Limit Linux Login to execute ssh Only

Medium Priority
451 Views
Last Modified: 2012-05-11
I have sudo privilege on a Linux PC on the company WAN, which I will refer to herein as the "team PC". I would like to provide unlimited access to a handful of people to the team PC. All others logging in should be limited to only being able to execute the command ssh. This limitation enables users outside of my team to use the team PC as a means to access a group of PCs that are isolated from the WAN and interconnected on a private LAN. The team PC has eth0 connected to the WAN and eth1 connected to the LAN. How do I limit non-team users of the team PC to only being able to execute ssh and not use the system for any other purpose?

CERTIFIED EXPERT

Commented:
So you need them to ssh only to establish the tunnel, correct?
CERTIFIED EXPERT

Commented:
So basically you have to create a restricted user, say, limited

useradd -s /bin/limited  limited
passwd limited

Now create a shell script

vi /bin/limited

#!/bin/bash
# Restricted login shell assigned with useradd -s /bin/limited; the file
# must be executable (chmod 755 /bin/limited). It offers no commands at all:
# the user can only type quit (or press Ctrl-D) to end the session.

echo "Greetings!"
echo "Date and time : $(date)"

while :
do
   printf "Enter quit to exit : "
   read -r response || exit 0        # Ctrl-D (EOF) also ends the session
   if [[ "$response" == 'quit' ]]    # compare the variable, not the word "response"
   then
         exit
   fi
done


This would give a very limited access just to create ssh tunnels.

Author

Commented:
Seems like the script "limited" could be used by more than one user, which would be a good feature. The script as provided in your solution only addresses a request by the user to quit. I assume that an if statement processing an entry of "ssh" is inferred and that it should execute the ssh command for the user. This would require the logic to be able to handle a typical set of parameters to the ssh command that would be provided by the user. Any other response would essentially be a do-nothing entry by the user. Do I understand you correctly? I wonder if it is possible to embed the ssh command to a particular target PC on the LAN in the script and then once they terminate that ssh session log out the user?
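The restricted-shell idea from the answer above, carried through to what the question asks for: the shell's only action is an ssh session to one validated host on the private LAN, and the user is logged out when that session ends. This is an added example, not the expert's script; the LAN prefix 192.168.10. is an assumption, and the hostname check deliberately accepts a bare LAN address only so that no ssh options can be slipped into the command.

```bash
#!/bin/bash
# Restricted login shell for non-team users of the team PC. It offers one
# action only: an interactive ssh session to a host on the private LAN
# behind eth1; when that session ends, the user is logged out. Install as
# /bin/limited, chmod 755 it, and assign it with: useradd -s /bin/limited
LAN_PREFIX='192.168.10.'   # assumed eth1 LAN prefix; change to match yours

# Accept only a bare dotted-quad inside LAN_PREFIX with last octet 1-254:
# no user@, spaces or options, so a user cannot smuggle ssh flags such as
# -o ProxyCommand=... into the exec below.
allowed_target() {
    case "$1" in
        *[!0-9.]*) return 1 ;;     # anything but digits and dots
        "$LAN_PREFIX"[0-9]|"$LAN_PREFIX"[0-9][0-9]|"$LAN_PREFIX"[0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "${1##*.}" -ge 1 ] && [ "${1##*.}" -le 254 ]
}

limited_shell_main() {
    # sshd starts the login shell as "limited -c <cmd>" for `ssh teampc <cmd>`,
    # scp and the like; refuse that so only the interactive menu exists.
    if [ "$#" -ne 0 ]; then
        echo "This account only allows an interactive ssh to the LAN." >&2
        exit 1
    fi
    echo "Greetings! Date and time: $(date)"
    echo "Enter the LAN host to connect to, or quit to log out."
    while :; do
        printf 'host> '
        IFS= read -r target || exit 0           # Ctrl-D logs out too
        case "$target" in quit|exit) exit 0 ;; esac
        if allowed_target "$target"; then
            # exec replaces this shell, so the login ends when ssh does.
            # -F /dev/null ignores ~/.ssh/config; EscapeChar=none disables
            # the ~C/~. client escapes; PermitLocalCommand=no blocks
            # LocalCommand, which would run on the team PC itself.
            exec ssh -F /dev/null -o EscapeChar=none \
                     -o PermitLocalCommand=no "$target"
        fi
        echo "Not an allowed LAN host: $target" >&2
    done
}

# Start the menu only when running as the installed login shell, so the
# functions above can be sourced and checked without blocking on input.
case "${0##*/}" in
    limited) limited_shell_main "$@" ;;
esac
```

Because the script is the account's login shell and never hands the user a real shell, the team PC stays a stepping stone only; the same effect can also be had with a ForceCommand in sshd_config, but the script approach is the one this thread follows.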

Author

Commented:
Minor syntax error in script if statement. However, overall the solution is sound and fits the bill.
CERTIFIED EXPERT

Commented:
Glad it works for you.  Which syntax error are you talking about?  Would at least like to know.

Author

Commented:
I had to change if [[  response ...   with if [ [ $(response).  I am not proficient in scripting yet, so perhaps I missed something. I just had to put a bit more energy into the effort to utilize your solution. No problem there. You saved me so much time that you won't hear any complaints from me. Thanks again.