View Full Version : Restrict user to ssh
7th April 2011, 09:42 AM
I m new with Fedora 14, and i have a basic business case :
I want to setup a user which should
- only connect to the server with SSH (ex.: no X11 connection).
- cannot change its shell
- cannot do any SU / SUDO command
This user is very similar to a SERVICE user, as I expect him only to run a single program (its shell).
7th April 2011, 10:53 AM
Google for 'chroot jail howto' and read the first few links:
http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ <- Quick setup
http://www.kegel.com/crosstool/current/doc/chroot-login-howto.html <- Some background
http://www.unixwiz.net/techtips/chroot-practices.html <- How to avoid escaping the chroot jail
7th April 2011, 09:37 PM
useradd -Z guest_u myrestrictednonsuidsgidsshonlyuser
7th April 2011, 09:55 PM
You do realize there are ways to make ssh forward the X protocol even if you disable the built in X forwarding. It is a bit of a pain, but possible. One thing of note is that it is similar to sshfs...
and changing your shell is as simple as an exec.
So unless you are going to write your own shell for the user, or go through the more elaborate jail (where the user cannot execute anything), you may be in for a bit of difficulty.
One thing you might also try is to mount his home directory noexec,nosuid,nosgid.
7th April 2011, 10:14 PM
A user under the users group is pretyy much there do to selinux.
7th April 2011, 10:35 PM
Might be simpler to just put the user in his own label, without the ability to transition to anything else...
8th April 2011, 08:08 AM
sesearch -A -SC -s guest_t -T | grep type_transition | grep process
type_transition guest_t passwd_exec_t : process passwd_t;
type_transition guest_t chfn_exec_t : process chfn_t;
type_transition guest_t loadkeys_exec_t : process loadkeys_t;
Thats pretty much all guest can domain transition to:
passwd_t domain to change its password
chfn_t domain to change finder information
loadkeys_t domain to load keyboard mappings
But you could create a similar domain without access to those aswell.
Remember SELinux is a framework, the policy is what you make it.
24th April 2011, 12:41 PM
Setting the shell to a restricted shell will help somewhat.
vBulletin® v3.8.7, Copyright ©2000-2013, vBulletin Solutions, Inc.