Restrict User to rbash via SSH – How to Guide

bashssh

I would like to restrict some users on my server to only being able to execute certain commands. To do this, the most common approach that I could find is to use rbash.

While I can find many websites talking about rbash, I am having trouble to find any information how to use it right. The most common approach that I could find was to create a symlink from /bin/rbash to /bin/bash, set the restricted users’ login shell to /bin/rbash and then set a custom PATH in ~/.bash_profile in the user home directory.

However, I was quite shocked to find out that with this setup users can still copy files to the server using scp and they can even open an unrestricted shell by using ssh user@host -t bash! What seems to be happening is that the SSH server is passing the command to the login shell on the server using -c, so ssh user@host -t bash causes the server to run /bin/rbash -c bash, which works because .bash_profile is not executed yet to restrict the path. scp similarly causes the server to run /bin/rbash -c scp.

Now I have come across the ForceCommand directive of sshd. This directive basically always causes the configured command to be passed as -c to the login shell, ignoring any command that the client has specified. So if ForceCommand is set to rbash, that will always execute the command /bin/rbash -c rbash on the server, regardless whether the client was called with -t bash or as scp or whatever. Unfortunately, /bin/rbash -c rbash causes the .bash_profile not to be executed, so we end up with a restricted shell but a normal PATH, so we can just call bash there to escape it.

What I would like to achieve:

There should be no way to avoid the restricted shell for users connecting via SSH
Ideally, it would still be possible to execute commands that are permitted in the restricted shell by using ssh user@server permitted_command
The configuration should not be SSH-only, so users logging in for example on the TTY should also be restricted.

Best Answer

After experimenting with this for a while it seems to me that the root of the problem is that the security of rbash depends on PATH being set, but in most setups PATH is set after SSH specifies its custom commands, whereas it needs to be specified before.

As a solution, rather than specifying /bin/rbash (symlink to /bin/bash) as the login shell, I have created a shell script /usr/local/bin/rbash and used that as the login shell instead. The shell script has the following content:

#!/bin/bash -l
export PATH=/usr/local/rbin
exec /bin/bash -r "$@"

I also experimented with the SetEnv directive of sshd and tried to set the PATH there. However, I found this solution less practical because it sets the configuration only for SSH, and also it caused lots of errors while running /etc/profile, because the commands used there could not be found. Also, there seems to be a risk that some other sshd directives would allow the client to override certain environment variables again.

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Linux – SSH session logging

If you are using Linux or FreeBSD, check out sudosh2:

sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session as just like a VCR. Sudosh2 is a continuation of the development of sudosh.

This will store a log of all TTY input and output (all keystrokes, including backspaces and other control characters). The output can be stored on the local machine, or can be sent to another server using syslog.

You don't state if your engineers are SSHing from a central server, or if they are all connecting from their own workstations. sudosh2 is ideal for a central server, but might be harder to implement on dozens of workstations.

Some others have used rootsh, but I am not familiar with rootsh.

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Linux – SSH session logging

Related Topic