How to prevent users from logging in via ssh manually?
I have a script that connects to a remote server with the key. However, I don't want people to log in to the server by typing the ssh command, but the script should work.
Edit: The script initiates a remote port forward. It contains the normal ssh -R command with all required parameters, and also sets up a pseudo terminal with -t, starting a script on the remote server and passing some variables. The script on the remote server checks the variable sent via -t and decides whether to accept the port forward connection or just close the ssh connection.
linux ssh
asked yesterday (edited yesterday) by Sathvik K S
And what are people doing on the remote server? Shell access? Or running a specific program?
– Daniel B
yesterday
The script they run is to set up a remote port forward. That's why I don't want them to log in to the server and execute any sort of commands.
– Sathvik K S
yesterday
3 Answers
You can perhaps replace the script by a binary that decrypts a key on the fly. That would make it harder (but not impossible) to capture the key for other purposes.
If there is only one thing to run on the server, you can try to make that a script that is defined as their login shell.
But IMHO it is safer to write a small web server that runs the actions on the server, with the local script doing curl calls to it.
answered yesterday by xenoid
Another solution would be to restrict the amount of access that the ssh user you are using to connect has. So even if they do connect, they can't do anything. You could do this by creating a new user and setting up correct permissions for just this connection. Additionally, you could set up a virtual environment on your server for that user that is isolated from the rest of your server. If you don't set up a virtual environment, you would need to do a security audit on your files to make sure there aren't any 'everybody' permissions on files/directories that would be available to this user.
answered yesterday by Davey (New contributor)
I did edit /etc/passwd to set the user's login shell to rbash. However, people can still type commands (although they won't work) and get errors like "command not found" or something like that.
– Sathvik K S
yesterday
If you want users to only be able to use port forwarding, you should be setting up restrictions on the server.
As discussed here on Ubuntu Stack Exchange:

    Match Group some-group
        #AllowTcpForwarding yes
        X11Forwarding no
        PermitTunnel no
        GatewayPorts no
        AllowAgentForwarding no
        PermitOpen localhost:62222
        ForceCommand echo 'This account can only be used for port forwarding'

Users in the UNIX group some-group will then not be able to do anything but use port forwarding to localhost:62222. ssh must be invoked with -N ("Do not execute a remote command.") because otherwise ForceCommand will take effect and kill the connection.
If you want remote port forwarding, you need to use PermitListen instead of PermitOpen and an appropriate GatewayPorts option.
answered 17 hours ago by Daniel B
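Putting the two threads together (the asker's remote script that checks a variable before accepting the forward, and Daniel B's PermitListen/ForceCommand restriction), here is an added example of a ForceCommand gate script; it is not code from this thread. The group name tunnel-only, the script path /usr/local/bin/tunnel-gate, the token file /etc/tunnel-gate/token and the client-side target port are assumptions; the port 62222 is the one from the answer.

```shell
#!/bin/sh
# Added example, not code from the Super User thread: a ForceCommand "gate"
# for an account that may only open a remote port forward. sshd runs this
# script instead of a shell; it keeps the session (and so the -R tunnel) up
# only when the client asked for exactly "tunnel <token>", and exits otherwise,
# which closes the connection. The group, path and token file below are
# assumptions, not from the page.
#
# Assumed sshd_config block (PermitListen restricts what -R may bind):
#
#   Match Group tunnel-only
#       AllowTcpForwarding remote
#       PermitListen 62222
#       GatewayPorts no
#       PermitTTY no
#       X11Forwarding no
#       PermitTunnel no
#       AllowAgentForwarding no
#       ForceCommand /usr/local/bin/tunnel-gate
#
# The client script then runs (local target port 22 is an assumption):
#   ssh -R 62222:localhost:22 user@server "tunnel $TOKEN"
# and sshd hands the quoted string to us in SSH_ORIGINAL_COMMAND. A plain
# interactive "ssh user@server" leaves SSH_ORIGINAL_COMMAND unset and is rejected.

# check_request REQUEST EXPECTED_TOKEN -> 0 if REQUEST is "tunnel EXPECTED_TOKEN"
check_request() {
    case "$1" in
        "tunnel $2") return 0 ;;
        *)           return 1 ;;
    esac
}

# decide REQUEST EXPECTED_TOKEN -> prints "hold" or "reject".
# An empty token (missing token file) rejects everything rather than matching "tunnel ".
decide() {
    if [ -n "$2" ] && check_request "$1" "$2"; then
        echo hold
    else
        echo reject
    fi
}

gate_main() {
    expected=$(cat /etc/tunnel-gate/token 2>/dev/null || true)
    client=${SSH_CONNECTION%% *}   # first field of SSH_CONNECTION is the client IP
    case "$(decide "${SSH_ORIGINAL_COMMAND:-}" "$expected")" in
        hold)
            logger -t tunnel-gate "tunnel accepted from $client"
            # No shell, no command: just keep the session open until the client
            # disconnects (sshd then sends SIGHUP and the loop dies with it).
            while :; do sleep 3600; done ;;
        *)
            logger -t tunnel-gate "rejected request from $client: ${SSH_ORIGINAL_COMMAND:-<none>}"
            exit 1 ;;
    esac
}

# Only act as the gate when invoked by sshd under its installed name, so the
# functions above can be sourced and exercised without an SSH session.
case "$0" in
    */tunnel-gate) gate_main ;;
esac
```

The token only distinguishes the script's connections from a casual interactive login; anyone who can read the client script can read the token, so the sshd_config restrictions (no TTY, no agent or X11 forwarding, PermitListen on one port) are what actually limit what the account can do.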