Restrict SSH session to a single program only that's loaded at login?


I was wondering if it was possible to publish a single program via SSH. So say you wanted to have a user called log_man, and when they logged in via SSH all they got was 'tail -f /var/log/messages' and that's it. They weren't able to quit to a shell; all they were able to do was log in via SSH and immediately get a running tail of the log files. If they tried to quit from tail to gain shell access then it would either give some sort of error message or just drop the SSH session.

Is there an easy way of doing this?

many thanks

Can you write a simple script like

cat << EOF > /usr/local/bin/messages-tail
#!/bin/sh
exec /usr/bin/tail -f /var/log/messages
EOF

# make it executable
chmod +x /usr/local/bin/messages-tail

# and change the user's shell to that script?
chsh -s /usr/local/bin/messages-tail [username]
In addition to ravenpl's solution, you should also add the full path to your script to /etc/shells.

I know two more methods to perform the specified task. One is to create a
".ssh/rc" file in log_man's home directory (under 'root') and write something like:

/usr/bin/tail -f blabla
Read 'man sshd', section "LOGIN PROCESS", for more info on this method.

The other way is to generate an RSA or DSA key, give it to the log_man user and don't tell him log_man's local password. Then in /home/log_man/.ssh/authorized_keys write this key and specify command="/usr/bin/tail -f filename" in that file.
Read "man sshd", section "AUTHORIZED_KEYS FILE FORMAT", for more info.

fourlightson (Author) commented:
many thanks.

Changing the shell is the only solution if security is to be kept.
The key command is used only if key-based authentication is in place; it has no effect on password auth.
$HOME/.ssh/rc can be overridden by the user.
ravenpl, hi.

All methods are equal from a security point of view. If the /home/log_man/.ssh/rc file is owned by root and has no write access for log_man (which is the recommended configuration in 'man sshd'), the user can't change it.

The same with RSA. Even when password authentication is enabled together with RSA-based, we may never disclose log_man's password to the user who should use this 'tail' command, but give him a key file to access the host, and it will be the only command he could use there.
ravenpl, on some points you are right:
when we have not only 'ssh' access to the host but also 'telnet', the shell method would be the only one possible.
> If /home/log_man/.ssh/rc file is owned by root
still can delete it, unless /home/log_man/.ssh/ is owned by root as well.

> we may never disclose log_man's password to the user
or even disable the password, then it's OK.
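The three lock-down points argued over above (the wrapper as login shell and its /etc/shells entry, ~/.ssh and ~/.ssh/rc not being owned or writable by the restricted user, and every authorized key carrying a forced command=) are easy to get subtly wrong, so here is an added audit script that checks all of them for one account. It is an example written for this page, not code posted by any participant. It takes a root directory as its first argument so it can run against a constructed sandbox without root; the sandbox files, the user name log_man and the wrapper path /usr/local/bin/messages-tail are assumptions taken from the thread, and the key material is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit one "single-command" SSH account.
#   1. login shell in passwd is the wrapper and the wrapper is listed in /etc/shells
#   2. the wrapper, ~/.ssh and ~/.ssh/rc are neither owned nor writable by the user
#   3. every key in ~/.ssh/authorized_keys carries a forced command= option
# Paths are resolved under $ROOT so it runs on a sandbox; pass "/" on a live host.

# is_user_writable PATH USER -> 0 when USER owns PATH or PATH is group/other writable
is_user_writable() {
  entry=$(ls -ld "$1")
  owner=$(printf '%s\n' "$entry" | awk '{print $3}')
  mode=$(printf '%s\n' "$entry" | awk '{print $1}')   # e.g. -rwxr-xr-x
  [ "$owner" = "$2" ] && return 0
  case "$mode" in
    ?????w*|????????w*) return 0 ;;   # group (pos 6) or other (pos 9) write bit set
  esac
  return 1
}

# audit_login_shell ROOT USER WRAPPER -> 0 when the passwd shell is WRAPPER and WRAPPER is in /etc/shells
audit_login_shell() {
  sh_now=$(awk -F: -v u="$2" '$1==u {print $7}' "$1/etc/passwd")
  [ "$sh_now" = "$3" ] || { echo "FAIL: $2 login shell is '$sh_now', expected $3"; return 1; }
  grep -qxF "$3" "$1/etc/shells" || { echo "FAIL: $3 not listed in /etc/shells"; return 1; }
  echo "ok: $2 logs in to $3, which is listed in /etc/shells"
}

# audit_forced_command KEYFILE -> 0 when every key line has a command= option
audit_forced_command() {
  [ -f "$1" ] || { echo "FAIL: $1 missing"; return 1; }
  bad=$(awk '/^[ \t]*#/ || /^[ \t]*$/ {next} $0 !~ /(^|,)command="/ {n++} END {print n+0}' "$1")
  [ "$bad" -eq 0 ] || { echo "FAIL: $bad key(s) in $1 without a forced command="; return 1; }
  echo "ok: every key in $1 carries a forced command"
}

# audit_restricted_user ROOT USER WRAPPER -> 0 when all checks pass, else the number of failures
audit_restricted_user() {
  home="$1/home/$2"; fails=0
  audit_login_shell "$1" "$2" "$3" || fails=$((fails+1))
  for p in "$1$3" "$home/.ssh" "$home/.ssh/rc"; do
    [ -e "$p" ] || continue   # a missing ~/.ssh/rc is fine: nothing there to replace
    if is_user_writable "$p" "$2"; then
      echo "FAIL: $p is owned or writable by $2"; fails=$((fails+1))
    else
      echo "ok: $p is not writable by $2"
    fi
  done
  audit_forced_command "$home/.ssh/authorized_keys" || fails=$((fails+1))
  return $fails
}

# make_sandbox GOOD|BAD -> prints a constructed root directory (sample data, not a real host)
make_sandbox() {
  d=$(mktemp -d)
  mkdir -p "$d/etc" "$d/usr/local/bin" "$d/home/log_man/.ssh"
  printf '#!/bin/sh\nexec /usr/bin/tail -f /var/log/messages\n' > "$d/usr/local/bin/messages-tail"
  printf '/bin/sh\n/usr/local/bin/messages-tail\n' > "$d/etc/shells"
  printf 'root:x:0:0::/root:/bin/sh\nlog_man:x:1001:1001::/home/log_man:/usr/local/bin/messages-tail\n' > "$d/etc/passwd"
  # constructed placeholder key; the options are real sshd authorized_keys options
  printf 'command="/usr/bin/tail -f /var/log/messages",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3PLACEHOLDERKEYFORTHISEXAMPLE log_man\n' \
    > "$d/home/log_man/.ssh/authorized_keys"
  chmod 755 "$d/usr/local/bin/messages-tail" "$d/home/log_man/.ssh"
  if [ "$1" = BAD ]; then
    # a second key with no forced command, and a world-writable rc the user could replace
    printf 'ssh-ed25519 AAAAC3PLACEHOLDERKEYWITHOUTCOMMAND log_man\n' >> "$d/home/log_man/.ssh/authorized_keys"
    printf '/usr/bin/tail -f /var/log/messages\n' > "$d/home/log_man/.ssh/rc"
    chmod 777 "$d/home/log_man/.ssh/rc"
  fi
  echo "$d"
}

# stand-alone run: audit a good and a deliberately misconfigured sandbox
for kind in GOOD BAD; do
  echo "== $kind sandbox"
  audit_restricted_user "$(make_sandbox $kind)" log_man /usr/local/bin/messages-tail || echo "$? check(s) failed"
done
```

On a live host run it as root with "/" as the root directory, e.g. audit_restricted_user / log_man /usr/local/bin/messages-tail. The ownership check only asserts that the restricted user is not the owner and that no group/other write bit is set, which is what keeps ~/.ssh/rc from being deleted or replaced as ravenpl points out; it does not replace a review of sshd_config, and, as the thread also notes, the command= option restricts key-based logins only, so the account's password should be disabled as well.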