forced-commands-only option for any user, not just root
Hi,
Our environment:
AIX v5.2 and v5.3
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060bf
We have a set of usernames on the hosts that we want to NOT have
interactive access. These are accounts that are not unique to an
individual person, we refer to them as group accounts. Our auditors
require that interactive access be restricted to the individual
accounts only and that su to the group account is fine since it
provides an audit trail. These group accounts are used to run some
scripts and a trust relationship between a number of unix boxes is
allowed, meaning the group account is allowed to do 'ssh remote-host
command'.
Looks like an option for root (PermitRootLogin set to
forced-commands-only) is the functionality we need but for these
non-root accounts.
Anyone know if there is something in sshd_config to get the same
functionality? Or has anyone faced a similar set of requirements and
how did you address it?
Greg
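The PermitRootLogin forced-commands-only behaviour mentioned in the post is built on the `command="..."` option in authorized_keys, which sshd honours for any account, not just root. As an added example that is not part of this thread, the wrapper below shows how a non-root group account's keys can be pinned to such a forced command so that an interactive login is refused and only an allow-list of scripts can be run via 'ssh remote-host command'. The wrapper path, the script directory and the script names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: a forced-command wrapper that turns
# a non-root "group account" into a run-these-scripts-only account.
#
# Every key in the account's ~/.ssh/authorized_keys gets the options
#   command="/usr/local/sbin/group-account-cmd",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... comment
# so sshd never starts a shell for that key; it runs this wrapper instead and
# places the command the client asked for in SSH_ORIGINAL_COMMAND (empty for
# a plain interactive login). Wrapper path, script directory and script names
# are assumptions made for this example.

ALLOWED_DIR="/usr/local/lib/group-account-scripts"   # assumed; permitted scripts live here

# check_command "CMD ARGS..." validates a requested command line.
# On success it prints the absolute path of the permitted script and
# returns 0; an empty request or anything outside the allow-list returns 1.
check_command() {
    req=$1
    case "$req" in
        # Empty request = interactive login attempt: refuse.
        "") return 1 ;;
        # Any character outside a conservative set is refused. The set has
        # no '/', quotes, ';', '|', '&', '$', backticks or glob characters,
        # so the request can neither name a path outside ALLOWED_DIR nor
        # smuggle shell syntax into the scripts' arguments.
        *[!A-Za-z0-9_.' '-]*) return 1 ;;
    esac
    # Word-splitting is safe now: no glob or quote characters remain.
    set -- $req
    script=$1
    case "$script" in
        nightly-backup.sh|rotate-logs.sh|sync-config.sh) ;;   # assumed allow-list
        *) return 1 ;;
    esac
    printf '%s/%s\n' "$ALLOWED_DIR" "$script"
    return 0
}

# main: log and refuse, or exec the permitted script with the client's
# arguments. Both outcomes are logged so the auditors' trail covers the
# group account's remote activity.
main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if ! script=$(check_command "$req"); then
        logger -t group-account-cmd -p auth.warning \
            "denied request from ${SSH_CLIENT%% *} for $(id -un): '$req'"
        echo "this account accepts only pre-approved commands" >&2
        exit 1
    fi
    logger -t group-account-cmd -p auth.info \
        "running '$req' for $(id -un) from ${SSH_CLIENT%% *}"
    set -- $req
    shift                       # drop the script name, keep its arguments
    exec "$script" "$@"
}

# sshd sets SSH_CONNECTION for every session; when it is absent (the file
# is being sourced for testing) do nothing.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

Two caveats apply to this approach: the options govern only key-based logins, so the account's password must be unavailable for login separately (for example by locking it), and every key in the account's authorized_keys needs the options, since a single unrestricted key would give that key holder a shell again.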
Re: forced-commands-only option for any user, not just root
gbeckowski@gmail.com wrote:
> Hi,
>
> Our environment:
> AIX v5.2 and v5.3
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060bf
>
> We have a set of usernames on the hosts that we want to NOT have
> interactive access. These are accounts that are not unique to an
> individual person, we refer to them as group accounts. Our auditors
> require that interactive access be restricted to the individual
> accounts only and that su to the group account is fine since it
> provides an audit trail. These group accounts are used to run some
> scripts and a trust relationship between a number of unix boxes is
> allowed, meaning the group account is allowed to do 'ssh remote-host
> command'.
Looks more like a sudo opportunity: give them a user login, or limited
login, and force them to use sudo to run those special commands.
Re: forced-commands-only option for any user, not just root
On 2006-06-22 14:36:49 +0200, gbeckowski@gmail.com said:
> Hi,
>
> Our environment:
> AIX v5.2 and v5.3
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060bf
>
> We have a set of usernames on the hosts that we want to NOT have
> interactive access. These are accounts that are not unique to an
> individual person, we refer to them as group accounts. Our auditors
> require that interactive access be restricted to the individual
> accounts only and that su to the group account is fine since it
> provides an audit trail. These group accounts are used to run some
> scripts and a trust relationship between a number of unix boxes is
> allowed, meaning the group account is allowed to do 'ssh remote-host
> command'.
>
> Looks like an option for root (PermitRootLogin set to
> forced-commands-only) is the functionality we need but for these
> non-root accounts.
>
> Anyone know if there is something in sshd_config to get the same
> functionality? Or has anyone faced a similar set of requirements and
> how did you address it?
In sshd, no, but you can use something à la a restricted shell.
--
Sensei <senseiwa@mac.com>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]