ssh & control groups
Iain Morgan
imorgan at nas.nasa.gov
Sat Jun 2 03:02:59 EST 2012
On Fri, Jun 01, 2012 at 02:50:41 -0500, Ondrej Valousek wrote:
> Hi List,
>
> I am looking for an option for sshd to start user's shell (when logging in interactively to a remote host) in a control group via cgexec -
> so for example:
>
> /bin/cgexec -g <username> /bin/bash
>
> This would be extremely handy on Linux terminal servers to control users' access to the system resources (protect system from a malicious
> user hogging the machine by running cpu/memory intensive applications).
>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>
Hello,

Unfortunately, OpenSSH doesn't support an option which could handle
this. The closest would be the ForceCommand option, but it does not have
the flexibility you need and the command is invoked with the user's
shell.

Something which I have been contemplating submitting as a feature
enhancement is a ForceShell option. The original motivation was to
provide a means of overriding a user's shell from within an
sshd_config(5) Match block. This could be used to conditionally force
the user's shell to something like authpf, scponly, mesh etc. If the
option supported macros such as %u (for the username) and %s (for the
user's original shell), it would probably meet your needs.

However, this only exists as a concept. I have not cut any code for this
and it will probably be a few months before I have an opportunity to do
so. And, since this is the first time I have mentioned this on the list,
I have no idea whether such a feature would be of interest to the
developers.
--
Iain Morgan
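
A wrapper for the existing ForceCommand option that approximates the request in this thread, as an added example that is not part of the original messages or of OpenSSH. The install path /usr/local/sbin/cg-session, the cpu,memory controller list and the users/<username> cgroup layout are assumptions; /bin/cgexec is the path quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread): start an SSH session in a per-user cgroup.
# Assumed sshd_config line:  ForceCommand /usr/local/sbin/cg-session
# The path, controller list and cgroup layout below are assumptions.

CG_CONTROLLERS="cpu,memory"
CG_PARENT="users"

# Accept only conservative login names so the name cannot change the
# cgroup path or be parsed as a cgexec option (no "/", "..", leading "-").
valid_user() {
    case "$1" in
        ""|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the "controllers:path" argument for cgexec -g, or fail.
cg_spec() {
    valid_user "$1" || return 1
    printf '%s:%s/%s\n' "$CG_CONTROLLERS" "$CG_PARENT" "$1"
}

# sshd sets SSH_ORIGINAL_COMMAND when the client asked for a command (scp, rsync, ...).
session_mode() {
    if [ -n "$1" ]; then echo command; else echo login; fi
}

main() {
    user=$(id -un) || exit 1
    spec=$(cg_spec "$user") || { echo "cg-session: refusing user name" >&2; exit 1; }
    shell=${SHELL:-/bin/sh}
    if [ "$(session_mode "${SSH_ORIGINAL_COMMAND:-}")" = command ]; then
        # Keep non-interactive requests working, inside the same cgroup.
        exec /bin/cgexec -g "$spec" "$shell" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec /bin/cgexec -g "$spec" "$shell" -l
}

# Run only when installed under the assumed name, so the functions can be sourced.
case "${0##*/}" in cg-session) main "$@" ;; esac
```

sshd still launches the wrapper through the user's own shell, as the reply above points out, and the user needs permission to attach tasks to the target cgroup for cgexec to succeed.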