On Fri, Dec 27, 2019 at 3:06 AM Giovanni Mascellani <[email protected]> wrote:
> Hi,
>
> Il 27/12/19 09:51, Carl Karsten ha scritto:
> > I like it because it is an easier file to edit. sound good?
>
> I believe you still have to edit authorized_keys to put the "restrict"
> option, otherwise a number of other authorizations are retained (see the
> man page), which I believe you don't want.
restrict,command="/bin/false" ssh-rsa AAAAB3Nza...
> Also, using ForceCommand will
> apply to all users, while I believe you still want to access that box
> with another user for administration.
>
>
It is just for the one user:
Match User {user}
    MaxSessions 60
    PasswordAuthentication no
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding yes
    PermitTunnel no
    PermitTTY no
    Banner none
    ForceCommand /bin/false
1. make the user's home dir owned by root: chown root: /home/user
2. add to the front of ~/.ssh/authorized_keys: restrict,command="/bin/false" ssh-rsa AAAAB3Nza...
https://salsa.debian.org/debconf-video-team/ansible/blob/0815be8485ead04766e20bae975160d7b936acdf/roles/sidedoor/README.md#securing-the-server-restrict-what-that-account-can-do
I think scp / sftp is still available (it is built into OpenSSH) so I was
hoping to restrict it to an 'empty' dir
ChrootDirectory %h
without this:
root@cnt1:/etc/sidedoor# scp -P 14322 config [email protected]:
lost connection
enable ChrootDirectory %h
root@cnt1:/etc/sidedoor# scp -P 14322 config [email protected]:
/bin/sh: No such file or directory
lost connection
I'm wondering what/where this is set: /bin/sh:
I am guessing the error is because /home/runr/bin/sh doesn't exist, but
this seems like a sloppy way to be secure.
> Giovanni.
> --
> Giovanni Mascellani <[email protected]>
> Postdoc researcher - Université Libre de Bruxelles
>
>
--
Carl K
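The point Giovanni raises above (a command= key without "restrict" keeps forwarding, PTY allocation and ~/.ssh/rc enabled) is easy to miss when a file has many entries. The following is an added example, not code from the thread or from the sidedoor role: a small Python checker that parses authorized_keys lines the way sshd(8) documents the format (optional comma-separated options, with double-quoted values that may contain spaces and commas, then key type, key and comment) and flags entries that lack "restrict" or "command=". Because sshd applies options in order, it also flags options such as "pty" that switch a capability back on after "restrict" has removed it. The sample file and its key blobs are constructed placeholders.

```python
"""Audit OpenSSH authorized_keys lines for the 'restrict' option.

Added example for this thread; not part of the original mail or of the
sidedoor role. Format rules follow the AUTHORIZED_KEYS FILE FORMAT section
of sshd(8): an optional options field, then key type, base64 key and an
optional comment. Option values may be double-quoted and may contain
spaces and commas; a backslash escapes a quote inside a quoted value.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
                     "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-")

# Options that switch a capability back on after 'restrict' turned it off.
REENABLING = {"pty", "port-forwarding", "agent-forwarding",
              "X11-forwarding", "user-rc"}


@dataclass
class Entry:
    key_type: str
    comment: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def _store(opts: Dict[str, Optional[str]], token: str) -> None:
    """Record one option token as name -> value (None for flag options)."""
    name, sep, value = token.partition("=")
    opts[name] = value if sep else None


def _split_options(text: str) -> Dict[str, Optional[str]]:
    """Split 'a,b="x, y",c' into {'a': None, 'b': 'x, y', 'c': None}."""
    opts: Dict[str, Optional[str]] = {}
    cur: List[str] = []
    quoted = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):
            cur.append(text[i + 1])   # escaped character inside quotes
            i += 2
            continue
        if ch == '"':
            quoted = not quoted       # quotes delimit; they are not part of the value
        elif ch == "," and not quoted:
            _store(opts, "".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        _store(opts, "".join(cur))
    return opts


def _options_end(line: str) -> int:
    """Index of the first whitespace outside double quotes."""
    quoted = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted:
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return i
        i += 1
    return len(line)


def audit_line(line: str) -> Optional[Entry]:
    """Parse one line; return None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = {}, line          # no options field at all
    else:
        end = _options_end(line)
        options, rest = _split_options(line[:end]), line[end:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    entry = Entry(key_type=parts[0],
                  comment=parts[2] if len(parts) == 3 else "",
                  options=options)
    if "restrict" not in options:
        entry.findings.append("missing 'restrict': forwarding, PTY allocation "
                              "and ~/.ssh/rc stay enabled")
    if "command" not in options:
        entry.findings.append("no command=: key grants an interactive login")
    if "restrict" in options:
        for name in sorted(options.keys() & REENABLING):
            entry.findings.append(f"'{name}' re-enables a capability that "
                                  f"'restrict' removed")
    return entry


def audit_file(text: str) -> List[Entry]:
    """Audit every non-comment line of an authorized_keys file."""
    return [e for e in (audit_line(l) for l in text.splitlines()) if e]


# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed sample authorized_keys
restrict,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER runr@sidedoor
command="/usr/bin/rrsync /backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER backup
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER admin@laptop
restrict,pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER oops
"""

if __name__ == "__main__":
    for e in audit_file(SAMPLE):
        status = "ok" if not e.findings else "; ".join(e.findings)
        print(f"{e.key_type:<12} {e.comment:<14} {status}")
```

One detail worth knowing about the "/bin/sh: No such file or directory" output above: sshd runs both a ForceCommand and a key's command= through the user's login shell (shell -c command), and inside a ChrootDirectory that path is resolved relative to the chroot. A chroot with no shell therefore cannot execute any forced command at all, which is why scp fails before it starts; the checker above only covers the authorized_keys side of that setup.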