I am trying to use $HOME/.bash_profile with restricted bash
$ cat $HOME/.bash_profile
$ exec /bin/bash -r
$
Will this be good enough to prevent the login user from breaking out of the restricted shell?
No. You can still call other programs which in turn can spawn a regular shell, should it be needed. Or even a regular bash script. What are you trying to do in the first place?
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
As a bastion host, the login user can only run a few safe binary commands located inside the home directory. No creation of files is allowed for the login user.
Also, nothing is on the $PATH.
$ echo $PATH
$
Wouldn't it be a safer/better approach to use a combination of "command=safe_cmd_script.sh" in authorized_keys and the SSH_ORIGINAL_COMMAND to support multiple allowed commands? That way the user is technically never really logging into the bastion as a 'free' user and can only run specific commands. You could even take it a step further and have that user's /home on a read-only filesystem.
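One way to write the forced-command wrapper suggested above, as an added example that is not part of the original thread. The script name safe_cmd_script.sh comes from the post; the install path, the `run` argument, the three allowed requests and the key placeholder are assumptions.

```sh
#!/bin/sh
# safe_cmd_script.sh: constructed example of an sshd forced-command wrapper.
# Hypothetical authorized_keys entry (key material is a placeholder):
#   command="/usr/local/bin/safe_cmd_script.sh run",restrict ssh-ed25519 <public-key> user
# sshd runs this script for every session opened with that key and places
# whatever the client asked for in SSH_ORIGINAL_COMMAND.

LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact
ACTION=""; UNIT=""

# Classify the requested command line. The request is only compared as a
# string; it is never eval'd, sourced or word-split.
classify_request() {
    ACTION=""; UNIT=""
    case "$1" in
        uptime) ACTION=uptime ;;
        disk)   ACTION=disk ;;
        "logs "*)
            # One parameter, rejected unless every character is expected.
            UNIT=${1#logs }
            case "$UNIT" in
                ""|-*|*[!A-Za-z0-9_.@-]*) UNIT=""; return 1 ;;
            esac
            ACTION=logs ;;
        *)
            # Covers the empty request, i.e. an interactive login attempt.
            return 1 ;;
    esac
}

# Act only when invoked as the forced command (the "run" argument above).
if [ "${1:-}" = "run" ]; then
    if classify_request "${SSH_ORIGINAL_COMMAND:-}"; then
        # Each action maps to a fixed argv with an absolute path.
        case "$ACTION" in
            uptime) exec /usr/bin/uptime ;;
            disk)   exec /usr/bin/df -h ;;
            logs)   exec /usr/bin/journalctl --no-pager -n 50 -u "$UNIT" ;;
        esac
    fi
    # Record the refusal without echoing the client-supplied string.
    logger -t safe_cmd "denied request from ${SSH_CONNECTION:-unknown}" 2>/dev/null || true
    echo "command not permitted" >&2
    exit 1
fi
```

A request such as `uptime; /bin/sh` matches none of the exact patterns and is refused, because the wrapper never hands the client's string to a shell for interpretation.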
'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!
'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!
Just make sure you use it without the typo you produced here