
I want a user to ssh and only have access to my CLI. This is currently done by executing a command in .profile, which runs the CLI as another user (this is done in sudoers; they can only run the CLI as this user and nothing else). One issue I have is the user can still run commands with ssh, say bash, which is something I want to restrict. There's also an archive I want the user to be able to transfer with sftp. I'm thinking I'll just make another user and chroot them so they only have access to that one file. I looked into doing this with the same user, but chrooting them while still allowing them to use the CLI and restricting remote ssh commands seems like a nightmare. Sorry if this is confusing, I'm having trouble verbalizing all this and don't have much experience with this type of stuff.

In summary I basically want to:

- Allow a user to ssh, but only have access to my CLI
- Prevent the user from doing whatever else with ssh
- Allow transfer of a diagnostics archive

Anyone have some ideas on the best way to accomplish all this? Please let me know if there's any other information that would be helpful. Thanks!

  • Can you elaborate on the actions needed by the user? Are they uploading files, running which command? Can you replace the access with a cronjob? Why are you using sftp? If you restrict bash, then how will the user run any commands? – Ura Nov 22 '13 at 20:25
  • The user needs to be able to access my custom CLI via ssh (or maybe not ssh? I don't know what an alternative would be). No uploads, no other commands, but they need to be able to transfer one certain file off the machine. I thought only sftp worked with chroot, that's why I was planning to use it; again, I'm open to alternatives. They don't need to run any commands outside of starting up my CLI. – user2577911 Nov 22 '13 at 21:10


If a user logs in via ssh, s/he is locked in the chroot jail. I'm not sure what you have done, so the following may not help that much:

Try:

usermod -s /path/to/CLI username

/path has to be visible in the jail, and CLI has to be statically linked. If you use system() calls to do stuff with commands like ls - instead of using opendir(), dirent, etc. - then you have to have a separate visible /lib directory with libraries, and separate copies of the ls executable or other commands in a locally visible /usr/bin directory, for example. In this case CLI can be dynamically linked. Use the

ldd executablefilename

command to be sure you can see all libraries you need.

Consider looking at some chroot examples/tutorials on the web. Google for linux chroot jail

jim mcnamara
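The answer describes two mechanical steps: discovering with ldd which shared objects a binary needs so they can be copied into the jail, and keeping the sftp user confined. The script below is an added example that is not code from the answer or the question; it populates a jail directory with one executable plus the libraries ldd reports for it (no root needed for that part), checks that nothing is missing, and writes an sshd Match block that pins a dedicated transfer account to the jail with the built-in sftp server so that account cannot run commands at all. The account name "diaguser", the jail path and the output file are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Builds the file tree for a
# chroot jail from ldd output and emits an sshd_config Match block for a
# sftp-only account. Assumed layout: executables go in $JAIL/bin and each
# library keeps its original absolute path below the jail, e.g.
# /lib/x86_64-linux-gnu/libc.so.6 -> $JAIL/lib/x86_64-linux-gnu/libc.so.6.

# Print the absolute paths of the shared objects an executable needs.
# A statically linked binary prints nothing ("not a dynamic executable").
needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libfoo.so => /path/libfoo.so (0x...)
        $1 ~ /^\//               { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

# Copy an executable and every library it needs into the jail.
# usage: jail_install /path/to/jail /path/to/executable
jail_install() {
    jail=$1; exe=$2
    mkdir -p "$jail/bin"
    cp -L "$exe" "$jail/bin/"          # -L: copy the real file, not the symlink
    for lib in $(needed_libs "$exe"); do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}

# Return 0 only if the executable and all of its libraries are inside the jail.
# This is the scripted form of the answer's "use ldd to be sure you can see
# all libraries you need".
jail_check() {
    jail=$1; exe=$2
    [ -x "$jail/bin/$(basename "$exe")" ] || { echo "missing executable" >&2; return 1; }
    for lib in $(needed_libs "$exe"); do
        [ -f "$jail$lib" ] || { echo "missing $jail$lib" >&2; return 1; }
    done
    return 0
}

# Write a Match block for the transfer-only account. ForceCommand with
# internal-sftp means no shell and no remote command is ever started for
# this user, and ChrootDirectory confines what it can read. sshd requires
# the chroot directory itself to be owned by root and not group/world
# writable; that is a deployment step, not something this function does.
# usage: write_sftp_match /path/to/jail username /path/to/output.conf
write_sftp_match() {
    jail=$1; user=$2; out=$3
    cat > "$out" <<EOF
Match User $user
    ChrootDirectory $jail
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}
```

Usage: `jail_install /srv/jail /bin/ls`, `jail_check /srv/jail /bin/ls`, then `write_sftp_match /srv/jail diaguser /tmp/match.conf` and append that file to sshd_config (or drop it into sshd_config.d on OpenSSH versions that have Include). For the CLI account the answer's `usermod -s` approach applies: when a client runs `ssh host somecommand`, sshd executes the login shell as `shell -c somecommand`, so a CLI installed as the login shell that ignores `-c` never runs the requested command, and the same `Match User` pattern with `ForceCommand /path/to/CLI` enforces that at the sshd level as well.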