Difference between revisions of "Restricting SSH access to a given command"
Revision as of 10:22, 11 April 2015
Restricting SSH access to a given command
Sometimes it is desirable to restrict a user's SSH access to a single command. For file transfer, access to a server can be limited to one folder using Chrooting sftp users to home directory with openSSH. In other cases, such as version control with svn, git or bzr over SSH where the repository is not in the user's home directory, a different configuration is required.
For bazaar one can use the following configuration in /etc/ssh/sshd_config:
Match User <user-name>
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no
    Banner "Only bzr access is allowed"
    ForceCommand bzr serve --inet --directory=/var/www/vlead-ras --allow-writes
The steps for bazaar were learned from http://thias.marmotte.net/2009/05/creating-a-restricted-bzrssh-smart-server/
For svn one can use the following configuration in /etc/ssh/sshd_config:
Match User <user-name>
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no
    Banner "Only svn access is allowed"
    ForceCommand svnserve -t
For git one can use the following configuration in /etc/ssh/sshd_config:
Match User saurabh
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no
    Banner "Only git access is allowed"
    ForceCommand perl -e 'exec qw(git-shell -c), $ENV{SSH_ORIGINAL_COMMAND}'
For git one can also assign git-shell as the user's login shell, as described in its man page or at http://stackoverflow.com/questions/5871652/running-a-secure-git-server-over-ssh-without-gitosis-gitolite
The git and subversion methods were learned from http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/
Another, more extreme, way of disabling SSH for everyone except root is:
PermitTunnel no
Match User *,!root
    ForceCommand perl -e 'exec qw(git-shell -c), $ENV{SSH_ORIGINAL_COMMAND}'
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    GatewayPorts no
    Banner "Only git access is allowed"
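The perl one-liner above hands whatever the client sent in SSH_ORIGINAL_COMMAND to git-shell. As an added example (not from this page or from git), the wrapper below is a hypothetical ForceCommand script that allowlists only the two git pack commands and a plain repository name under an assumed base directory /srv/git, refusing and logging everything else; the script path /usr/local/bin/git-only.sh and GIT_BASE are assumptions.

```shell
#!/bin/sh
# Hypothetical ForceCommand wrapper (added example, not from the page):
# accept only git pack commands for repositories under one base directory.
# Assumed sshd_config setting:  ForceCommand /usr/local/bin/git-only.sh
# Match blocks must stay at the end of sshd_config: every directive that
# follows a Match line belongs to that block.
GIT_BASE="${GIT_BASE:-/srv/git}"   # assumed repository root

# Validate one SSH_ORIGINAL_COMMAND string. On success print
# "<verb> <absolute repo path>" and return 0; otherwise return 1.
check_ssh_command() {
    verb=${1%% *}
    rest=${1#"$verb"}
    rest=${rest#" "}
    case "$verb" in
        git-upload-pack|git-receive-pack) ;;
        *) return 1 ;;
    esac
    # git clients send the path single-quoted: git-upload-pack 'proj.git'
    case "$rest" in
        \'*\') repo=${rest#\'}; repo=${repo%\'} ;;
        *) return 1 ;;
    esac
    # Plain repository name only: no slashes, dot segments or shell metas.
    case "$repo" in
        ""|*/*|*..*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s %s\n' "$verb" "$GIT_BASE/$repo"
}

# Run the validated command, or log the attempt and refuse. Only invoked
# when this file is executed as the installed script, so it can be sourced.
run_forced_command() {
    target=$(check_ssh_command "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t git-only "rejected user=${USER:-?} from=${SSH_CLIENT:-?}: ${SSH_ORIGINAL_COMMAND:-<none>}"
        printf 'Only git access is allowed\n' >&2
        exit 1
    }
    exec "${target%% *}" "${target#* }"
}

case "$0" in
    */git-only.sh|git-only.sh) run_forced_command ;;
esac
```

Unlike git-shell, which accepts any path the client names, this wrapper pins every repository to GIT_BASE, so a client cannot reach other directories on the server.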
The steps at http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ show how to restrict access to rsync for a given directory with selected switches/options.