[Wolves] Locking own an SSH login

Adam Sweet adam at adamsweet.org
Fri Feb 27 11:28:02 UTC 2009


Hi everyone

I'm trying to create a locked down SSH login account on CentOS 4.x, but
I'm having trouble with setting the $PATH variable.

The idea is that I only want to allow the user to run commands provided
in the home directory, so we're forcing a restricting shell so it can't
run commands with a slash in them and modifying the path so they can run
commands in the home directory without having to specify ./command which
would be disallowed by the restricted shell.

The user will be coming in over SSH, so I'm doing 2 things.

1) Key based SSH login which is restricted with command="/bin/bash -r"
in .ssh/authorized_keys2, which restricts their shell so they can't run
commands with a / in them, like /bin/ls and so on. This part works well.
The user gets a restricted shell when they login over SSH.

2) I'm setting the $PATH variable in .bash_profile to specify $HOME as
the path and putting some shell scripts in the home directory. This bit
works fine when I'm already logged in and I 'su - username', but when
the user logs in over SSH, the path is different:

After su - username:

echo $PATH
/home/usermame

After key-based SSH login:

echo $PATH
/usr/kerberos/bin:/var/icritical/bin:/usr/local/bin:/bin:/usr/bin

It appears that the restricted shell cannot set the $PATH variable and
such variables are inherited from the system defaults in a restricted
shell. Can anybody point me in the right direction on how to restrict an
SSH user to specified commands?

Adam



More information about the Wolves mailing list