I am trying to use $HOME/.bash_profile with restricted bash
$ cat $HOME/.bash_profile
$ exec /bin/bash -r
$
Will this be good enough to prevent the login user from breaking out of the restricted shell?
Last edited by solskog (2022-10-08 13:40:18)
No. You can still call other programs which in turn can spawn a regular shell, should it be needed. Or even a regular bash script. What are you trying to do in the first place?
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
As a bastion host, the login user can only run a few safe binary commands located inside the home directory. No creation of files is allowed for the login user.
Also, nothing is on the $PATH
$ echo $PATH
$
Wouldn't it be a safer/better approach to use a combination of "command=safe_cmd_script.sh" in authorized_keys and the SSH_ORIGINAL_COMMAND to support multiple allowed commands? That way the user is technically never really logging into the bastion as a 'free' user and can only run specific commands. You could even take it a step further and have those users' /home on a read-only filesystem.
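The wrapper suggested in the post above, as an added example that is not part of the thread: it matches SSH_ORIGINAL_COMMAND against a fixed table and never evaluates the client's text. The script path, the three request names and the key line in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/safe_cmd_script.sh, referenced from the user's
# authorized_keys (the key material below is a placeholder):
#   command="/usr/local/bin/safe_cmd_script.sh",restrict ssh-ed25519 AAAA...placeholder ob1
# sshd runs this script for every session using that key and stores whatever
# the client asked for in SSH_ORIGINAL_COMMAND.

# Map a request to a fixed command line. Only exact matches pass, so a
# request such as "uptime; /usr/bin/bash" is rejected as a whole.
resolve_command() {
    case "$1" in
        uptime)     printf '%s\n' '/usr/bin/uptime' ;;
        disk-usage) printf '%s\n' '/usr/bin/df -h /' ;;
        who)        printf '%s\n' '/usr/bin/who' ;;
        *)          return 1 ;;
    esac
}

# Run an allowed request, or log and refuse anything else.
run_request() {
    if cmdline=$(resolve_command "$1"); then
        # Word splitting is intended: cmdline comes from the table above,
        # never from the client.
        set -- $cmdline
        exec "$@"
    fi
    command -v logger >/dev/null 2>&1 &&
        logger -t safe_cmd_script "rejected: $1"
    printf '%s\n' 'request not allowed' >&2
    return 1
}

# A plain "ssh bastion" login leaves the variable unset: nothing runs, the
# script ends and the session closes without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_request "$SSH_ORIGINAL_COMMAND"
    exit
fi
```

With this in place, the "ssh -t bastion /usr/bin/bash" request mentioned later in the thread reaches the wrapper as the string "/usr/bin/bash", matches nothing in the table and is refused.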
'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!
> 'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!
Just make sure you use it without the typo you produced here
I have been testing 'SSH_ORIGINAL_COMMAND' a while now. But what if I just change the user's login shell to the actual command instead?
No more ForceCommand /bin/command in sshd_config.
# cat /etc/passwd
ob1:x:yyy:zzz::/:/bin/command
Will this approach be more or less safe than 'SSH_ORIGINAL_COMMAND'?
If you don't restrict the ssh commands on the server, the user might still succeed at "ssh -t bastion /usr/bin/bash"
> No more ForceCommand /bin/command in sshd_config.
Afaik, you do not have to use ForceCommand in sshd_config, you can set it in authorized_keys for just that user?