Buge n00b
Joined: 29 Feb 2004 Posts: 60 Location: Bern, Switzerland
Posted: Wed Aug 03, 2005 4:46 pm Post subject: OpenSSH patch to selectively override a user's shell
Purpose
At the high performance cluster I work at, users should be able to log in via ssh to most nodes. However, only scp and sftp should be possible on the master nodes. This means that we have to set the user's shell to an alternative on these nodes that will only allow scp and sftp. An example of such a shell is rssh. OpenSSH, however, does not allow you to natively change a user's shell depending on his username. This patch adds this functionality.
Availability
You can download a modified openssh ebuild that you can place in your portage overlay or just the patch file for openssh 4.1-p1.
Usage
After emerging the modified version of openssh, you will be able to use three new settings in your sshd_config:
- OverrideShell - Shell to be used if the user's shell will be overridden (e.g. OverrideShell /usr/bin/rssh).
- AllowShell - Space separated list of users that should be allowed to use their shell as specified in /etc/passwd or in LDAP or wherever you're authenticating from. If this is set, any user that is not listed here will receive the shell specified in OverrideShell.
- DenyShell - Space separated list of users who will be denied their shell specified in /etc/passwd or wherever and will receive the OverrideShell instead. If only this is set, all other users will get their normal shell.
DenyShell takes precedence over AllowShell. If OverrideShell is not specified, /usr/bin/rssh will be used by default.
Examples
To deny the normal shell to all users except for root and admin and provide them with rssh as a shell instead, /etc/ssh/sshd_config should contain the following lines:
Code:
# Use a shell that allows us to use scp and sftp but won't allow us to log in:
OverrideShell /usr/bin/rssh
# Only root and admin are allowed to log in directly:
AllowShell root admin
To allow all users to log in except user1 and user2 who should only be able to use scp and sftp:
Code:
# Use a shell that allows us to use scp and sftp but won't allow us to log in:
OverrideShell /usr/bin/rssh
# Everyone may log in except for user1 and user2
DenyShell user1 user2
Bugs / Security
None known. I also don't believe that this leads to security implications if used wisely. Of course, you should be aware that if a user's shell is set to /bin/false and you override it with this patch, the user will gain more permission than he would have otherwise been allowed to have.
If you believe that there is a problem with my patch, please let me know.
Finally
Hope some of you can use the patch. Please give me feedback if you do!
Thanks!
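The shell-selection rules described in the post (DenyShell beats AllowShell; an AllowShell list excludes everyone not on it; /usr/bin/rssh is the default override) are easy to get subtly wrong when written into sshd. The following is an added, stand-alone model of that decision in C, not code from the patch itself; the function names choose_shell, in_list and override_widens_access are my own, and the list of "disabled" shells used to flag the /bin/false caveat from the Bugs / Security section is an assumption, not something the patch checks. It matches list entries as whole words, so a user named "roo" is not matched by an entry "root".

```c
#include <stdio.h>
#include <string.h>

/* Default used by the patch when OverrideShell is not set (from the post). */
#define DEFAULT_OVERRIDE_SHELL "/usr/bin/rssh"

/* Return 1 if `user` appears as a whole, space-separated entry in `list`,
 * 0 otherwise. A NULL or empty list matches nobody. */
static int in_list(const char *list, const char *user)
{
    if (list == NULL || user == NULL || *user == '\0')
        return 0;

    size_t ulen = strlen(user);
    const char *p = list;
    while (*p != '\0') {
        while (*p == ' ')            /* skip separators */
            p++;
        if (*p == '\0')
            break;
        const char *end = p;         /* find end of this entry */
        while (*end != '\0' && *end != ' ')
            end++;
        /* compare length first so "roo" does not match "root" */
        if ((size_t)(end - p) == ulen && strncmp(p, user, ulen) == 0)
            return 1;
        p = end;
    }
    return 0;
}

/* Decide which shell `user` gets, following the post's stated semantics:
 *   1. DenyShell takes precedence: a listed user always gets the override.
 *   2. If AllowShell is set, anyone not listed gets the override.
 *   3. Otherwise the account's own shell (from passwd/LDAP) is kept.
 * override_shell, allow_shell and deny_shell may be NULL when unset.
 * Returns a pointer to either passwd_shell or the override string. */
const char *choose_shell(const char *user, const char *passwd_shell,
                         const char *override_shell,
                         const char *allow_shell, const char *deny_shell)
{
    const char *ovr = (override_shell != NULL && *override_shell != '\0')
                          ? override_shell : DEFAULT_OVERRIDE_SHELL;
    int allow_set = (allow_shell != NULL && *allow_shell != '\0');
    int deny_set  = (deny_shell  != NULL && *deny_shell  != '\0');

    if (deny_set && in_list(deny_shell, user))
        return ovr;               /* rule 1: DenyShell wins */
    if (allow_set && !in_list(allow_shell, user))
        return ovr;               /* rule 2: not on the allow list */
    return passwd_shell;          /* rule 3: keep the normal shell */
}

/* The post's caveat: replacing a disabled shell with rssh grants scp/sftp to
 * an account that previously had nothing. Return 1 when `chosen` differs
 * from `passwd_shell` and `passwd_shell` is one of the usual disabled shells
 * (this list is an assumption for the example, not part of the patch). */
int override_widens_access(const char *passwd_shell, const char *chosen)
{
    static const char *disabled[] = {
        "/bin/false", "/sbin/nologin", "/usr/sbin/nologin", NULL
    };
    if (strcmp(passwd_shell, chosen) == 0)
        return 0;
    for (int i = 0; disabled[i] != NULL; i++)
        if (strcmp(passwd_shell, disabled[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample accounts, mirroring the post's two examples. */
    const char *s;
    s = choose_shell("root", "/bin/bash", "/usr/bin/rssh", "root admin", NULL);
    printf("root  (AllowShell root admin) -> %s\n", s);
    s = choose_shell("bob", "/bin/bash", "/usr/bin/rssh", "root admin", NULL);
    printf("bob   (AllowShell root admin) -> %s\n", s);
    s = choose_shell("user1", "/bin/bash", "/usr/bin/rssh", NULL, "user1 user2");
    printf("user1 (DenyShell user1 user2) -> %s\n", s);
    s = choose_shell("svc", "/bin/false", "/usr/bin/rssh", NULL, "svc");
    printf("svc   (/bin/false overridden) -> %s, widens access: %d\n",
           s, override_widens_access("/bin/false", s));
    return 0;
}
```

Running it prints the chosen shell for each sample account; the last line shows the /bin/false case the post warns about being flagged. An administrator auditing a real deployment would compare the same three inputs for every account in passwd or LDAP, which is exactly what the override_widens_access check models.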
adsmith Veteran
Joined: 26 Sep 2004 Posts: 1386 Location: NC, USA
Posted: Wed Aug 03, 2005 6:14 pm
cool! thanks