Restricted ssh access

Sometimes we need an ssh connection only to perform a few system activities, not to open a command shell on the remote host.

When performing security-critical tasks, or accessing highly secured machines, granting a full remote shell can be equivalent to opening a breach.

E.g., backup tasks are usually performed by a specific system user that is granted access over ssh; allowing only a restricted set of commands for the backup user introduces some additional security by avoiding system-wide access.

Adding some configuration to ~user/.ssh/authorized_keys on the remote host can be a quick solution:

from="accessing_host.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="echo 'I can only print this useless message...damn'" ssh-rsa AAA...
...
...Pw== user@accessing_host.example.com

Where:

  • the from option allows access from the specified host only
  • no-port-forwarding,no-X11-forwarding,no-agent-forwarding disable the forwarding capabilities of the remote host for this key
  • the command option defines which command the connecting user can issue to the remote host. ALL other commands are ignored

The command option can also point to a script containing different shell commands to accomplish complex tasks.
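
A sketch of such a script, added here as an example and not taken from the original post: it reads the command the client requested from SSH_ORIGINAL_COMMAND (set by sshd when a forced command is in effect) and runs only entries from a fixed allowlist. The script path, the request names backup-list and backup-stream, and the /var/backups directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a forced-command gate script.
# Assumed install path /usr/local/bin/backup-gate.sh, referenced from
# authorized_keys as:
#   from="accessing_host.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/bin/backup-gate.sh" ssh-rsa AAA...
# sshd runs this script for every connection made with that key and puts
# the command the client asked for in SSH_ORIGINAL_COMMAND.

BACKUP_DIR="${BACKUP_DIR:-/var/backups}"   # assumed backup location

# Map the client's request to an action name. Exact string match only, so
# extra arguments or shell metacharacters never reach a shell for parsing.
# Prints the action and returns 0 if allowed; returns 1 otherwise.
resolve_action() {
    case "$1" in
        backup-list)   echo list ;;
        backup-stream) echo stream ;;
        *)             return 1 ;;
    esac
}

# Run one fixed command line per action; nothing from the client is executed.
run_action() {
    case "$1" in
        list)   ls -l -- "$BACKUP_DIR" ;;
        stream) tar -C "$BACKUP_DIR" -cf - . ;;
        *)      return 1 ;;
    esac
}

# Decide and act for one request; returns non-zero on rejection.
gate() {
    if action=$(resolve_action "$1"); then
        run_action "$action"
    else
        echo "rejected: command not permitted" >&2
        return 1
    fi
}

# Only act when sshd supplied a request; an interactive login attempt
# (variable unset) falls through and the session simply ends.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    gate "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

With this in place, "ssh user@remote backup-list" lists the backup directory, while any other requested command is rejected with a non-zero exit status.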
