Restricting SSH access to a given command

From Notes_Wiki
Revision as of 05:01, 28 June 2013 by Saurabh


Restricting SSH access to a given command

Sometimes it is desirable to restrict a user's SSH access to a single command. For file transfer, access can be restricted to a directory by Chrooting sftp users to home directory with openSSH. In other cases, such as version control with svn, git or bzr over SSH where the repository is not in the user's home directory, a different configuration is required.

For bazaar one can use the following configuration in /etc/ssh/sshd_config:

Match User <user-name>
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        GatewayPorts no
        # Banner takes the path of a file whose contents are shown before login; the path is an example
        Banner /etc/ssh/banner-bzr
        ForceCommand bzr serve --inet --directory=/var/www/vlead-ras --allow-writes

The bazaar steps are taken from http://thias.marmotte.net/2009/05/creating-a-restricted-bzrssh-smart-server/


For svn one can use the following configuration in /etc/ssh/sshd_config:

Match User <user-name>
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        GatewayPorts no
        # Banner takes the path of a file whose contents are shown before login; the path is an example
        Banner /etc/ssh/banner-svn
        ForceCommand svnserve -t


For git one can use the following configuration in /etc/ssh/sshd_config:

Match User saurabh
        X11Forwarding no
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        GatewayPorts no
        # Banner takes the path of a file whose contents are shown before login; the path is an example
        Banner /etc/ssh/banner-git
        ForceCommand perl -e 'exec qw(git-shell -c), $ENV{SSH_ORIGINAL_COMMAND}'

For git one can also set git-shell as the user's login shell, as described in its man page or at http://stackoverflow.com/questions/5871652/running-a-secure-git-server-over-ssh-without-gitosis-gitolite
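The perl one-liner above simply hands SSH_ORIGINAL_COMMAND to git-shell. The wrapper below is an added example, not from this wiki page or from any of the linked posts: a POSIX sh script meant to be installed as the ForceCommand instead, which allows only the two git transport commands on repositories under one directory, refuses and logs everything else (including an attempt to get an interactive shell), and fails closed. The repository root /srv/git, the install path /usr/local/bin/git-only and the syslog tag are assumptions. The same shape, with a different allowlist, covers the rsync case referenced further down.

```shell
#!/bin/sh
# Added example (not from the wiki page): a ForceCommand wrapper that allows a
# user to run only git-upload-pack (fetch/clone) and git-receive-pack (push)
# against repositories below REPO_ROOT.  Everything else, including an
# interactive shell, is refused and logged.  REPO_ROOT is an assumption.

REPO_ROOT=/srv/git   # assumed location of the bare repositories

# git_ssh_allowed CMD
# Validates a client-supplied command of the form
#   git-upload-pack 'path/to/repo.git'
# Prints "<verb> <absolute repo path>" and returns 0 when allowed,
# prints nothing and returns 1 otherwise.
git_ssh_allowed() {
    cmd=$1
    # only the two git transport commands, each with exactly one quoted argument
    case $cmd in
        "git-upload-pack '"*"'"|"git-receive-pack '"*"'") ;;
        *) return 1 ;;
    esac
    verb=${cmd%% *}          # text before the first space
    repo=${cmd#* }           # text after the first space, still quoted
    repo=${repo#\'}
    repo=${repo%\'}
    # refuse empty names, absolute paths, "..", and any character outside a
    # conservative allowlist (this also catches quotes, spaces and ';')
    case $repo in
        ''|/*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    printf '%s %s\n' "$verb" "$REPO_ROOT/$repo"
}

# sshd sets SSH_CONNECTION for every session it spawns, so this branch runs
# only when the script is used as a ForceCommand, not when it is executed
# locally for testing.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if allowed=$(git_ssh_allowed "${SSH_ORIGINAL_COMMAND:-}"); then
        verb=${allowed%% *}
        path=${allowed#* }
        exec "$verb" "$path"
    fi
    # Denied: record who asked for what, then fail closed.
    logger -p auth.warning -t git-only \
        "denied user=$(id -un) from=${SSH_CONNECTION%% *} cmd='${SSH_ORIGINAL_COMMAND:-<none>}'"
    echo "Only git access is allowed" >&2
    exit 1
fi
```

Install it as `ForceCommand /usr/local/bin/git-only` in the Match block above. Two checks worth doing after editing sshd_config: keep the Match block at the end of the file, because every directive after a Match line belongs to that block until the next Match; and confirm the effective settings for the user with `sshd -T -C user=<user-name>` (grep for forcecommand and forwarding) before reloading sshd.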


The git and subversion methods are taken from http://joeyh.name/blog/entry/locking_down_ssh_authorized_keys/


The steps at http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/ show how to restrict rsync access to a given directory with a selected set of switches/options.

