[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Limiting ssh usage on remote machine.
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Limiting ssh usage on remote machine.
- From: Chuck Yerkes <chuck+obsd_(_at_)_2003_(_dot_)_snew_(_dot_)_com>
- Date: Wed, 10 Dec 2003 14:54:23 -0500
The archives for the OpenSSH list are 95% spam, so I disbelieve
that it's useful. So I'm here.
Okay, I've fought trying to get Solaris 9 ssh (openssh for all
intents and porpoises) to talk to f-secure ssh. Going openssh
all the way until I get caught:
The challenge: push files to 4 remote machines, then run "su - auser -c make"
The chosen solution: rdist (alternative suggestions welcome, bleeding
edge experiments not so welcome.)
The person (actually process) on the "core" machine will run
edit files, then run "make"
This make will trigger the rdist to push out the files
and run the make on the remote side.
No passwords will be given (the process doing it will have been
authenticated already). Passwordless keys are dangerous if
they get around, but if I could restrict it to "this key, from
this host only", then that would be fine.
1) Because of this, the ssh from "core" to "remote" must happen without
passwords and should happen with keys.
I've done this before, I've got little recollection of what recipe I
2) The tricky part, that f-secure can apparently do, but I haven't
succeeded, is to have the user when it ssh's to the remote machine
be captured and only allow a couple programs to run.
What I want to avoid is a person on the core machine doing an
ssh to the remote machine and getting a shell and hanging out.
Since the "user" needn't own the home dir, I can use a .profile
that captures the user some (if interactive then bail), but
I'm wondering if openssh has a (new since I pored through the docs)
feature that might say "you can run THESE 4 programs only".
So ssh access from one (specific) machine to another without interaction.
Restricting what the account can do once "on" that machine.