Provided by: restricted-ssh-commands_0.4-1_all

NAME

       restricted-ssh-commands - Restrict SSH users to a predefined set of commands

SYNOPSIS

       /usr/lib/restricted-ssh-commands [config]

DESCRIPTION

       restricted-ssh-commands is intended to be called by SSH (as a forced command in authorized_keys) to
       restrict a user to running only specific commands. A list of allowed regular expressions can be
       configured in /etc/restricted-ssh-commands/. The requested command, which sshd passes to a forced
       command in the SSH_ORIGINAL_COMMAND environment variable, has to match at least one regular
       expression. Otherwise it will be rejected.

       restricted-ssh-commands is useful to grant restricted access via SSH for only certain tasks. For
       example, it could allow a user to upload Debian packages via scp and run reprepro processincoming.

       The optional config parameter is the name of the configuration inside /etc/restricted-ssh-commands/ that
       should be used. If config is omitted, the user name will be used.

USAGE

       Create a configuration file /etc/restricted-ssh-commands/$config and add the following line to
       ~/.ssh/authorized_keys to use it (shown here wrapped for readability; in authorized_keys the options
       and the key must be on a single line):

           command="/usr/lib/restricted-ssh-commands",no-port-forwarding,\
           no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]

       To enable debug output, set the RSC_VERBOSE environment variable to a nonzero value, e.g. by adding it to
       authorized_keys:

           command="RSC_VERBOSE=1 /usr/lib/restricted-ssh-commands"

EXIT STATUS

       restricted-ssh-commands will exit with the exit status from the called command if the command is allowed
       and therefore executed. If the command is rejected, restricted-ssh-commands will exit with one of the
       following exit codes.

       124     A configuration file was found and contains at least one regular expression, but the requested
               command does not match any of those regular expressions.

       125     The configuration file is missing or does not contain any regular expressions.  Thus all commands
               are rejected.

EXAMPLES

       Imagine you have a Debian package repository on a host using reprepro and you want to allow package
       upload to it. Assuming the user is reprepro and the package configuration is stored in /srv/reprepro, you
       would create the configuration file /etc/restricted-ssh-commands/reprepro containing these three regular
       expressions:

           ^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[-a-z0-9+~_.]*[-a-z0-9+~_])?$
           ^chmod 0644( /srv/reprepro/incoming/[-a-z0-9+~_.]*[-a-z0-9+~_])+$
           ^reprepro( -V)? -b /srv/reprepro processincoming foobar$

SECURITY NOTES

       It is dangerous and not recommended to use negative bracket expressions (like [^ /]). Characters
       like CR, LF, $, &, ;, ( and ) are still accepted by such an expression and can be abused to execute
       arbitrary commands, because the matched string is interpreted by a shell. For example, the rule

           ^echo [^ /]+$

       can be abused to execute these commands

           echo foo&echo owned
           echo foo&rm -rf $(printf "\x2f")

       where a TAB is used instead of spaces after the first ampersand: the bracket expression excludes
       space and slash, but not TAB, & or $(...), and printf "\x2f" produces the excluded slash. Therefore
       only use positive bracket expressions (like [a-z]).

FILES

       The configuration files are placed in /etc/restricted-ssh-commands/. Each line in a configuration
       file is one POSIX extended regular expression (ERE). Lines starting with # are treated as comments
       and ignored. Empty lines and lines containing only whitespace are ignored, too.
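       The decision logic described in DESCRIPTION, EXIT STATUS and FILES, together with the reprepro rules
       from EXAMPLES and the two kinds of bracket expression from SECURITY NOTES, exercised by a small shell
       re-implementation. This is an added example and not the project's own code: rsc_check and
       rsc_sample_configs are hypothetical names, the configuration texts and requests are constructed here,
       it only decides and never executes anything, and the rejection of requests containing CR or LF is an
       added defensive check that the manpage does not describe.

```bash
#!/bin/sh
# Added example (not restricted-ssh-commands itself): decide whether a requested
# command would be allowed by a config file in the format described in FILES.
# Exit codes mirror EXIT STATUS: 0 allowed, 124 no regex matched, 125 config
# missing or without regular expressions. Assumes grep -E (ERE) matching.

# rsc_check CONFIG COMMAND
rsc_check() {
    local config="$1" cmd="$2" re matched=0 count=0 nl cr
    [ -r "$config" ] || return 125
    while IFS= read -r re || [ -n "$re" ]; do
        case "$re" in
            '#'*) continue ;;                                   # comment line
        esac
        [ -n "$(printf '%s' "$re" | tr -d ' \t')" ] || continue # blank/whitespace-only line
        count=$((count + 1))
        if printf '%s\n' "$cmd" | grep -E -q -e "$re"; then
            matched=1
        fi
    done < "$config"
    [ "$count" -gt 0 ] || return 125
    # Added check: grep matches line by line, so a request containing a newline or
    # carriage return could pass on its first line alone. Reject it outright.
    nl=$(printf '\nx'); nl=${nl%x}
    cr=$(printf '\rx'); cr=${cr%x}
    case "$cmd" in
        *"$nl"*|*"$cr"*) return 124 ;;
    esac
    [ "$matched" -eq 1 ] || return 124
    return 0
}

# Write constructed sample configs into a temporary directory and print its path.
rsc_sample_configs() {
    local dir
    dir=$(mktemp -d)
    # The reprepro rules from EXAMPLES, plus a comment and a blank line to exercise FILES
    cat > "$dir/reprepro" <<'EOF'
# allow uploads into the incoming queue and processing them
^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[-a-z0-9+~_.]*[-a-z0-9+~_])?$

^chmod 0644( /srv/reprepro/incoming/[-a-z0-9+~_.]*[-a-z0-9+~_])+$
^reprepro( -V)? -b /srv/reprepro processincoming foobar$
EOF
    printf '%s\n' '^echo [^ /]+$'   > "$dir/negative"   # dangerous rule from SECURITY NOTES
    printf '%s\n' '^echo [a-z0-9]+$' > "$dir/positive"   # positive bracket expression instead
    printf '%s\n' '# nothing allowed yet' > "$dir/empty"  # comments only: no regexes at all
    echo "$dir"
}

# Demonstration: print the verdict for a few constructed requests.
demo_dir=$(rsc_sample_configs)
for req in 'scp -p -t /srv/reprepro/incoming/foo_1.0-1_amd64.deb' \
           'scp -p -t /srv/reprepro/../etc/passwd' \
           'reprepro -b /srv/reprepro processincoming foobar; id'; do
    rc=0; rsc_check "$demo_dir/reprepro" "$req" || rc=$?
    printf '%3d  %s\n' "$rc" "$req"
done
rm -rf "$demo_dir"
```

       In a real deployment the second argument would come from SSH_ORIGINAL_COMMAND and the config name
       from the user name or the optional config parameter; the function above takes both explicitly so the
       rules can be tested from a normal shell before they are wired into authorized_keys.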

SEE ALSO

       Regular expressions on http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_04_01.html

       Section 9.4 Extended Regular Expressions (ERE) on
       http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html

AUTHOR

       restricted-ssh-commands and this manpage have been written by Benjamin Drung
       <benjamin.drung@profitbricks.com>.