Tuesday, January 18, 2011

Restricting SSH shell access to Debian server

Hello.

Still new to the whole Debian thing so bear with me.

The only thing I want a user logged in via SSH. No files or directories (like /etc, /var) should be visible at that point.

The only thing the user can do is to "su" to login into root and then administer the sytem.

This is done to increase security. Every little bit helps right?

Apparently chroot is not that secure (Saw an answer in here the said that. Can't seem to find the link tho).

From serverfault Cudos

  • You can use ForceCommand to avoid giving any shell access to the user.

     ForceCommand
         Forces the execution of the command specified by ForceCommand,
         ignoring any command supplied by the client and ~/.ssh/rc if pre-
         sent.  The command is invoked by using the user's login shell
         with the -c option.  This applies to shell, command, or subsystem
         execution.  It is most useful inside a Match block.  The command
         originally supplied by the client is available in the
         SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
         of ``internal-sftp'' will force the use of an in-process sftp
         server that requires no support files when used with
         ChrootDirectory.
    From Gleb

  • The only thing the user can do is to "su" to login into root and then administer the sytem.

    This is done to increase security. Every little bit helps right?

    wrong.

    if you want root to be able to login, you should just allow root to be able to login.

    logging in as a user and then doing su to become root is a very complex and less secure way of doing that:

    • in general anything may fail, so more steps you ask the user to make, more chances are that one step goes wrong (with "wrong" I mean you did not do something right and someone hacks your server)
    • you would be forcing to enter root password, while it could be considered much more secure to use ssh keys to login without having to enter any password. Or to use ssh keys AND having to enter their pass-phrase, for added security

    if you don't really know what you want, you'd better keep it simple and use standard programs written by people who do know what they are doing. It's clear you are not a security expert, hence consider that anything you may came up with has already been done by someone that is an expert, or has been discarded as worthless, or never occurred to them since it just does not make sense.

    you probably want to know how to use ssh-keygen and how to configure sshd_config.

    From Lo'oris

  • If you're really looking to limit access, then I'd suggest using sudo and enable only the commands necessary for this user to administer the applications you choose.

    From Eddy
Posted by Mu Cat at 5:56 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)