On Fri, Dec 27, 2019 at 3:06 AM Giovanni Mascellani <gio@debian.org> wrote:
> Hi,
> On 27/12/19 09:51, Carl Karsten wrote:
> > I like it because it is an easier file to edit. sound good?
> I believe you still have to edit authorized_keys to put the "restrict"
> option, otherwise a number of other authorizations are retained (see the
> man page), and I believe you don't want that.
restrict,command="/bin/false" ssh-rsa AAAAB3Nza...
> Also, using ForceCommand will
> apply to all users, while I believe you still want to access that box
> with another user for administration.
It is just for the one user:

Match User {user}
    MaxSessions 60
    PasswordAuthentication no
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding yes
    PermitTunnel no
    PermitTTY no
    Banner none
    ForceCommand /bin/false
- make the user's home dir owned by root:
chown root: /home/user
- add to the front of ~/.ssh/authorized_keys:
restrict,command="/bin/false" ssh-rsa AAAAB3Nza...
I think scp / sftp is still available (it is built into OpenSSH) so I was hoping to restrict it to an 'empty' dir:
ChrootDirectory %h
without this:
enable ChrootDirectory %h
root@cnt1:/etc/sidedoor# scp -P 14322 config runr@sd1.sytes.net:
/bin/sh: No such file or directory
lost connection
I'm wondering what/where this is set: /bin/sh:
I am guessing the error is because /home/runr/bin/sh doesn't exist, but this seems like a sloppy way to be secure.
> Giovanni.
> --
> Giovanni Mascellani <g.mascellani@gmail.com>
> Postdoc researcher - Université Libre de Bruxelles
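Giovanni's point that `command=` on its own leaves the other authorizations (port, agent and X11 forwarding, PTY allocation, ~/.ssh/rc) in place, and Carl's Match block, are the kind of thing worth checking mechanically rather than by reading the file. The following is an added example, not code from this thread or from the sidedoor package: a small Python audit of an authorized_keys file that parses the options field the way sshd(8) describes it (comma-separated, values double-quoted with backslash escapes, applied left to right) and reports what each key may still do under the sshd_config limits you pass in. The sample key lines and their blobs are constructed placeholders. One caveat the output makes visible: `restrict` also disables port forwarding regardless of `AllowTcpForwarding yes` in the Match block, so a key that has to carry the reverse tunnel needs `restrict,port-forwarding,command="..."` rather than `restrict,command="..."`.

```python
"""Audit OpenSSH authorized_keys entries for their effective restrictions.

Added example (not code from the thread or from sidedoor). The option grammar
follows sshd(8) AUTHORIZED_KEYS FILE FORMAT. All key material is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")

# option name -> (capability it touches, value it sets); sshd(8) semantics
TOGGLES = {
    "no-port-forwarding": ("port_forwarding", False), "port-forwarding": ("port_forwarding", True),
    "no-agent-forwarding": ("agent_forwarding", False), "agent-forwarding": ("agent_forwarding", True),
    "no-x11-forwarding": ("x11_forwarding", False), "x11-forwarding": ("x11_forwarding", True),
    "no-pty": ("pty", False), "pty": ("pty", True),
    "no-user-rc": ("user_rc", False), "user-rc": ("user_rc", True),
}


@dataclass
class KeyEntry:
    options: Dict[str, Optional[str]]  # insertion order preserved (left to right)
    key_type: str
    key_blob: str
    comment: str


def split_options(text: str) -> Dict[str, Optional[str]]:
    """Split 'a,b="x,y",c' into an ordered dict; quoted values may hold commas."""
    opts: Dict[str, Optional[str]] = {}
    i, n = 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in ",=":
            j += 1
        name, value = text[i:j].lower(), None
        if j < n and text[j] == "=":
            if j + 1 >= n or text[j + 1] != '"':
                raise ValueError(f"value of {name!r} must be double-quoted")
            k, buf = j + 2, []
            while k < n and text[k] != '"':
                if text[k] == "\\" and k + 1 < n:  # backslash escape inside quotes
                    k += 1
                buf.append(text[k])
                k += 1
            if k >= n:
                raise ValueError(f"unterminated quote in {name!r}")
            value, j = "".join(buf), k + 1
        opts[name] = value
        i = j + 1 if j < n and text[j] == "," else j
    return opts


def _first_field(line: str) -> Tuple[str, str]:
    """Return the first whitespace-delimited field, honouring double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_line(line: str) -> Optional[KeyEntry]:
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _first_field(line)
    if first in KEY_TYPES:  # no options field on this line
        options, rest = {}, line
    else:
        options = split_options(first)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"no key type found in: {line!r}")
    return KeyEntry(options, parts[0], parts[1], parts[2] if len(parts) == 3 else "")


def effective_capabilities(opts: Dict[str, Optional[str]], *, allow_tcp_forwarding: bool = True,
                           permit_tty: bool = True, x11_forwarding: bool = True) -> Dict[str, object]:
    """What a key may still do once its options and the sshd_config limits combine."""
    caps: Dict[str, object] = dict(port_forwarding=True, agent_forwarding=True,
                                   x11_forwarding=True, pty=True, user_rc=True)
    for name in opts:  # sshd applies options left to right, so order matters
        if name == "restrict":  # turns every capability off at once
            caps = {k: False for k in caps}
        elif name in TOGGLES:
            key, value = TOGGLES[name]
            caps[key] = value
    # Key options can only narrow what sshd_config (e.g. a Match block) permits.
    caps["port_forwarding"] = caps["port_forwarding"] and allow_tcp_forwarding
    caps["pty"] = caps["pty"] and permit_tty
    caps["x11_forwarding"] = caps["x11_forwarding"] and x11_forwarding
    caps["forced_command"] = opts.get("command")
    return caps


def audit(text: str, **sshd_limits: bool) -> List[Tuple[str, Dict[str, object], List[str]]]:
    """Per key: (comment, capabilities, warnings about authorizations still retained)."""
    report = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        caps = effective_capabilities(entry.options, **sshd_limits)
        warnings = []
        if caps["forced_command"] and "restrict" not in entry.options:
            retained = [k for k in ("port_forwarding", "agent_forwarding",
                                    "x11_forwarding", "pty", "user_rc") if caps[k]]
            if retained:
                warnings.append("command= without restrict; still allowed: " + ", ".join(retained))
        report.append((entry.comment, caps, warnings))
    return report


# Constructed sample file: placeholder key blobs, not real public keys.
SAMPLE_AUTHORIZED_KEYS = """\
# tunnel user keys (constructed sample)
restrict,command="/bin/false" ssh-rsa AAAAB3NzaEXAMPLEKEY1 tunnel-restricted
restrict,port-forwarding,command="/bin/false" ssh-ed25519 AAAAC3NzaEXAMPLEKEY2 tunnel-forwarding
command="/bin/false" ssh-ed25519 AAAAC3NzaEXAMPLEKEY3 forced-command-only
ssh-ed25519 AAAAC3NzaEXAMPLEKEY4 unrestricted
"""

if __name__ == "__main__":
    # Limits mirror the Match block above: AllowTcpForwarding yes, PermitTTY no, X11Forwarding no.
    for comment, caps, warnings in audit(SAMPLE_AUTHORIZED_KEYS, allow_tcp_forwarding=True,
                                         permit_tty=False, x11_forwarding=False):
        print(f"{comment:22} {caps}")
        for w in warnings:
            print(f"{'':22} WARNING: {w}")
```

Run against a real file with `audit(open(path).read(), ...)` and the limits taken from the relevant Match block. The first sample key shows the caveat from the lead-in: with plain `restrict,command=` the tunnel key ends up with port forwarding off even though the Match block allows it; the second key, with `port-forwarding` listed after `restrict`, keeps forwarding and nothing else.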