forced-commands-only option for any user, not just root - SSH


Thread: forced-commands-only option for any user, not just root

  1. forced-commands-only option for any user, not just root

    Hi,

    Our environment:
    AIX v5.2 and v5.3
    OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060bf

    We have a set of usernames on the hosts that we want to NOT have
    interactive access. These are accounts that are not unique to an
    individual person, we refer to them as group accounts. Our auditors
    require that interactive access be restricted to the individual
    accounts only and that su to the group account is fine since it
    provides an audit trail. These group accounts are used to run some
    scripts and a trust relationship between a number of unix boxes is
    allowed, meaning the group account is allowed to do 'ssh remote-host
    command'.

    Looks like an option for root (PermitRootLogin set to
    forced-commands-only) is the functionality we need but for these
    non-root accounts.

    Anyone know if there is something in sshd_config to get the same
    functionality? Or has anyone faced a similar set of requirements and
    how did you address it?

    Greg


  2. Re: forced-commands-only option for any user, not just root

    gbeckowski@gmail.com wrote:
    > Hi,
    >
    > Our environment:
    > AIX v5.2 and v5.3
    > OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060bf
    >
    > We have a set of usernames on the hosts that we want to NOT have
    > interactive access. These are accounts that are not unique to an
    > individual person, we refer to them as group accounts. Our auditors
    > require that interactive access be restricted to the individual
    > accounts only and that su to the group account is fine since it
    > provides an audit trail. These group accounts are used to run some
    > scripts and a trust relationship between a number of unix boxes is
    > allowed, meaning the group account is allowed to do 'ssh remote-host
    > command'.


    Looks more like a sudo opportunity: give them a user login, or limited
    login, and force them to use sudo to run those special commands.



  3. Re: forced-commands-only option for any user, not just root

    On 2006-06-22 14:36:49 +0200, gbeckowski@gmail.com said:

    > Hi,
    >
    > Our environment:
    > AIX v5.2 and v5.3
    > OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060bf
    >
    > We have a set of usernames on the hosts that we want to NOT have
    > interactive access. These are accounts that are not unique to an
    > individual person, we refer to them as group accounts. Our auditors
    > require that interactive access be restricted to the individual
    > accounts only and that su to the group account is fine since it
    > provides an audit trail. These group accounts are used to run some
    > scripts and a trust relationship between a number of unix boxes is
    > allowed, meaning the group account is allowed to do 'ssh remote-host
    > command'.
    >
    > Looks like an option for root (PermitRootLogin set to
    > forced-commands-only) is the functionality we need but for these
    > non-root accounts.
    >
    > Anyone know if there is something in sshd_config to get the same
    > functionality? Or has anyone faced a similar set of requirements and
    > how did you address it?


    In sshd no, but you can use something a la restricted shell.

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]
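
An added example, not part of any post in this thread: the per-key `command="..."` option in a group account's `authorized_keys` forces every login with that key through a wrapper, which can refuse interactive sessions and run only allowlisted requests taken from `SSH_ORIGINAL_COMMAND`. The wrapper path, the `--enforce` flag, the script names under `/opt/batch/bin` and the request strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical wrapper installed as the
# forced command for a group account's key in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/group-wrapper --enforce",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <key> <comment>
# sshd runs it for every login with that key and passes what the client
# asked for in SSH_ORIGINAL_COMMAND (unset for an interactive login).

# Map an exact request string to a fixed program (paths are assumptions).
# Returns 2 for an interactive attempt, 1 for anything not listed.
resolve_request() {
    case "$1" in
        "")              return 2 ;;
        "nightly-sync")  echo "/opt/batch/bin/nightly-sync.sh" ;;
        "report daily")  echo "/opt/batch/bin/report.sh daily" ;;
        "report weekly") echo "/opt/batch/bin/report.sh weekly" ;;
        *)               return 1 ;;
    esac
}

# Turn a request into a one-line verdict; the request is never eval'ed.
decide() {
    rc=0
    target=$(resolve_request "$1") || rc=$?
    case "$rc" in
        0) echo "ALLOW $target" ;;
        2) echo "DENY interactive-login" ;;
        *) echo "DENY not-allowlisted" ;;
    esac
}

# Entry point when run by sshd: log the verdict, then exec or refuse.
enforce() {
    verdict=$(decide "${SSH_ORIGINAL_COMMAND:-}")
    logger -t group-wrapper "user=$(id -un) client=${SSH_CLIENT:-unknown} $verdict" || true
    case "$verdict" in
        "ALLOW "*) exec ${verdict#ALLOW } ;;  # splits only the fixed allowlist value
        *)         echo "$verdict" >&2; exit 1 ;;
    esac
}

if [ "${1:-}" = "--enforce" ]; then
    enforce
else
    # Constructed sample requests, to show the decisions offline.
    for req in "nightly-sync" "report daily" "" "/bin/sh" "report daily; id"; do
        printf '%-22s -> %s\n' "[$req]" "$(decide "$req")"
    done
fi
```

The restriction is attached to the key, so it covers only logins made with that key; any other authentication method enabled for the account has to be closed off separately, and `su` from an individual account does not pass through sshd at all.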

