How to restrict shell access?
October 19, 2006 8:42 AM Subscribe
SSHFilter: How to restrict commands available to users who connect to a Linux box for file transfer, presumably via SSH?
posted by adipocere to computers & internet (13 answers total) 2 users marked this as a favorite
I am in the process of moving our minor (less than 100 sites) hosting from a Windows box to a Linux (Red Hat Enterprise Linux 4) box. I'm decent with Windows and had the system fairly well locked-down, with each user sandboxed to their own little portion of the disk. I'm sure the limited number of commands available to FTP users had something to do with the lack of cracking I experienced.
However, as we move from
ftp, with its insecure cleartext password transmission, to
ssh, I have a few concerns about my less-than-trustworthy users. They are less than conscientious and are certainly not security-minded. I've seen professional web development companies ask me for world-writable, world-executable directories without batting an eye; these users act as if it's their own personal Linux box and if they have to hose it and start over every so often, who cares? No, they cannot be turned away. Yes, everyone will sign a security policy, but then will completely ignore it.
1) I want users, as they connect, to land in their portion of the directory tree (that is, their website), and to be locked down into their little directories, without a way to
cd out of their portion of the directory tree, or even look at files elsewhere.
2) I know that the graphical SSH clients are basically drag-and-drop for files (although at least one I know of has
chmod built-in, but they are still executing the equivalent of a handful of commands. How do I lock users down to a handful of commands? If they
ssh in to a shell? I cannot really trust them with
chgrp. I'd rather just consider what commands I should allow, rather than looking for a list of things to deny. I wouldn't mind them using
passwd, but outside of that and a small group of other commands ...
3) I have to structure this around groups - there can be up to four people working on a single site, although a typical user is solo.
4) To make matters even worse, some users I will probably have to elevate to positions of greater trust, allowing them access to a broader range of commands, to
mysql, and so forth.
5) Password transmission must be encrypted.
rrsh looks interesting, but also experimental, so I am not sure I can "sell" this idea. Or should I use some kind of secure FTP server like
vsftpd and only grant
ssh to a handful of trusted users?
Has anyone else done this in what's a hostile environment? What are the pros and cons of your approach? Note: I'm a complete Linux n00b. While I can find a lot of different things in Google, I seem to be getting a great deal of opinions without the reasoning behind it, which makes it difficult to understand why people choose one thing over another.