Portal Home > Knowledgebase > Articles Database > Limiting ssh access
Limiting ssh access
| Posted by captain_squash, 08-16-2011, 08:45 PM |
| I was just wondering if would be possible to setup a user account for CentOS (ssh) where the user would only be allowed to run top to keep an eye on processes and kill any that were using too many resources.
I wouldn't want this user to browse anywhere on the server or be able to run any other commands or only just basic commands.
Any help would be great, thanks!
|
| Posted by 8088, 08-16-2011, 08:50 PM |
| Searching for 'chroot ssh' or 'jail ssh' will point you in the right direction.
|
| Posted by Ronald_Craft, 08-16-2011, 09:13 PM |
| Give this a whirl: http://www.cyberciti.biz/tips/howto-...ail-setup.html
The instructions are a few years old, but I don't see anything in there that wouldn't work by today's standards.
|
| Posted by fireboltz, 08-17-2011, 05:27 AM |
| Its sometimes necessary to limit who has access to a server via SSH. Most Linux security hardening checklist today require this to be enforced.
Fortunately this can be easily done with openSSH. Just edit the /etc/ssh/sshd_config file and add the desired directives shown below. You dont need them all, just use what suits you needs.
openSSH provides 4 directives, AllowUsers, AllowGroups, DenyUsers and DenyGroups
Only users buddy, john and doe will be able to log in via ssh.
Only users within groups sysadmin and bkpadmin will be able to log in via ssh.
This is the opposite of AllowUsers. All users except for rambo and tina will be able to log in via ssh.
This is the opposite of AllowGroups. All groups except for hr and payroll will be able to log in via ssh
|
| Posted by wartungsfenster, 08-17-2011, 06:04 AM |
| basic commands" will almost always go wrong...
for allowing only top and killing processes, this is doable -
you'd make a shell script that is run as the users' shell.
First, this should script should use "trap" to disable any special keys like ctrl-c.
Second, it would be running in an endless loop presenting a menu that allows the user to select either top or killing a process.
Third, when you read that selection you need to sanitize this input so that he can't inject any commands.
example:
what process id do you want to kill?
$(/usr/bin/chsh) apache
That way he could escape to run some stuff when you think he's just killing a process. If you only allow numbers to be entered, then it should be possible to avoid this.
Alternatively, only give him a list of process names to pick from.
Last, only give the user read+exec permission on the script and the home directory (that might be tricky)
Otherwise, the user can still use scp / sftp to mess around
Footnote:
There are also so-called "restricted shells" available, where you can allow/disallow commands.
as far as I know they all don't work
If you need it really secure, SELinux might be a better choice.
|
| Posted by Ada G, 08-18-2011, 02:33 AM |
| If you have cPanel/WHM you can set the account to JailShelled and that would limit their SSH access.
|
| Posted by amaziah, 08-18-2011, 11:13 AM |
| Make that user a sudo user and give permissions to execute only the command top or other commands that you want to allow. This link will help you in creating a sudo user
|
| Posted by eth00, 08-18-2011, 01:18 PM |
| Unless you want to design some fancy script that may not be completely secure your best bet would be using sudo. I would suggest just going with sudo.
|
| Posted by wartungsfenster, 08-18-2011, 02:37 PM |
| how do you make the user only use sudo?
he has to be able to log in to call sudo and when he can log in he can already run top/kill (plus all the stuff he's supposed to not be able to run)
Is there some sudo-shell-wrapper that does that?
|
| Posted by eth00, 08-19-2011, 09:18 AM |
| Fair enough, didn't fully think that idea through. Yes they would need UID0 powers in order to kill the PID by another user.
|
| Posted by brianoz, 08-20-2011, 09:25 AM |
| sudo is the right way to do it, unless I've missed something on a cursory read - just use the sudoers file to only allow them to run a script that does the killing safely.
|
Add to Favourites 
Print this Article
Also Read
