Provided by: restricted-ssh-commands_0.3-1_amd64
NAME
restricted-ssh-commands - Restrict SSH users to a predefined set of commands
SYNOPSIS
/usr/lib/restricted-ssh-commands [config]
DESCRIPTION
restricted-ssh-commands is intended to be called by SSH to restrict a user to running only specific commands. A list of allowed regular expressions can be configured in /etc/restricted-ssh-commands/. The requested command has to match at least one regular expression; otherwise it is rejected.

restricted-ssh-commands is useful for granting restricted access via SSH to perform only certain tasks. For example, it could allow a user to upload Debian packages via scp and run reprepro processincoming.

The optional config parameter is the name of the configuration inside /etc/restricted-ssh-commands/ that should be used. If config is omitted, the user name will be used.
USAGE
Create a configuration file in /etc/restricted-ssh-commands/$config and add the following entry, as a single line, to ~/.ssh/authorized_keys to use it:

    command="/usr/lib/restricted-ssh-commands",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]
EXIT STATUS
restricted-ssh-commands will exit with the exit status from the called command if the command is allowed and therefore executed. If the command is rejected, restricted-ssh-commands will exit with one of the following exit codes.

    124    A configuration file was found and contains at least one regular expression, but the requested command does not match any of those regular expressions.

    125    The configuration file is missing or does not contain any regular expressions. Thus all commands are rejected.
EXAMPLES
Imagine you have a Debian package repository on a host using reprepro and you want to allow package uploads to it. Assuming the user is reprepro and the package configuration is stored in /srv/reprepro, you would create the configuration file /etc/restricted-ssh-commands/reprepro containing these three regular expressions:

    ^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[^ /]*)?$
    ^chmod 0644 /srv/reprepro/incoming/[^ /]*$
    ^reprepro( -V)? -b /srv/reprepro processincoming foobar$
FILES
The configuration files are placed in /etc/restricted-ssh-commands/. Each line in the configuration file represents one POSIX extended regular expression (ERE). Lines starting with # are considered comments and are ignored. Empty lines (containing only whitespace) are ignored, too.
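The file format above and the codes from EXIT STATUS, combined into a dry-run checker for testing an allow-list before it is referenced from authorized_keys. This is an added example, not the package's own script: check_command and write_sample_config are hypothetical helpers, the sample configuration and requests are constructed, and no command is ever executed.

```shell
#!/bin/sh
# Added example: dry-run an allow-list in the FILES format; runs nothing.
# check_command CONFIG COMMAND -> 0 allowed, 124 no pattern matched,
# 125 config missing or without patterns (codes from EXIT STATUS).
check_command() {
    config=$1 command=$2 seen=0
    [ -r "$config" ] || return 125
    # grep works line by line, so this example never accepts a command
    # that contains a newline (a choice made here, not taken from the page).
    case $command in *'
'*) oneline=0 ;; *) oneline=1 ;; esac
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*) continue ;; esac   # comment line
        # Skip lines that hold nothing but whitespace.
        [ -n "$(printf '%s' "$line" | tr -d '[:space:]')" ] || continue
        seen=1
        if [ "$oneline" -eq 1 ] &&
           printf '%s\n' "$command" | grep -Eq -e "$line"; then
            return 0
        fi
    done < "$config"
    [ "$seen" -eq 1 ] && return 124
    return 125
}

# Constructed sample configuration, modelled on the EXAMPLES section.
write_sample_config() {
    cat > "$1" <<'EOF'
# upload into incoming, fix permissions, process the upload
^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[^ /]*)?$

^chmod 0644 /srv/reprepro/incoming/[^ /]*$
^reprepro( -V)? -b /srv/reprepro processincoming foobar$
EOF
}

# Demo: print the decision code for a few constructed requests.
cfg=$(mktemp)
write_sample_config "$cfg"
while IFS= read -r cmd; do
    rc=0; check_command "$cfg" "$cmd" || rc=$?
    printf '%3d  %s\n' "$rc" "$cmd"
done <<'EOF'
scp -p -t /srv/reprepro/incoming/foo_1.0_amd64.deb
chmod 0644 /srv/reprepro/incoming/foo_1.0_amd64.deb
chmod 0644 /srv/reprepro/incoming/../conf/distributions
reprepro -b /srv/reprepro processincoming foobar; id
EOF
rm -f "$cfg"
```

The last two requests come back as 124: the `[^ /]*` class refuses any further path separator, and the `$` anchor refuses anything appended after the permitted command.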
SEE ALSO
Regular expressions on http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_04_01.html

Section 9.4 Extended Regular Expressions (ERE) on http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html
AUTHOR
restricted-ssh-commands and this manpage have been written by Benjamin Drung <benjamin.drung@profitbricks.com>.