如何在登录后限制 SSH 用户使用一组预定义的命令? [英] How to restrict SSH users to a predefined set of commands after login?
问题描述
这是一个安全的想法.我们的员工应该可以访问 linux 服务器上的一些命令,但不是全部.他们将例如可以访问日志文件(less logfile)或启动不同的命令(shutdown.sh/run.sh).
This is a idea for a security. Our employees shall have access to some commands on a linux server but not all. They shall e.g. have the possibility to access a log file (less logfile) or start different commands (shutdown.sh / run.sh).
背景信息:
所有员工使用相同的用户名访问服务器:我们的产品以普通"用户权限运行,不需要安装".只需将其解压缩到您的用户目录中并运行它.我们管理安装"了我们的应用程序的几台服务器.每台机器上都有一个用户johndoe.我们的员工有时需要通过命令行访问应用程序以访问和检查日志文件或手动重新启动应用程序.只有部分人拥有完整的命令行访问权限.
All employees access the server with the same user name: Our product runs with "normal" user permissions, no "installation" is needed. Just unzip it in your user dir and run it. We manage several servers where our application is "installed". On every machine there is a user johndoe. Our employees sometimes need access to the application on command line to access and check log files or to restart the application by hand. Only some people shall have full command line access.
我们在服务器上使用 ppk 身份验证.
We are using ppk authentication on the server.
如果employee1 只能访问日志文件而employee2 也可以做X 等就好了...
It would be great if employee1 can only access the logfile and employee2 can also do X etc...
解决方案:作为解决方案,我将使用 accepted 答案中所述的 command 选项.我将制作自己的小 shell 脚本,该脚本将成为某些 员工可以执行的唯一文件.该脚本将提供几个可以执行的命令,但没有其他命令.我将在 authorized_keys 中使用以下参数,如此处所述:
Solution:
As a solution I'll use the command option as stated in the accepted answer. I'll make my own little shell script that will be the only file that can be executed for some employees. The script will offer several commands that can be executed, but no others. I'll use the following parameters in authorized_keys from as stated here:
command="/bin/myscript.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
ssh-dss AAAAB3....o9M9qz4xqGCqGXoJw= user@host
这对我们来说已经足够安全了.谢谢,社区!
This is enough security for us. Thanks, community!
推荐答案
您还可以将密钥限制为允许的命令(在authorized_keys 文件中).
You can also restrict keys to permissible commands (in the authorized_keys file).
即用户不会通过 ssh 登录然后拥有一组受限的命令,而只能通过 ssh 执行这些命令(例如ssh somehost bin/showlogfile")
I.e. the user would not log in via ssh and then have a restricted set of commands but rather would only be allowed to execute those commands via ssh (e.g. "ssh somehost bin/showlogfile")
这篇关于如何在登录后限制 SSH 用户使用一组预定义的命令?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
