[kwlug-disc] Setting shell to a script
Tim Laurence
timdaman at gmail.com
Wed Sep 4 22:18:28 EDT 2019
By editing your authorized_keys file you can also force ssh to execute a
specific command on login. This will mean whenever a certain key is used it
will automatically launch a specified command such as the remote end of an
rsync client.
https://manpages.debian.org/buster/openssh-server/authorized_keys.5.en.html
Look for the 'command=' on the man page above to find the option that does
this.
--Tim
On Wed, Sep 4, 2019 at 5:55 PM Jason Eckert <jason.eckert at gmail.com> wrote:
> Have you tried using /sbin/nologin instead of /bin/false?
>
> On Wed, Sep 4, 2019 at 5:37 PM Paul Nijjar via kwlug-disc <
> kwlug-disc at kwlug.org> wrote:
>
>> My websearching skills are failing me on this, so I will ask you smart
>> people.
>>
>> I have an account that is kind of a service account (humans will not
>> log into that account) but will be used for rsync via ssh. For
>> security I would prefer that this account be locked down.
>>
>> I had set the shell of the user to /bin/false, but then ssh does not
>> work.
>>
>> I am using a whitelist script I documented here:
>> http://pnijjar.freeshell.org/2015/lock-rsync/
>>
>> Now I am wondering if there is more I can do to lock down the account.
>> Setting the shell to /bin/rbash is not helpful unless I lock down a
>> bunch of other things. There is an rssh shell that I have read about,
>> but I have not tried it yet.
>>
>> One thing I am considering is actually setting the shell for the user
>> to my whitelist script, which is a python executable. Is this a
>> promising idea or a terrible one?
>>
>> - Paul
>>
>> --
>> Get tech event listings: https://off-topic.kwlug.org/watcamp
>> Blog: http://pnijjar.freeshell.org
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>
>
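
The `command=` option pointed to above, as an added example that is not part of the original messages: a forced-command wrapper that lets one key run only the server side of rsync. The install path `/usr/local/bin/rsync-only`, the backup root `/srv/backup/` and the key material are assumptions, and the option allowlist is deliberately narrow.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for an rsync-only key.
# Assumed install path /usr/local/bin/rsync-only and assumed backup root below.
# authorized_keys entry, one line (key material is a placeholder):
#   command="/usr/local/bin/rsync-only",restrict ssh-ed25519 AAAA...PLACEHOLDER backup-client
# sshd runs this script whatever the client asked for and passes the
# client's request in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL
ALLOWED_ROOT="/srv/backup/"

# check_request CMD: return 0 only for "rsync --server ..." whose every
# argument is a known option or a path under ALLOWED_ROOT.
check_request() {
    case $1 in "rsync --server "*) ;; *) return 1 ;; esac
    set -f; set -- ${1#"rsync --server "}; set +f   # split words, no globbing
    paths=0
    for w in "$@"; do
        case $w in
            --sender|.) ;;                         # pull mode / rsync's dummy arg
            -*[!A-Za-z.]*) return 1 ;;             # long or odd options: deny
            -?*) ;;                                # short option bundle
            *..*|*[!A-Za-z0-9._/-]*) return 1 ;;   # traversal, odd characters
            "$ALLOWED_ROOT"*) paths=$((paths + 1)) ;;
            *) return 1 ;;
        esac
    done
    [ "$paths" -ge 1 ]
}

main() {
    if check_request "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                         # arguments reach rsync literally
        exec $SSH_ORIGINAL_COMMAND     # word-split only; no shell parses it
    fi
    echo "rsync-only: request denied" >&2
    return 1
}

# SSH_CONNECTION is set by sshd for every session; outside sshd do nothing.
if [ -n "${SSH_CONNECTION:-}" ]; then main; exit $?; fi
```

With this wrapper as the forced command, the account's login shell has to remain a real shell such as /bin/sh, because sshd starts the forced command through the user's shell.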