Re: forced-commands-only option for any user, not just root
- From: Sensei <senseiwa@xxxxxxx>
- Date: Thu, 22 Jun 2006 19:49:41 +0200
On 2006-06-22 14:36:49 +0200, gbeckowski@xxxxxxxxx said:
> Hi,
>
> Our environment:
> AIX v5.2 and v5.3
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060bf
>
> We have a set of usernames on the hosts that we want to NOT have
> interactive access. These are accounts that are not unique to an
> individual person, we refer to them as group accounts. Our auditors
> require that interactive access be restricted to the individual
> accounts only and that su to the group account is fine since it
> provides an audit trail. These group accounts are used to run some
> scripts and a trust relationship between a number of unix boxes is
> allowed, meaning the group account is allowed to do 'ssh remote-host
> command'.
>
> Looks like an option for root (PermitRootLogin set to
> forced-commands-only) is the functionality we need but for these
> non-root accounts.
>
> Anyone know if there is something in sshd_config to get the same
> functionality? Or has anyone faced a similar set of requirements and
> how did you address it?

In sshd no, but you can use something a la restricted shell.
--
Sensei <senseiwa@xxxxxxx>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]
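
One way to build the "something a la restricted shell" suggested in the reply, as an added example that is not part of either poster's message: a wrapper set as the group account's login shell that refuses any session started without `-c` and runs only exactly allowlisted command lines. The install name `groupsh`, the script paths and the allowlist contents are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper installed as the group account's login shell
# (assumed path /usr/local/bin/groupsh). sshd starts the login shell as
# "<shell> -c '<command>'" for "ssh host command" and with no arguments
# for an interactive session.

# Constructed allowlist: one exact command line per line.
ALLOWED_COMMANDS='/usr/local/bin/nightly_sync.sh
/usr/local/bin/rotate_logs.sh --compress'

# Print "allow" or "deny:<reason>" for the argument list the shell received.
check_request() {
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ] || [ -z "$2" ]; then
        echo "deny:no-command"
        return 0
    fi
    # Whole-line string comparison: no globbing, no prefix match, and a
    # request with embedded newlines can never equal a single entry.
    while IFS= read -r entry; do
        if [ "$entry" = "$2" ]; then
            echo "allow"
            return 0
        fi
    done <<EOF
$ALLOWED_COMMANDS
EOF
    echo "deny:not-allowlisted"
}

main() {
    verdict=$(check_request "$@")
    if [ "$verdict" = "allow" ]; then
        exec /bin/sh -c "$2"
    fi
    # Leave an audit record of the refused attempt, then drop the session.
    logger -t groupsh -p auth.notice \
        "refused ($verdict) user=$(id -un) from=${SSH_CLIENT:-local}"
    echo "This account only runs approved commands." >&2
    exit 1
}

# Act as the shell only when invoked under the install name, so the file
# can also be sourced to exercise check_request.
case "${0##*/}" in
    groupsh) main "$@" ;;
esac
```

Because the wrapper is the account's login shell, `su` to the group account passes through the same check, so an interactive `su` is refused as well unless the wrapper is extended to permit it.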