On Tue, Apr 29, 2003 at 09:42:29PM -0400, Werner Puschitz wrote:
>
> On Tue, 29 Apr 2003, Ed Wilts wrote:
>
> > I've got a weird problem I'm trying to solve on HP-UX 11.00. One of the
> > ways we've thought it could be solved is if we can restrict ssh to allow
> > only a pre-defined set of users in. Can we restrict which users can use
> > ssh and which can't? For the rest of the users, we're using a
> > restricted shell with telnet, but with ssh, we haven't found a way to
> > prevent ssh from allowing a shell command (e.g. ssh <host> ls -l) and
> > forcing the user to only go through the menu.
>
> For OpenSSH you can specify a forced command in the ~/.ssh/authorized_keys2
> file. For example, if a script should be executed each time someone
> does ssh to user@xxxx, the ~/.ssh/authorized_keys2 might look like:
> command="your_script" ssh-dss AAAAB3Nza... OpenSSH key
Thanks for the pointers Werner. We did finally find a solution.
sshd_config does have an AllowGroups parameter that can restrict who can
use the service and who can't. This seems to do the job, at least
according to the docs.
> For example, to allow people to copy a specific file from a server
> without giving them ssh login or scp, add the following line to
> ~/.ssh/authorized_keys2 on your server:
> command="/bin/cat ~/FileName" ssh-dss AAAAB3Nza... OpenSSH key
>
> On the client node, the user can retrieve this file by running:
> ssh user@xxxxxx > FileName
I didn't know about this, and I can see where this might be useful in
certain cases.
Thanks again,
.../Ed
--
Ed Wilts, Mounds View, MN, USA
mailto:ewilts@xxxxxxxxxx
Member #1, Red Hat Community Ambassador Program
_______________________________________________
Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list
