[Wolves] Locking own an SSH login

chris procter chris-procter at talk21.com
Sat Feb 28 00:13:11 UTC 2009

> Hi everyone

> I'm trying to create a locked down SSH login account on CentOS 4.x, but
> I'm having trouble with setting the $PATH variable.
> The idea is that I only want to allow the user to run commands provided
> in the home directory, so we're forcing a restricting shell so it can't
> run commands with a slash in them and modifying the path so they can run
> commands in the home directory without having to specify ./command which
> would be disallowed by the restricted shell.
> The user will be coming in over SSH, so I'm doing 2 things.
> 1) Key based SSH login which is restricted with command="/bin/bash -r"
> in .ssh/authorized_keys2, which restricts their shell so they can't run
> commands with a / in them, like /bin/ls and so on. This part works well.
> The user gets a restricted shell when they login over SSH.
> 2) I'm setting the $PATH variable in .bash_profile to specify $HOME as
> the path and putting some shell scripts in the home directory. This bit
> works fine when I'm already logged in and I 'su - username', but when
> the user logs in over SSH, the path is different:
> After su - username:
> echo $PATH
> /home/usermame
> After key-based SSH login:
> echo $PATH
> /usr/kerberos/bin:/var/icritical/bin:/usr/local/bin:/bin:/usr/bin
> It appears that the restricted shell cannot set the $PATH variable and
> such variables are inherited from the system defaults in a restricted
> shell. Can anybody point me in the right direction on how to restrict an
> SSH user to specified commands?
> Adam

I'll admit that I'm drunk and therefore no doubt missing the point but are you not attempting to chroot the user to their home directory? and if so are you not as well off with the ChrootDirectory directive in the sshd_config file.



More information about the Wolves mailing list