# Limiting commands available to users via SSH

## pachanga

Folks, how do i properly limit commands available to users via SSH? Say, i'd like them only to execute svn command and nothing else. I tried googling but found nothing helpful...

Thanks in advance.

----------

## daywalkerNT

try looking into PAM (Pluggable Authentication Module), quite extensive, should be already installed (/etc/pam.d)

another way (without delving deeeeeep into PAM) would be to play around with a user's permissions  :Smile: 

ie. you don't want users other than root to access /usr/sbin

block off access

----------

## pachanga

 *daywalkerNT wrote:*   

> another way (without delving deeeeeep into PAM) would be to play around with a user's permissions
> ...

 

I think in this case i'll have to change permissions of all system important executables (rm, mv, cp, mysql, etc.) and this is really tedious IMHO... Furthermore i'll have to do it every time i emerge some system critical package, e.g. mysql  :Sad: 

Is this PAM thing so complicated?

----------

## daywalkerNT

No I can't say it's complicated, it's definitely worth taking a look at.

here's something neat, for a user (excluding root) to `su` , they'd have to be part of the "wheel" group.

true, making all the permission changes to the dir's that you want to protect can be tedious... as a spare project, you could create a mini shell script.

if you `echo $PATH`

```
/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/i386-pc-linux-gnu/gcc-bin/3.3.5-20050130:/usr/qt/3/bin:/usr/kde/3.4/bin
```

for the user, you can pick a dir. and test with:

 - PAM

 - permissions

even without playing around yet, common users have a few restrictions to begin with

```
common_user@server /etc/pam.d $ cat groupadd
cat: groupadd: Permission denied
common_user@server /etc/ssh $ more sshd_config
sshd_config: Permission denied
common_user@server /etc/ssh $
```

----------

## Janne Pikkarainen

I wouldn't take the PAM/chmod route, it's too much work and it's too much to miss or mess something.

Instead I would install some kind of shell wrapper and put that as shell for those accounts who need to be restricted. A shell wrapper could validate every command passed to it and if it's not an allowed command, it would be rejected. Kind of a "shell firewall".  :Smile: 

I don't know if there are any shell wrappers in Portage, but try to Google for "ssh restricted shell wrapper", that should do it. And don't pick the first one, try to look for something that looks reliable... there have been ways to bypass shell wrappers in the past.

Maybe pam_chroot (and ssh with chroot patch) would be a good addition, too.

----------
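The "shell firewall" described in the post above, sketched as an added example (not part of the original thread and not any poster's code). It assumes the script is installed as the restricted account's login shell, that the only permitted request is `svnserve -t` (what an svn+ssh client asks the server to run), and that the binary lives at `/usr/bin/svnserve`; the names `ALLOWED`, `ALLOWED_ARGS` and `validate` are illustrative.

```python
#!/usr/bin/env python3
"""Restricted login shell: permits only allow-listed commands over SSH."""
import os
import shlex
import sys

# Assumption: the one permitted program and its absolute path on this host.
ALLOWED = {"svnserve": "/usr/bin/svnserve"}
# Assumption: the exact argument lists each permitted program may receive.
ALLOWED_ARGS = {"svnserve": {("-t",)}}


def validate(command_line):
    """Return the argv to execute, or None if the request must be rejected."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes
        return None
    if not argv:
        return None
    name = argv[0]
    # Only bare allow-listed names: "./svnserve" or "/tmp/svnserve" are refused.
    if name not in ALLOWED:
        return None
    # Exact match on the arguments, so trailing "; rm ..." or "&& id" fails here.
    if tuple(argv[1:]) not in ALLOWED_ARGS[name]:
        return None
    return [ALLOWED[name]] + argv[1:]


def main(args):
    # sshd starts the account's shell as: <shell> -c "<command sent by client>"
    if len(args) != 2 or args[0] != "-c":
        sys.stderr.write("interactive logins are disabled\n")
        return 1
    argv = validate(args[1])
    if argv is None:
        sys.stderr.write("command not permitted\n")
        return 1
    # Execute directly with a fixed environment; no shell ever parses the request.
    os.execve(argv[0], argv, {"PATH": "/usr/bin:/bin"})


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A login-shell wrapper only governs command execution; port forwarding is handled by sshd itself and has to be restricted in its configuration.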

## daywalkerNT

That's a neat idea actually

----------

## pachanga

 *Janne Pikkarainen wrote:*   

> I don't know if there are any shell wrappers in Portage, but try to Google for "ssh restricted shell wrapper", that should do it. And don't pick the first one, try to look for something that looks reliable... there have been ways to bypass shell wrappers in the past.

 

Thank you so much, i'll start googling at once  :Smile: 

----------

## pachanga

I googled around a bit and didn't find the wrapper which would suit me exactly  :Sad: 

I'm such a security noobie...and i would appreciate any more detailed information regarding the ssh wrapper.

----------

## Esel Theo

Though I don't use it myself and don't have any experience, app-shells/rssh seems to do what you are looking for.

----------

## pachanga

 *Esel Theo wrote:*   

> Though I don't use it myself and don't have any experience, app-shells/rssh seems to do what you are looking for.

 

Hmm...i'll have another look at it because i thought it only allowed very limited set of commands...

----------

## abaelinor

no

Last edited by abaelinor on Mon Sep 15, 2008 2:30 pm; edited 1 time in total

----------

## pachanga

 *djlosch wrote:*   

> i dunno if it helps, but look into the scponly project.  it's an actual shell that chroots a user into a jail that only has scp file transfer functions in it.

 

Thanks i'll give it a try and report later about results...

----------

## Kazaza

 *pachanga wrote:*   

> Thanks i'll give it a try and report later about results...

 

Did you find out if it was usable, as i'm looking for the same thing... ?

----------

## pachanga

 *Kazaza wrote:*   

> Did you find out if it was usable, as i'm looking for the same thing... ?

 

Well i wanted to limit users so that they would be able to run only svn specific commands. And it turned out that using Apache2 with WebDAV enabled is much more suitable for this task. Back to your question, no i didn't try it but found several nice links which may be useful to you:

http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html

http://gentoo-wiki.com/HOWTO_Jail

http://gentoo-wiki.com/HOWTO_chroot_login

http://gentoo-wiki.com/HOWTO_JailKit

----------

## Kazaza

Thanks... the ones from gentoo-wiki I have already seen, but I haven't got any of them to work really as I want them to do... the link to jailkit I have to check out... in case I missed something when I tried to set it up...... thanks again...

----------

