I have a feeling that might not be very robust if you're allowing sftp
or scp to anywhere a user normally has access to - a user could then
download their own authorized_keys file, edit it to give themselves
shell access, and then upload it.
Another option might be to use the Match option in OpenSSH 4.4. I
haven't had a chance to play around with 4.4 yet, so please experiment
with this. But, something like
Match User restricted-user
ForceCommand /usr/libexec/sftp-server
The advantage here is, you do this once to /etc/sshd_config - the file
you're editing is not under a user's control, unlike their
authorized_keys file.
You'd probably need to add other options in there, disabling port
forwarding and such...
I have one concern with the above - the forced command is executed
with the user's shell, with the -c option. If I'm not mistaken, this
will prevent bash from reading any scripts that could be under the
user's control.
But you'd have to carefully examine the man page for every shell in
/etc/shells, and ferret out ways a user might run commands. Maybe
either remove shells from /etc/shells, or prevent users from changing
their shells altogether.
For example, on my OS X system, tcsh still runs the user's ~/.tcshrc,
even when run with a -c option. Although I wasn't able to try it with
ssh & ForceCommand.
Perhaps someone else on the list has more complete knowledge of this?
Regards
Mark
On 11/14/06, Greg Bell <gbell@cisra.canon.com.au> wrote:
ssh lets you restrict the command a user is allowed to run in the
authorized_keys file. mostly unknown feature but very
handy. i have found this useful for allowing users to do just one or two
things (eg. rsync a particular dir).
see http://www.hackinglinuxexposed.com/articles/20030109.html
~gb
