HowTo Disable execution of commands with ssh and scp/sftp

From: Dario Lesca (d.lesca_at_solinos.it)
Date: 03/23/04

    To: secureshell@securityfocus.com
    Date: Tue, 23 Mar 2004 10:10:35 +0100

    Hi, I am not subscribed to the ML, but I have a simple question; if I must
    subscribe to the ML to post, I will do it.

    My question:

    How to allow only the execution of one procedure via ssh and disable the
    execution of any other command and the scp/sftp service?

    OK; ssh user@host
    NO: ssh user@host cat /etc/passwd
    NO: scp user@host:/etc/passwd /tmp
    NO: sftp user@host

    I have found this solution; is it a bad solution or not?

    The target (for example) is to assign to a remote generic user the
    possibility to run a single command (setup, or another), and only that
    one!

    [root@igloo root]# cat /usr/local/bin/ssh.sh
    #!/bin/bash
    echo $0 $*
    export DISPLAY=
    exec /usr/bin/setup
    [root@igloo root]# chmod 755 /usr/local/bin/ssh.sh
    [root@igloo root]# useradd -s /usr/local/bin/ssh.sh sshuser
    [root@igloo root]# passwd sshuser

    Now test all the methods

    > >OK; ssh user@host
    [root@igloo root]# ssh sshuser@localhost
    sshuser@localhost's password:
    /usr/local/bin/ssh.sh
    You are attempting to run "setup" which requires administrative
    privileges, but more information is needed in order to do so.
    Password for root:<CTRL C>
    Connection to localhost closed.
    [root@igloo root]#

    OK, the command runs properly! ...
    ... via sudo I can then disable the password request ...

    Now test the other cases ... I do not want these to work ....

    > >NO: ssh user@host cat /etc/passwd
    [root@igloo root]# ssh sshuser@localhost cat /etc/passwd
    sshuser@localhost's password:
    /usr/local/bin/ssh.sh -c cat /etc/passwd
    [root@igloo root]#

    DOES NOT WORK! Good!

    > >NO: scp user@host:/etc/passwd .
    [root@igloo root]# scp sshuser@localhost:/etc/passwd .
    sshuser@localhost's password:
    /usr/local/bin/ssh.sh -c scp -f /etc/passwd
    [root@igloo root]# ls passwd
    ls: passwd: No such file or directory
    [root@igloo root]#

    DOES NOT WORK! Good!

    > >NO: sftp user@host
    [root@igloo root]# sftp sshuser@localhost
    Connecting to localhost...
    sshuser@localhost's password:
    Received message too long 796226418
    [root@igloo root]#

    DOES NOT WORK!

    That is all .... any suggestions?

    Many thanks for your attention.

    -- 
    Dario Lesca <d.lesca@solinos.it>
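As an added example (not Dario's script and not anything shipped with OpenSSH), here is a hardened version of the same login-shell wrapper: it accepts the `-c '<command>'` form that sshd uses for `ssh user@host cmd`, scp and sftp, runs only the one allowed program, and logs every request. The path /usr/local/bin/single-cmd.sh, the allowed program and the logger tag are assumptions.

```shell
#!/bin/sh
# single-cmd.sh: restricted login shell for a single-purpose SSH account.
# Install with e.g.  useradd -s /usr/local/bin/single-cmd.sh sshuser  (path assumed).
# sshd starts a login shell with no arguments for an interactive session, or as
# "<shell> -c '<command>'" for "ssh user@host <command>", scp (scp -f/-t) and
# the sftp subsystem, so the wrapper must decide based on those arguments.

ALLOWED_CMD="/usr/bin/setup"   # the one program this account may run (assumed)

# classify_request ARGS... -> prints "run" or "deny".
# No arguments (plain "ssh user@host") runs the allowed program; an explicit
# request is accepted only if it is exactly the allowed program, so
# "cat /etc/passwd", "scp -f /etc/passwd" and the sftp server are all denied.
classify_request() {
    if [ "$#" -eq 0 ]; then
        echo run
    elif [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$ALLOWED_CMD" ]; then
        echo run
    else
        echo deny
    fi
}

# log_request DECISION ARGS...: record the attempt via syslog when logger(1)
# exists, so denied commands become visible to monitoring.
log_request() {
    if command -v logger >/dev/null 2>&1; then
        logger -t single-cmd "user=$(id -un) decision=$1 args=$*"
    fi
    return 0
}

main() {
    decision=$(classify_request "$@")
    log_request "$decision" "$@"
    if [ "$decision" = "run" ]; then
        unset DISPLAY                  # same X11 reset as the original wrapper
        exec "$ALLOWED_CMD"
    fi
    echo "This account may only run $ALLOWED_CMD" >&2
    exit 1
}

# Only act as the login shell when executed under the installed name, so the
# functions can be sourced and tested without running the allowed program.
case "$0" in
    */single-cmd.sh|single-cmd.sh) main "$@" ;;
esac
```

Newer OpenSSH releases can enforce the same restriction in sshd itself with `ForceCommand` inside a `Match User sshuser` block of sshd_config (the client's original request is then available in SSH_ORIGINAL_COMMAND), which does not depend on the account's login shell at all.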