LinuxQuestions.org
Old 08-28-2008, 05:44 AM   #1
btaylor1988
Member
 
Registered: Nov 2005
Location: England
Distribution: CentOS, Fedora
Posts: 79

Rep: Reputation: 15
Stop any commands via ssh


Hi,

I am looking for a way to let someone log onto my server via SSH externally, but then block them from issuing any commands, if possible, so they can just tunnel ports but not be able to issue a command.

If possible, is there a script I can use so that if they type anything it echoes a message saying "sorry, no commands allowed" etc. but does not drop them from the connection?

Thanks.
 
Old 08-28-2008, 07:04 AM   #2
MarkByers
LQ Newbie
 
Registered: Jul 2008
Posts: 6

Rep: Reputation: 0
You might want to take a look at rbash. It does something quite similar to what you want.

Alternatively you could try writing a small shell. Maybe something like this:

cat > badshell.c <<'EOF'
#include <stdio.h>
int main(void) {            /* refuse every line; exit on EOF instead of spinning */
    int c;
    while ((c = getchar()) != EOF)
        if (c == '\n') printf("Sorry, no commands allowed.\n");
    return 0;
}
EOF

gcc -o badshell badshell.c

sudo mv badshell /bin/badshell

Then set your users' shell to /bin/badshell in the passwd file.

Warning: Use at your own risk. I'm not 100% sure that it is completely impossible to run commands.
 
Old 08-28-2008, 07:07 AM   #3
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1983
Or simply use /bin/false in place of the login shell.
 
Old 08-28-2008, 01:25 PM   #4
btaylor1988
Member
 
Registered: Nov 2005
Location: England
Distribution: CentOS, Fedora
Posts: 79

Original Poster
Rep: Reputation: 15
Tried both options, but all it seems to do is end the session and close the SSH window (PuTTY), so I can't open ports or type commands.
 
Old 08-28-2008, 07:03 PM   #5
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
You can use the options in the authorized_keys file to do this. Have a look at the sshd man page.
Basically, you can add options to the public key for a particular user to block tty, execute an arbitrary command etc. I just tested it with the options set as no-pty,"sleep 3600" and it works fine. The connecting user can still forward ports, but can't do anything else. Obviously, set the command to what you need.

Hope this helps

edit: Don't use the 'no-pty' option, or you can't kill the connection until the sleep time is up (or whatever command you use completes). Of course, that may be what you want.

Last edited by beadyallen; 08-28-2008 at 07:21 PM.
 
Old 08-29-2008, 04:08 AM   #6
btaylor1988
Member
 
Registered: Nov 2005
Location: England
Distribution: CentOS, Fedora
Posts: 79

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by beadyallen
You can use the options in the authorized_keys file to do this. Have a look at the sshd man page.
Basically, you can add options to the public key for a particular user to block tty, execute an arbitrary command etc. I just tested it with the options set as no-pty,"sleep 3600" and it works fine. The connecting user can still forward ports, but can't do anything else. Obviously, set the command to what you need.

Hope this helps

edit: Don't use the 'no-pty' option, or you can't kill the connection until the sleep time is up (or whatever command you use completes). Of course, that may be what you want.
Thanks for this, it seems a good idea, though I'm having a bit of trouble.

I've created an authorized_keys file using the command:
ssh-keygen -t rsa
This gave me the file "id_rsa.pub", so I copied it into the authorized_keys file and added the option no-pty at the top so it shows up like this:

no-pty
ssh-rsa randomlettersrandomletters

I also enabled it in sshd_config:

LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Maybe I've missed something or gone about this the wrong way; any pointers would be great, thanks.
 
Old 08-29-2008, 04:58 AM   #7
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
The options and key should be on the same line, so the test 'authorized_keys' I generated looked like:
Code:
no-pty,command="sleep 3600" ssh-dss AAAAB3NzaC1kc3M..... TestKey
Put that into the ~/.ssh/ directory of the logging on user, then ssh from another machine using:
Code:
ssh -i id_dsa username@machine -L <portforwarding stuff>
I used DSA keys (ssh-keygen -t dsa), but rsa will work the same.

Note: make sure you set the correct permissions on the authorized_keys and .ssh directory. The .ssh directory should be 700, and authorized_keys should be 600. Make sure you set the owner of the files to be the logging on user.

If you still have problems, post the verbose output from a login attempt (ssh -v ....). Also check the server log, on redhat/fedora, it'll be in /var/log/secure.

Good luck
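The recipe from the two beadyallen posts above, as an added example that is not part of the original thread and not the poster's code: a script that builds a tunnel-only authorized_keys line and audits an existing file for keys that still reach a shell. It goes beyond the thread's no-pty,command="sleep 3600" line by using the newer "restrict" option and "permitopen" to pin the forwarding target. The function names, the placeholder key blobs and comments, and the 127.0.0.1:3306 target are assumptions of this example, not values from the thread.

```shell
# Added example (not from the thread): build a tunnel-only authorized_keys
# entry and audit an existing file for keys that still reach a shell.
# The key blobs, comments and 127.0.0.1:3306 below are constructed
# placeholders, not values from the original posts.

# Emit an authorized_keys line for a key that may only forward ports to
# $2 and can never get a shell, PTY, X11 or agent forwarding.
#   restrict       (OpenSSH 7.2+) turns every capability off, including
#                  port forwarding, so "port-forwarding" re-enables it;
#   permitopen=    limits which host:port the client may -L to;
#   command=       replaces whatever the client asks to run.
# On an older server spell it out instead of "restrict":
#   no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="...",command="..."
restricted_key_line() {
    pubkey=$1       # "ssh-ed25519 AAAA... comment"
    target=$2       # host:port the client is allowed to reach
    printf 'restrict,port-forwarding,permitopen="%s",command="/bin/false" %s\n' \
        "$target" "$pubkey"
}

# Classify one authorized_keys line. Options come first, comma separated,
# with quoted values that may contain commas or spaces; the key type
# (ssh-*, ecdsa-*, sk-*) starts the rest of the line.
#   full-shell  : no options; the key gives the account's login shell
#   weak        : options present but no command=, so any command still
#                 runs ("restrict" alone removes the PTY, not the shell)
#   no-access   : forced command, but forwarding is switched off as well
#   tunnel-only : forced command and forwarding allowed
#   skip        : blank line or comment
classify_key_line() {
    line=$1
    case $line in
        ''|'#'*)            echo skip;       return 0 ;;
        ssh-*|ecdsa-*|sk-*) echo full-shell; return 0 ;;
    esac
    # drop quoted values, then keep only the options field (up to first space)
    stripped=$(printf '%s\n' "$line" | sed 's/"[^"]*"//g')
    bare=",${stripped%% *},"
    case $bare in
        *,command=,*) ;;
        *) echo weak; return 0 ;;
    esac
    case $bare in
        *,no-port-forwarding,*) echo no-access ;;
        *,restrict,*)
            case $bare in
                *,port-forwarding,*) echo tunnel-only ;;
                *)                   echo no-access ;;
            esac ;;
        *) echo tunnel-only ;;
    esac
}

# Read an authorized_keys file on stdin; print "<verdict> <last token>" per key.
audit_authorized_keys() {
    while IFS= read -r l; do
        v=$(classify_key_line "$l")
        [ "$v" = skip ] || printf '%s %s\n' "$v" "${l##* }"
    done
}

# Constructed sample file: line two is the thread's recipe, line three is
# the common "restrict without command=" mistake, the last cannot even tunnel.
SAMPLE_KEYS='# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder admin@laptop
no-pty,command="sleep 3600" ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder TestKey
restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder nocmd
restrict,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder locked'

printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys
restricted_key_line 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder tunnel@client' 127.0.0.1:3306
```

On the client side, connect with ssh -N -i id_ed25519 -L 3306:127.0.0.1:3306 user@server: -N asks for no remote command at all, so the forced command never runs and nothing has to sleep to keep the session alive. Two caveats: "restrict" on its own only removes the PTY, so the user can still run ssh server 'some command' unless command= is also set; and these options bind only when that key authenticates, so a password login by the same account is untouched by them.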
 
Old 08-29-2008, 05:52 AM   #8
btaylor1988
Member
 
Registered: Nov 2005
Location: England
Distribution: CentOS, Fedora
Posts: 79

Original Poster
Rep: Reputation: 15
OK, I've set up the 'authorized_keys' so it's all on one line; it still does not seem to work when connecting via PuTTY. Also, it has the correct user permissions and it's in the user's .ssh folder.

Output of /var/log/secure:

Aug 29 11:41:51 amtcentral sshd[7465]: Accepted password for USER from 192.168.26.10 port 2964 ssh2
Aug 29 11:41:51 amtcentral sshd[7465]: pam_unix(sshd:session): session opened for user USER by (uid=0)

That's all I seem to get from the log. It makes me think my sshd config is not correct; I'll post that just to make sure:

sshd_config:

Protocol 2
SyslogFacility AUTHPRIV
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

That's all the uncommented lines from the sshd_config. Also, as a note, I'm running CentOS 5.1 (RedHat based).
 
Old 08-29-2008, 06:20 AM   #9
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
Have you got PuTTY set up to use the private key? You shouldn't have to be entering a password; the private/public keys should be taking care of authentication. Any chance you can run from an ssh command line? Log into the server yourself, get a copy of the private key you generated (id_rsa) and type:
Code:
ssh -v -i ./id_rsa username@localhost
That should give some more info (username is the target user).
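Added example, not from the thread and not any poster's code: the log line in post #8 records "Accepted password", so the options on the key never came into play. The script below prints an sshd_config Match block that makes a tunnel-only account key-only and enforces the same restrictions server-side, and runs a check over constructed /var/log/secure lines that flags any non-key login by such an account. "tunneluser", the TUNNEL_USERS list, the 127.0.0.1:3306 target and the sample log lines are assumptions of this example.

```shell
# Added example (not from the thread): close the password path that the
# posted log line shows, and detect it in the log. "tunneluser", the
# 127.0.0.1:3306 target and the log lines are constructed for illustration.

TUNNEL_USERS="tunneluser"   # assumption: accounts that exist only to tunnel

# sshd_config fragment (Match blocks go after all global settings).
# authorized_keys options bind only when that key authenticates; with
# PasswordAuthentication yes, as in the posted config, the same account
# logs in with its password and gets its normal login shell. This block
# makes the account key-only and enforces the restrictions server-side,
# so an edited or missing authorized_keys line cannot reopen the shell.
# Old sshd releases reject PermitTTY; check with "sshd -t" and keep
# no-pty on the key if yours does.
sshd_match_block() {
    user=$1
    cat <<EOF
Match User $user
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3306
    ForceCommand /bin/false
EOF
}

# Constructed sample /var/log/secure lines. The first mirrors what the
# original poster saw: a password was accepted, so the key was never used.
SAMPLE_SECURE='Aug 29 11:41:51 amtcentral sshd[7465]: Accepted password for tunneluser from 192.168.26.10 port 2964 ssh2
Aug 29 11:42:10 amtcentral sshd[7470]: Accepted publickey for tunneluser from 192.168.26.10 port 2971 ssh2
Aug 29 11:43:02 amtcentral sshd[7481]: Accepted password for admin from 192.168.26.11 port 3001 ssh2'

# Read sshd log lines on stdin; print "ALERT user method src" for every
# login by a tunnel-only user that did not use publickey.
# Returns 0 when nothing was flagged, 1 otherwise.
flag_non_key_logins() {
    found=0
    while IFS= read -r l; do
        case $l in
            *' sshd['*']: Accepted '*' for '*' from '*) ;;
            *) continue ;;
        esac
        rest=${l#*: Accepted }       # "password for tunneluser from 192.168.26.10 port ..."
        method=${rest%% *}
        rest=${rest#* for }
        user=${rest%% *}
        rest=${rest#* from }
        src=${rest%% *}
        for u in $TUNNEL_USERS; do
            if [ "$u" = "$user" ] && [ "$method" != publickey ]; then
                printf 'ALERT %s %s %s\n' "$user" "$method" "$src"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

sshd_match_block tunneluser
printf '%s\n' "$SAMPLE_SECURE" | flag_non_key_logins \
    || echo "a tunnel-only account logged in without its key"
```

Append the Match block to sshd_config, run sshd -t, then reload sshd; after that the user in post #8 can only get in with the key, and ssh -v on the client should show "Authentication succeeded (publickey)" rather than a password prompt.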
 
  

