Configurable restrictions
Darren Tucker
dtucker at zip.com.au
Sat Jan 20 16:26:26 EST 2007
Jonathan Miles wrote:
> Today I modified OpenSSH so that it allows me to configure in a generic
> way, restrictions on what server functions can be used by system users
> after they authenticate. The partial implementation of my plans only
> works for SSH2, but allows me to write entries like the following in
> sshd_config:
>
> ChannelReqDeny shell g restricted
> ChannelReqDeny exec g restricted
> ChannelReqDeny x11-req u *
>
> ... to deny access to those channel requests for group 'restricted'.
>
> Using my modified sftp-server, I can also write this:
>
> Subsystem sftp /path/to/sftp-server
> SetIf g restricted Subsystem sftp /path/to/sftp-server --chroot
>
> ... and anyone in the same group is jailed to the cwd, i.e. their home
> directory.
>
> The above works fine, but I want to expand it further. Bearing in mind
> that 2 days ago I'd never before looked at the SSH code or the RFCs, I
> thought I'd get some feedback from people on this list.
>
> What do you think? Are these features useful for other people? Am I
> taking the right approach?
You should have a look at the Match directive that's in 4.4 and up,
which provides a general mechanism for matching users, groups, networks
and hosts. It works similarly to the Hosts directive in ssh_config.
Your example above would be:
Match Group restricted
ChannelReqDeny shell
ChannelReqDeny exec
(and so on).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list