On Thu, 1 May 2003, Ed Wilts wrote:

> On Tue, Apr 29, 2003 at 09:42:29PM -0400, Werner Puschitz wrote:
> > On Tue, 29 Apr 2003, Ed Wilts wrote:
> > > I've got a weird problem I'm trying to solve on HP-UX 11.00. One of the
> > > ways we've thought it could be solved is if we can restrict ssh to allow
> > > only a pre-defined set of users in. Can we restrict which users can use
> > > ssh and which can't? For the rest of the users, we're using a
> > > restricted shell with telnet, but with ssh, we haven't found a way to
> > > prevent ssh from allowing a shell command (e.g. ssh <host> ls -l) and
> > > forcing the user to only go through the menu.
> >
> > For OpenSSH you can specify a forced command in the ~/.ssh/authorized_keys2
> > file. For example, if a script should be executed each time someone
> > does ssh to user@xxxx, the ~/.ssh/authorized_keys2 might look like:
> >
> > command="your_script" ssh-dss AAAAB3Nza... OpenSSH key
>
> Thanks for the pointers Werner. We did finally find a solution.
> sshd_config does have an AllowGroups parameter that can restrict who can
> use the service and who can't. This seems to do the job, at least
> according to the docs.
>
> > For example, to allow people to copy a specific file from a server
> > without giving them ssh login or scp, add the following line to
> > ~/.ssh/authorized_keys2 on your server:
> >
> > command="/bin/cat ~/FileName" ssh-dss AAAAB3Nza... OpenSSH key
> >
> > On the client node, the user can retrieve this file by running:
> >
> > ssh user@xxxxxx > FileName
>
> I didn't know about this, and I can see where this might be useful in
> certain cases.

You can also check for passed ssh commands. The daemon reads the command
string that was sent by the client into the SSH_ORIGINAL_COMMAND environment
variable. For example, try to print the SSH_ORIGINAL_COMMAND variable:

YourServer:~/.ssh/authorized_keys2:
command="/bin/echo $SSH_ORIGINAL_COMMAND" ssh-dss AAAAB3Nza... OpenSSH key

So you can force a script to be executed, and in the script you can check
the $SSH_ORIGINAL_COMMAND variable.

Werner

_______________________________________________
Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list
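An added example, not from the thread, of the check Werner describes: a forced-command wrapper installed via `command="..."` in authorized_keys2 that inspects SSH_ORIGINAL_COMMAND and runs either the menu or one of a few allowlisted commands, rejecting and logging everything else. The install path /usr/local/bin/ssh-gate, the menu program /usr/local/bin/menu and the allowlist itself are assumptions.

```sh
#!/bin/sh
# Forced-command gate for an authorized_keys entry of the form
#   command="/usr/local/bin/ssh-gate" ssh-dss AAAAB3Nza... OpenSSH key
# (install path and menu program below are assumptions, not from the thread).
# sshd exports the client's requested command as SSH_ORIGINAL_COMMAND; when the
# client asked for an interactive shell the variable is not set at all.

# Map the request to the exact program and arguments that may run. Prints the
# target on success; prints nothing and returns 1 if the request is not allowed.
# Matching is on the whole string, so "ls -l" passes but "ls -l; sh" does not.
resolve_command() {
    case "$1" in
        "")        echo "/usr/local/bin/menu" ;;   # interactive login -> menu (assumed path)
        "ls -l")   echo "/bin/ls -l" ;;
        "who")     echo "/usr/bin/who" ;;
        "date")    echo "/bin/date" ;;
        *)         return 1 ;;
    esac
}

# Entry point: resolve the request, log and reject anything off the list,
# otherwise replace this shell with the allowed program.
run_gate() {
    target=$(resolve_command "$1") || {
        logger -t ssh-gate "rejected from ${SSH_CLIENT%% *}: $1" 2>/dev/null
        echo "command not permitted" >&2
        exit 1
    }
    # $target contains only words from the allowlist above, so unquoted
    # word splitting is intended here.
    exec $target
}

# Only dispatch when invoked by its installed name, so the functions can be
# sourced for testing without running the menu.
case "${0##*/}" in
    ssh-gate) run_gate "${SSH_ORIGINAL_COMMAND:-}" ;;
esac
```

Because the key line forces this script regardless of what the client asked for, a user with that key cannot get past the gate by passing a different command on the ssh command line, and the rejected attempts show up in syslog.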