Gentoo Forums
OpenSSH patch to selectively override a user's shell
Buge
n00b


Joined: 29 Feb 2004
Posts: 60
Location: Bern, Switzerland

Posted: Wed Aug 03, 2005 4:46 pm    Post subject: OpenSSH patch to selectively override a user's shell

Purpose

At the high performance cluster I work at, users should be able to log in via ssh to most nodes. However, only scp and sftp should be possible on the master nodes. This means that we have to set the users' shell to an alternative on these nodes that will only allow scp and sftp. An example of such a shell is rssh. OpenSSH, however, does not allow you to natively change a user's shell depending on his username. This patch adds this functionality.


Availability

You can download a modified openssh ebuild that you can place in your portage overlay or just the patch file for openssh 4.1-p1.



Usage

After emerging the modified version of openssh, you will be able to use three new settings in your sshd_config:
  • OverrideShell - Shell to be used if the user's shell will be overridden (e.g. OverrideShell /usr/bin/rssh).
  • AllowShell - Space separated list of users that should be allowed to use their shell as specified in /etc/passwd or in LDAP or wherever you're authenticating from. If this is set, any user that is not listed here will receive the shell specified in OverrideShell.
  • DenyShell - Space separated list of users who will be denied their shell specified in /etc/passwd or wherever and will receive the OverrideShell instead. If only this is set, all other users will get their normal shell.


DenyShell takes precedence over AllowShell. If OverrideShell is not specified, /usr/bin/rssh will be used by default.


Examples

To deny the normal shell to all users except for root and admin and provide them with rssh as a shell instead, /etc/ssh/sshd_config should contain the following lines:
Code:

# Use a shell that allows us to use scp and sftp but won't allow us to log in:
OverrideShell /usr/bin/rssh
# Only root and admin are allowed to log in directly:
AllowShell root admin


To allow all users to log in except user1 and user2 who should only be able to use scp and sftp:
Code:

# Use a shell that allows us to use scp and sftp but won't allow us to log in:
OverrideShell /usr/bin/rssh
# Everyone may log in except for user1 and user2
DenyShell user1 user2



Bugs / Security

None known. I also don't believe that this leads to security implications if used wisely. Of course, you should be aware that if a user's shell is set to /bin/false and you override it with this patch, a user will gain more permission than he would have otherwise been allowed to have.

If you believe that there is a problem with my patch, please let me know.


Finally

Hope some of you can use the patch. Please give me feedback if you do!

Thanks!
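The precedence rules from the Usage section of the post above, modelled as an added C example (it is not code from the patch or from OpenSSH). The struct, the function names and the /sbin/nologin entry are assumptions of this example; override_grants_access flags the case raised under Bugs / Security, where an account with a no-login shell would receive the override shell instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the three settings (NULL = unset); not the patch's code. */
struct shell_policy {
    const char *override_shell; /* OverrideShell */
    const char *allow_shell;    /* AllowShell, space-separated users */
    const char *deny_shell;     /* DenyShell, space-separated users */
};

/* True if user is an exact whole-word entry in a space-separated list. */
static bool in_list(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    if (list == NULL || ulen == 0)
        return false;
    while (*list != '\0') {
        size_t n = strcspn(list, " \t");
        if (n == ulen && strncmp(list, user, n) == 0)
            return true;
        list += n;
        list += strspn(list, " \t");
    }
    return false;
}

/* Shell the user ends up with, following the rules stated in the post. */
const char *effective_shell(const struct shell_policy *p, const char *user,
                            const char *passwd_shell)
{
    const char *ovr = p->override_shell ? p->override_shell : "/usr/bin/rssh";
    if (in_list(p->deny_shell, user))   /* DenyShell takes precedence */
        return ovr;
    if (p->allow_shell != NULL && !in_list(p->allow_shell, user))
        return ovr;                     /* AllowShell set, user not listed */
    return passwd_shell;
}

/* Audit check for the post's caveat: a no-login account that the override
 * would hand a usable shell. The no-login list is this example's assumption. */
bool override_grants_access(const struct shell_policy *p, const char *user,
                            const char *passwd_shell)
{
    bool nologin = strcmp(passwd_shell, "/bin/false") == 0 ||
                   strcmp(passwd_shell, "/sbin/nologin") == 0;
    return nologin && strcmp(effective_shell(p, user, passwd_shell), passwd_shell) != 0;
}
```

Running override_grants_access over every account in the passwd database before enabling AllowShell shows which disabled or service accounts would need a DenyShell-independent lockout.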
adsmith
Veteran


Joined: 26 Sep 2004
Posts: 1386
Location: NC, USA

Posted: Wed Aug 03, 2005 6:14 pm    Post subject:

cool! thanks