Limit Linux Login to execute ssh Only

I have sudo privilege on a Linux PC on the company WAN, which I will refer to herein as the "team PC". I would like to provide unlimited access to a handful of people to the team PC. All others logging in should be limited to only being able to execute the command ssh. This limitation enables users outside of my team to use the team PC as a means to access a group of PCs that are isolated from the WAN and interconnected on a private LAN. The team PC has eth0 connected to the WAN and eth1 connected to the LAN. How do I limit non-team users of the team PC to only being able to execute ssh and not use the system for any other purpose?

Asked by: bbrms

farzanj commented:
So you need them to ssh only to establish the tunnel, correct?

farzanj commented:
So basically you have to create a restricted user, say, limited

useradd -s /bin/limited  limited
passwd limited

Now create a shell script

vi /bin/limited

 
#!/bin/bash
# Restricted login shell: greets the user, then loops until "quit" is typed.

echo "Greetings!"
echo "Date and time : $(date)"

while :
do
   printf "Enter quit to exit : "
   # -r keeps backslashes literal; exit on EOF (Ctrl-D) so the session cannot hang
   read -r response || exit
   # Compare the variable's value ($response), not the literal word "response"
   if [[ $response == 'quit' ]]
   then
         exit
   fi
done

This would give a very limited access just to create ssh tunnels.

bbrms (author) commented:
Seems like the script "limited" could be used by more than one user, which would be a good feature. The script as provided in your solution only addresses a request by the user to quit. I assume that an if statement processing an entry of "ssh" is inferred and that it should execute the ssh command for the user. This would require the logic to be able to handle a typical set of parameters to the ssh command that would be provided by the user. Any other response would essentially be a do-nothing entry by the user. Do I understand you correctly? I wonder if it is possible to embed the ssh command to a particular target PC on the LAN in the script and then, once they terminate that ssh session, log out the user?

farzanj commented:
I am assuming, based on some question I answered previously though not related to you, that your users will have Windows desktop and would use PuTTY or similar software and would only want to ssh to establish ssh tunnels, so that they are able to use any other software utilizing those tunnels.

You can make the script do whatever in a controlled fashion.  If you notice, the -s option specifies the user's login shell.  So, to restrict the user, I am not giving any login shell to the user because that provides additional capabilities to the users.  So basically, I am providing a script instead of a shell.  Sure, feel free to add whatever you would like the users to have access to.  In one organization, I provided a menu of options and the users could use menus to do limited functions that they were authorized to.

Yes, it can be a common password and everyone can use this same account.
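
As an added example that is not part of this thread, here is a fuller version of the restricted login shell farzanj describes, addressing bbrms's question about embedding ssh to fixed LAN targets and logging the user out afterwards: it accepts only "ssh <user@host>" to an allowlisted LAN host, refuses non-interactive commands (scp, sftp, "ssh limited@teampc cmd"), logs each hop, and returns to the prompt when the ssh session ends. The allowlisted addresses are constructed; the script path /bin/limited is the one from the thread, and the script must be executable and listed in /etc/shells.

```shell
#!/bin/bash
# Hypothetical restricted login shell (added example, not from the thread).
# Install as /bin/limited (chmod 755, add to /etc/shells), then: useradd -s /bin/limited limited

# Constructed allowlist of hosts on the private LAN (eth1 side); assumption.
ALLOWED_HOSTS="10.0.1.10 10.0.1.11 10.0.1.12"

# validate_request "host" or "user@host": returns 0 only if the login name is plain
# (letters, digits, . _ -) and the host is on the allowlist; returns 1 otherwise.
validate_request() {
    local target="$1" user host h
    case "$target" in
        *@*) user="${target%%@*}"; host="${target#*@}" ;;
        *)   user="${USER:-limited}"; host="$target" ;;
    esac
    # First character must be alphanumeric: blocks "-o..." option smuggling into ssh.
    case "$user" in ""|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$host" in ""|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$host" ] && return 0
    done
    return 1
}

# The interactive loop runs only when invoked as the login shell "limited"
# (sshd/login pass $0 as "-limited" or "/bin/limited"), so the file can be sourced for testing.
case "$0" in
*limited)
    # scp, sftp and "ssh limited@teampc cmd" arrive as "-c cmd": refuse them.
    if [ "$1" = "-c" ]; then
        echo "Non-interactive commands are not permitted." >&2
        exit 1
    fi
    echo "Restricted shell: type 'ssh <user@host>' for a LAN host, or 'quit'."
    while :; do
        printf 'limited> '
        read -r cmd target extra || exit 0        # Ctrl-D ends the session
        case "$cmd" in
        quit|exit) exit 0 ;;
        ssh)
            if [ -z "$extra" ] && validate_request "$target"; then
                logger -t limited "${SSH_CLIENT%% *} -> $target"   # audit trail in syslog
                ssh -o PermitLocalCommand=no -- "$target"           # returns here on logout
            else
                echo "Refused. Allowed hosts: $ALLOWED_HOSTS" >&2
            fi ;;
        '') ;;
        *) echo "Only 'ssh <user@host>' and 'quit' are accepted." >&2 ;;
        esac
    done ;;
esac
```

Because only the hostname is passed to ssh, users cannot add -L/-R tunnel options or a remote command from this prompt; tunnels for Windows clients are still set up on the first hop with PuTTY against the team PC itself, as farzanj notes.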

bbrms (author) commented:
Minor syntax error in script if statement. However, overall the solution is sound and fits the bill.

farzanj commented:
Glad it works for you.  Which syntax error are you talking about?  Would at least like to know.

bbrms (author) commented:
I had to change if [[  response ...   with if [ [ $(response).  I am not proficient in scripting yet, so perhaps I missed something. I just had to put a bit more energy into the effort to utilize your solution. No problem there. You saved me so much time that you won't hear any complaints from me. Thanks again.