restricted-ssh-commands(1)
ssh-commands - Restrict SSH users to a predefined set of commands
Description
RESTRICTED-SSH-COMMANDS
NAME
restricted-ssh-commands - Restrict SSH users to a predefined set of commands
SYNOPSIS
/usr/lib/restricted-ssh-commands [config]
DESCRIPTION
restricted-ssh-commands is intended to be called by SSH to restrict a user to only run specific commands. A list of allowed regular expressions can be configured in /etc/restricted-ssh-commands/. The requested command has to match at least one regular expression. Otherwise it will be rejected.
restricted-ssh-commands is useful to grant restricted access via SSH to do only certain task. For example, it could allow a user to upload a Debian packages via scp and run reprepro processincoming.
The optional config parameter is the name of the configuration inside /etc/restricted-ssh-commands/ that should be used. If config is omitted, the user name will be used.
USAGE
Create a configuration file in /etc/restricted-ssh-commands/$config and add following line to ˜/.ssh/authorized_keys to use it
command="/usr/lib/restricted-ssh-commands",no-port-forwarding,\
no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa
[...]
To enable debug output, set the RSC_VERBOSE environment variable to a nonzero value, e.g. by adding it to authorized_keys:
command="RSC_VERBOSE=1 /usr/lib/restricted-ssh-commands"
EXIT STATUS
restricted-ssh-commands will exit with the exit status from the called command if the command is allowed and therefore executed. If the command is rejected, restricted-ssh-commands will exit with one of the following exit codes.
|
124 |
A configuration file was found and contains at least one regular expression, but the requested command does not match any of those regular expressions. | ||
|
125 |
The configuration file is missing or does not contain any regular expressions. Thus all commands are rejected. |
EXAMPLES
Imagine you have a Debian package repository on a host using reprepro and you want to allow package upload to it. Assuming the user is reprepro and the package configuration is stored in /srv/reprepro, you would create the configuration file /etc/restricted-ssh-commands/reprepro containing these three regular expressions:
ˆscp -p( -d)?
-t( --)?
/srv/reprepro/incoming(/[-a-z0-9+˜_.]*[-a-z0-9+˜_])?$
ˆchmod 0644(
/srv/reprepro/incoming/[-a-z0-9+˜_.]*[-a-z0-9+˜_])+$
ˆreprepro ( -V)? -b /srv/reprepro processincoming
foobar$
SECURITY NOTES
It is dangerous and not recommended to use negative bracket expressions (like [ˆ /]). Characters like CR LF $ & ; ( ) and so on can be abused to execute arbitrary commands. For example, the rule
ˆecho [ˆ /]$
can be abused to execute these commands
echo
foo&echo owned
echo foo&rm -rf $(printf "\x2f")
where a TAB is used instead of spaces after the first ampersand. Therefore only use positive bracked expressions (like [a-z]).
FILES
The configuration files are placed in /etc/restricted-ssh-commands/. Each line in the configuration file represents one POSIX extended regular expression ( ERE ). Lines starting with # are considered as comments and are ignored. Empty lines (containing only whitespaces) are ignored, too.
SEE ALSO
Regular expressions on http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_04_01.html
Section 9.4 Extended Regular Expressions ( ERE ) on http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html
AUTHOR
restricted-ssh-commands and this manpage have been written by Benjamin Drung <benjamin.drung@profitbricks.com>.