限制一组用户的 SSH 命令

Question 1

您需要使用您选择的脚本语言创建一个受限的命令 shell，然后设置 sshd 来强制您指定的组使用此受限 shell。

示例 8-1 及其以下部分O'Reilly 的 SSH，安全外壳第 8 章展示实现前者的方法。

对于后者，请参阅Match中的指令描述sshd_config(5)。

例如，您可以将以下内容添加到/etc/ssh/sshd_config：

Match Group X
ForceCommand /path/to/your/restricted_shell

Answer

您需要使用您选择的脚本语言创建一个受限的命令 shell，然后设置 sshd 来强制您指定的组使用此受限 shell。

示例 8-1 及其以下部分O'Reilly 的 SSH，安全外壳第 8 章展示实现前者的方法。

对于后者，请参阅Match中的指令描述sshd_config(5)。

例如，您可以将以下内容添加到/etc/ssh/sshd_config：

Match Group X
ForceCommand /path/to/your/restricted_shell

Question 2

我认为正确的做法是结合chroot（受控/受限环境）远程控制

你可能想看看这个指南 http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Answer

我认为正确的做法是结合chroot（受控/受限环境）远程控制

你可能想看看这个指南 http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Question 3

不确定它是否适合您的环境，我在我的环境中使用它。想法是使用受限的 bash，清理 $PATH，保护 $PATH 并将 $PATH 设置为 $HOME/bin，然后您只需将您允许用户运行的所有二进制文件符号链接到 $HOME/bin。

 -------------------------------------------
#!/bin/bash

USERS="user"

PASS=secret
ALLOWED_CMDS="/bin/ping
/usr/bin/killall
/bin/ps
"

# creating restricted bash
ln -s /bin/bash /bin/rbash

for user in ${USERS}; do
        home=/home/${user}
        echo useradd --comment \"CDM user with restricted shell\" --home-dir ${home} --shell /bin/rbash ${user}
        useradd --comment "CDM user with restricted shell" --home-dir ${home} --shell /bin/rbash ${user}
        echo "set password for ${user}"
        echo ${PASS} | passwd ${user} --stdin
        if [ -d ${home} ]; then
                # deleting unneeded files
                files=".bashrc .bash_history .bash_logout .bash_profile  .emacs  .mozilla"
                for file in ${files}; do
                     rm -rfv ${home}/${file}
                done

               # creating bin dir and profile
                echo "export PATH=\$HOME/bin"> /home/$user/.profile
                echo "export PS1=\"[\u@\h \W]$ \"">> /home/$user/.profile

                mkdir ${home}/bin
                chmod -R 755 ${home}
                chown -R root:root ${home}
                chmod 750 ${home}/.profile
                chown root:${user} ${home}/.profile

                chmod 2070 /home/$user
                chown root:$user /home/$user

                # allowed specific commands only
                echo "creating symlinks for allowed commands.."
                for cmd in ${ALLOWED_CMDS}; do
                    ln -sv ${cmd} ${home}/bin/
                done
        fi
done
 -------------------------------------------

 [root@puppet tmp]# sh create_user.sh
 [root@puppet tmp]# su -l user
 [user@puppet ~]$ ping
 Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
 [user@puppet ~]$ ls
 -rbash: ls: command not found
 [user@puppet ~]$ cd
 -rbash: cd: restricted
 [user@puppet ~]$ pwd
 /home/user
 [user@puppet ~]$ ps
 PID TTY          TIME CMD
 9605 pts/1    00:00:00 rbash
 9629 pts/1    00:00:00 ps
 [user@puppet ~]$ killall
 Usage: killall [-Z CONTEXT] [-u USER] [ -eIgiqrvw ] [ -SIGNAL ] NAME...
 [user@puppet ~]$ nc
 -rbash: nc: command not found
 [user@puppet ~]$ nmap
 -rbash: nmap: command not found

Answer

不确定它是否适合您的环境，我在我的环境中使用它。想法是使用受限的 bash，清理 $PATH，保护 $PATH 并将 $PATH 设置为 $HOME/bin，然后您只需将您允许用户运行的所有二进制文件符号链接到 $HOME/bin。

 -------------------------------------------
#!/bin/bash

USERS="user"

PASS=secret
ALLOWED_CMDS="/bin/ping
/usr/bin/killall
/bin/ps
"

# creating restricted bash
ln -s /bin/bash /bin/rbash

for user in ${USERS}; do
        home=/home/${user}
        echo useradd --comment \"CDM user with restricted shell\" --home-dir ${home} --shell /bin/rbash ${user}
        useradd --comment "CDM user with restricted shell" --home-dir ${home} --shell /bin/rbash ${user}
        echo "set password for ${user}"
        echo ${PASS} | passwd ${user} --stdin
        if [ -d ${home} ]; then
                # deleting unneeded files
                files=".bashrc .bash_history .bash_logout .bash_profile  .emacs  .mozilla"
                for file in ${files}; do
                     rm -rfv ${home}/${file}
                done

               # creating bin dir and profile
                echo "export PATH=\$HOME/bin"> /home/$user/.profile
                echo "export PS1=\"[\u@\h \W]$ \"">> /home/$user/.profile

                mkdir ${home}/bin
                chmod -R 755 ${home}
                chown -R root:root ${home}
                chmod 750 ${home}/.profile
                chown root:${user} ${home}/.profile

                chmod 2070 /home/$user
                chown root:$user /home/$user

                # allowed specific commands only
                echo "creating symlinks for allowed commands.."
                for cmd in ${ALLOWED_CMDS}; do
                    ln -sv ${cmd} ${home}/bin/
                done
        fi
done
 -------------------------------------------

 [root@puppet tmp]# sh create_user.sh
 [root@puppet tmp]# su -l user
 [user@puppet ~]$ ping
 Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
 [user@puppet ~]$ ls
 -rbash: ls: command not found
 [user@puppet ~]$ cd
 -rbash: cd: restricted
 [user@puppet ~]$ pwd
 /home/user
 [user@puppet ~]$ ps
 PID TTY          TIME CMD
 9605 pts/1    00:00:00 rbash
 9629 pts/1    00:00:00 ps
 [user@puppet ~]$ killall
 Usage: killall [-Z CONTEXT] [-u USER] [ -eIgiqrvw ] [ -SIGNAL ] NAME...
 [user@puppet ~]$ nc
 -rbash: nc: command not found
 [user@puppet ~]$ nmap
 -rbash: nmap: command not found

限制一组用户的 SSH 命令

答案1

答案2

答案3

相关内容