Restricting SSH access to a given command

From Notes_Wiki

Home > CentOS > CentOS 6.x > OpenSSH server configuration > Restricting SSH access to a given command

Sometimes it is desired to restrict SSH access for a user only to a specific command. In case of file transfer the access to a server can be restricted to a folder using Chrooting sftp users to home directory with openSSH. But in other cases such as version-control using svn, git or bzr over SSH where the repository is not in users home directory, a different configuraiton is required.

For bazaar one can use following configuration in /etc/ssh/sshd_config:

Match User <user-name>
        X11Forwarding no
        AllowTcpForwarding no
	AllowAgentForwarding no
	PermitTunnel no
	GatewayPorts no
	Banner "Only bzr access is allowed"
        ForceCommand bzr serve --inet --directory=/var/www/vlead-ras --allow-writes

Steps for bazaar have been learned from http://thias.marmotte.net/2009/05/creating-a-restricted-bzrssh-smart-server/


For svn one can use following configuration in /etc/ssh/sshd_config

Match User <user-name>
        X11Forwarding no
        AllowTcpForwarding no
	AllowAgentForwarding no
	PermitTunnel no
	GatewayPorts no
	Banner "Only svn access is allowed"
        ForceCommand svnserve -t


For git one can use following configuration in /etc/ssh/sshd_config

Match User saurabh
        X11Forwarding no
        AllowTcpForwarding no
	AllowAgentForwarding no
	PermitTunnel no
	GatewayPorts no
	Banner "Only git access is allowed"
        ForceCommand perl -e 'exec qw(git-shell -c), $ENV{SSH_ORIGINAL_COMMAND}'

For git one can also assign "git shell" as login shell as specified in man page or at http://stackoverflow.com/questions/5871652/running-a-secure-git-server-over-ssh-without-gitosis-gitolite


git and subversion methods have been learned from http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/

Other extreme way of disabling SSH from everyone except root is:

PermitTunnel no

Match User *,!root
  ForceCommand perl -e 'exec qw(git-shell -c), $ENV{SSH_ORIGINAL_COMMAND}'
  X11Forwarding no
  AllowTcpForwarding no
  AllowAgentForwarding no
  GatewayPorts no
  Banner "Only git access is allowed"


Steps at http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ show how to restrict access to rsync for a given directory with selected switches/options.


Home > CentOS > CentOS 6.x > OpenSSH server configuration > Restricting SSH access to a given command