log/messages
EOF

# make it executable
chmod +x /usr/local/bin/messages-tail

# and change the user's shell to that script?
chsh -s /usr/local/bin/messages-tail [username]
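The login-shell method above, carried a step further as an added example (this is not code from the thread or from any of the commenters). It installs the wrapper with two details a practitioner would want: sshd invokes the account's shell as `shell -c "<command>"` whenever the client supplies a command (`ssh log_man@host bash`, scp, sftp), so the wrapper refuses any arguments instead of quietly ignoring them; and SIGTSTP is ignored before the exec so Ctrl-Z cannot leave a stopped tail and a hung session. The paths, the account name log_man and the Linux `chsh -s` form are assumptions for illustration; the installer must run as root on the target host.

```bash
#!/bin/bash
# Added example, not from the original thread: install a "tail only" login
# shell for an account such as log_man. Paths are assumptions for illustration.
# Run as root on the target host (chsh on another user's account needs it).
set -eu

# Write a restricted login shell to $1 that tails the log file $2.
# Both values are fixed here at install time by root; the generated script
# never takes the file name from its arguments or its environment, because a
# client can influence both (the ssh "command", AcceptEnv/PermitUserEnvironment).
install_tail_shell() {
    shell_path=$1
    log_path=$2
    cat > "$shell_path" <<EOF
#!/bin/bash
# Restricted login shell: the only thing this account can do is watch one log.
# Ignore SIGTSTP so Ctrl-Z cannot stop tail and leave the session hanging;
# SIG_IGN survives exec, so tail inherits it. Ctrl-C kills tail and ends
# the session, which is the intended way out.
trap '' TSTP
# When the client asks for a command ("ssh log_man@host bash", scp, sftp),
# sshd runs this shell as: messages-tail -c "<command>". Refuse with an
# error instead of running it.
if [ "\$#" -ne 0 ]; then
    echo "This account only provides a running tail of $log_path" >&2
    exit 1
fi
exec /usr/bin/tail -f "$log_path"
EOF
    chmod 0755 "$shell_path"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$shell_path"   # the account must not be able to edit its own shell
    fi
}

# Make the script the account's login shell. Root may set any path with chsh;
# listing it in /etc/shells (as the thread suggests) is only needed for
# non-root chsh and for services that consult /etc/shells.
set_login_shell() {
    chsh -s "$1" "$2"
}

# Typical use on the host, as root (uncomment to run):
# install_tail_shell /usr/local/bin/messages-tail /var/log/messages
# set_login_shell /usr/local/bin/messages-tail log_man
```

After installing, test from another machine with `ssh log_man@host bash` and `sftp log_man@host`: both must fail with the error message, and a plain `ssh log_man@host` must show only the log.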
Nopius Commented:
In addition to ravenpl's solution, you should also add the full path to your script to /etc/shells.

I know 2 more methods to perform the specified task. One is to create a
".ssh/rc" file in log_man's home directory (as 'root') and write something like:

/home/log_man/.ssh/rc:
--[cut]--
/usr/bin/tail -f blabla
exit
--[cut]--
Read 'man sshd', section "LOGIN PROCESS", for more info on this method.

The other way is to generate an RSA or DSA key, give it to the log_man user and don't tell him log_man's local password. Then in /home/log_man/.ssh/authorized_keys write this key and specify command="/usr/bin/tail -f filename" in that file.
Read "man sshd", section "AUTHORIZED_KEYS FILE FORMAT", for more info.
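The authorized_keys method from the comment above, written out as an added example (not code from the thread or its commenters). A bare `command="..."` option forces the command but still leaves port forwarding, agent forwarding, X11 forwarding and ~/.ssh/rc available to the key holder; the `restrict` option (OpenSSH 7.2 and later) turns all of those off in one word, and `pty` re-enables the terminal so Ctrl-C still reaches tail. The second function spells the same restrictions out for older sshd versions, and the third is the check to run on the account afterwards: any key that does not force a command gets the real login shell. The example key is constructed and is not real key material; the option names are those documented in sshd(8) "AUTHORIZED_KEYS FILE FORMAT".

```bash
#!/bin/bash
# Added example, not from the original thread: the authorized_keys form of the
# key-only method, plus a check that no key on the account is unrestricted.
# Option names follow sshd(8) "AUTHORIZED_KEYS FILE FORMAT".
set -eu

# Print an authorized_keys line that ties one public key to one command.
# "restrict" (OpenSSH 7.2+) turns off port/agent/X11 forwarding, pty
# allocation and ~/.ssh/rc in one word, so a forwarding option cannot be
# missed; "pty" re-enables the terminal so Ctrl-C still reaches tail.
# $1 = public key as written by ssh-keygen, $2 = the only command allowed.
restricted_key_line() {
    printf 'restrict,pty,command="%s" %s\n' "$2" "$1"
}

# Same effect for sshd older than 7.2, spelled out option by option.
# no-user-rc matters here: ~/.ssh/rc would otherwise run before the command.
restricted_key_line_legacy() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc,command="%s" %s\n' "$2" "$1"
}

# List entries in an authorized_keys file that do not force a command,
# skipping comments and blank lines. On an account like log_man every line
# must be restricted, so anything printed here is a finding: a key that
# would get the account's real login shell.
unrestricted_keys() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -v 'command="' || true
}

# Constructed example key for illustration (not real key material).
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealKeyMaterialAAAAAAAAAAAAAAA log_man@example'

# Typical use, as root on the host (uncomment to run):
# restricted_key_line "$(cat log_man.pub)" '/usr/bin/tail -f /var/log/messages' \
#     >> /home/log_man/.ssh/authorized_keys
# unrestricted_keys /home/log_man/.ssh/authorized_keys
```

As ravenpl notes below, a key option only applies to key authentication. If the account must keep a password, the same forcing can be done server-side in sshd_config with a `Match User log_man` block containing `ForceCommand /usr/bin/tail -f /var/log/messages`, which applies whatever authentication method was used.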
fourlightson (Author) Commented:
Many thanks.
ravenpl Commented:
Changing the shell is the only solution, if security is to be kept.
The key command is used only if key-based authentication is in place; it has no effect on password auth.
$HOME/.ssh/rc can be overridden by the user.
Nopius Commented:
ravenpl, hi.

All methods are equal from a security point of view. If the /home/log_man/.ssh/rc file is owned by root and log_man has no write access to it (which is the recommended configuration in 'man sshd'), the user can't change it.

The same with RSA. Even when password authentication is enabled together with RSA-based authentication, we may never disclose log_man's password to the user who should use this 'tail' command, but give him a key file to access the host, and it will be the only command he could use there.
Nopius Commented:
ravenpl, on one point you are right:
when we have not only 'ssh' access to the host but also 'telnet', the shell method would be the only possible one.
ravenpl Commented:
> If /home/log_man/.ssh/rc file is owned by root
They can still delete it, unless /home/log_man/.ssh/ is owned by root as well.

> we may never disclose log_man's password to the user
Or even disable the password; then it's OK.