
#1 2022-05-27 08:59:14

solskog
Member
Registered: 2020-09-05
Posts: 321

restricted bash

I am trying using $HOME/.bash_profile with restricted bash

$ cat $HOME/.bash_profile 
$ exec /bin/bash -r
$

Will this be good enough to prevent login user from breaking out restricted shell?


#2 2022-05-27 09:15:33

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,347

Re: restricted bash

No. You can still call other programs which in turn can spawn a regular shell, should it be needed. Or even a regular bash script. What are you trying to do in the first place?


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby


#3 2022-05-27 09:46:26

solskog
Member
Registered: 2020-09-05
Posts: 321

Re: restricted bash

As a bastion host, the login user can only run a few safe binary commands located inside the home directory. No creation of files is allowed for the login user.
Also, nothing is on the $PATH:

$ echo $PATH
$


#4 2022-05-27 16:27:58

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 920

Re: restricted bash

Wouldn't it be a safer/better approach to use a combination of "command=safe_cmd_script.sh" in authorized_keys and the SSH_ORIGINAL_COMMAND to support multiple allowed commands? That way the user is technically never really logging into the bastion as a 'free' user and can only run specific commands. You could even take it a step further and have those users' /home on a read-only filesystem.


#5 2022-05-28 02:04:01

solskog
Member
Registered: 2020-09-05
Posts: 321

Re: restricted bash

'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!


#6 2022-05-28 08:29:32

sekret
Member
Registered: 2013-07-22
Posts: 248

Re: restricted bash

solskog wrote:

'SSH_ORIGIANL_COMMAND' I think this is the right approach, Thanks!

Just make sure you use it without the typo you produced here ;)


#7 2022-07-09 01:04:26

solskog
Member
Registered: 2020-09-05
Posts: 321

Re: restricted bash

I have been testing 'SSH_ORIGINAL_COMMAND' a while now. But what if I just change the user's login shell to the actual command instead?
No more ForceCommand /bin/command in sshd_config.

# cat /etc/passwd
ob1:x:yyy:zzz::/:/bin/command

Will this approach be more or less safe than 'SSH_ORIGINAL_COMMAND'?


#8 2022-07-09 08:11:54

seth
Member
Registered: 2012-09-03
Posts: 30,973

Re: restricted bash

If you don't restrict the ssh commands on the server, the user might still succeed at "ssh -t bastion /usr/bin/bash"


#9 2022-07-11 18:38:03

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 920

Re: restricted bash

solskog wrote:

No more ForceCommand /bin/command in sshd_config.

Afaik, you do not have to use ForceCommand in sshd_config, you can set it in authorized_keys for just that user?

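The two approaches discussed above (a `command=` forced command in authorized_keys that reads SSH_ORIGINAL_COMMAND, as in #4 and #9, and a custom login shell in /etc/passwd, as in #7 and #8) can be served by the same allow-list wrapper, because sshd delivers the client's request to both in a predictable way: a forced command sees it in SSH_ORIGINAL_COMMAND, and a login shell is invoked as `$SHELL -c '<request>'` (so seth's `ssh -t bastion /usr/bin/bash` arrives as the arguments `-c /usr/bin/bash`). The script below is an added example written for this thread, not code posted by any participant. The install path /usr/local/bin/ssh-dispatch, the user `ob1`, the allowed command names and /var/log/app.log are placeholders; the only sshd facts it relies on are SSH_ORIGINAL_COMMAND, the `-c` convention for login shells, and the `restrict` authorized_keys option.

```shell
#!/bin/sh
# ssh-dispatch: allow-list wrapper usable either as an authorized_keys forced
# command or as a user's login shell. Added example, not code from the thread.
#
# Assumed deployment (paths, key and command names are placeholders):
#   authorized_keys:  restrict,command="/usr/local/bin/ssh-dispatch" ssh-ed25519 AAAA... ob1@laptop
#   or /etc/passwd:   ob1:x:1001:1001::/:/usr/local/bin/ssh-dispatch
#
# The client's request is only ever compared against fixed strings below;
# it is never handed to a shell for evaluation (no eval, no "$req" in a
# command position), so "uptime; bash" or "$(bash)" simply fail to match.

# Map an exact client request to the program we are willing to run.
# Prints the resolved command line on success, returns 1 on anything else.
resolve_command() {
    case "$1" in
        uptime)  echo "/usr/bin/uptime" ;;
        df)      echo "/usr/bin/df -h /" ;;
        # "log N": the one parameter is checked to be decimal digits only.
        "log "[0-9]*)
            n="${1#log }"
            case "$n" in *[!0-9]*) return 1 ;; esac
            echo "/usr/bin/tail -n $n /var/log/app.log" ;;
        *)       return 1 ;;
    esac
}

# Work out what the client asked for, given how sshd invoked us.
# Empty output means the client wanted an interactive shell.
client_request() {
    if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then   # forced-command mode
        printf '%s' "$SSH_ORIGINAL_COMMAND"
    elif [ "$1" = "-c" ]; then                        # login-shell mode, remote command
        printf '%s' "$2"
    fi                                                 # login-shell mode, interactive: nothing
}

dispatch() {
    req="$(client_request "$@")"
    if [ -z "$req" ]; then
        echo "Interactive shells are not available on this host." >&2
        return 2
    fi
    resolved="$(resolve_command "$req")" || {
        printf 'rejected: %s\n' "$req" >&2
        logger -t ssh-dispatch "rejected from ${SSH_CONNECTION%% *}: $req"
        return 1
    }
    # Unquoted on purpose: the string was built from our own literals plus a
    # digit-checked number, so field splitting here cannot reach user input.
    exec $resolved
}

# Only dispatch when running under the installed name (sshd passes a leading
# "-" in argv[0] for login sessions). Sourcing the file, or running it under
# another name, just defines the functions.
case "$0" in
    */ssh-dispatch|ssh-dispatch|-ssh-dispatch) dispatch "$@" ;;
esac
```

Two caveats a bastion deployment still needs. First, neither the forced command nor the login shell governs port forwarding or agent forwarding; `restrict` in the authorized_keys entry (or `AllowTcpForwarding no` and `AllowAgentForwarding no` in sshd_config) does, and the login-shell variant on its own leaves forwarding open. Second, the `command=` option only holds if the user cannot edit their own authorized_keys, which is why the read-only /home suggested in #4 (or an `AuthorizedKeysFile` outside $HOME) matters; and, as Alad notes in #2, every program on the allow list must itself be free of shell escapes, so nothing that opens a pager or editor belongs there.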


Powered by FluxBB