DOKK / manpages / debian 12 / restricted-ssh-commands / restricted-ssh-commands.1.en
RESTRICTED-SSH-COMMANDS(1) RESTRICTED-SSH-COMMANDS(1)

restricted-ssh-commands - Restrict SSH users to a predefined set of commands

/usr/lib/restricted-ssh-commands [config]

restricted-ssh-commands is intended to be called by SSH to restrict a user to only run specific commands. A list of allowed regular expressions can be configured in /etc/restricted-ssh-commands/. The requested command has to match at least one regular expression. Otherwise it will be rejected.

restricted-ssh-commands is useful to grant restricted access via SSH to do only certain task. For example, it could allow a user to upload a Debian packages via scp and run reprepro processincoming.

The optional config parameter is the name of the configuration inside /etc/restricted-ssh-commands/ that should be used. If config is omitted, the user name will be used.

Create a configuration file in /etc/restricted-ssh-commands/$config and add following line to ~/.ssh/authorized_keys to use it

    command="/usr/lib/restricted-ssh-commands",no-port-forwarding,\
    no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]

To enable debug output, set the RSC_VERBOSE environment variable to a nonzero value, e.g. by adding it to authorized_keys:

    command="RSC_VERBOSE=1 /usr/lib/restricted-ssh-commands"

restricted-ssh-commands will exit with the exit status from the called command if the command is allowed and therefore executed. If the command is rejected, restricted-ssh-commands will exit with one of the following exit codes.

124
A configuration file was found and contains at least one regular expression, but the requested command does not match any of those regular expressions.
125
The configuration file is missing or does not contain any regular expressions. Thus all commands are rejected.

Imagine you have a Debian package repository on a host using reprepro and you want to allow package upload to it. Assuming the user is reprepro and the package configuration is stored in /srv/reprepro, you would create the configuration file /etc/restricted-ssh-commands/reprepro containing these three regular expressions:

    ^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[-a-z0-9+~_.]*[-a-z0-9+~_])?$
    ^chmod 0644( /srv/reprepro/incoming/[-a-z0-9+~_.]*[-a-z0-9+~_])+$
    ^reprepro ( -V)? -b /srv/reprepro processincoming foobar$

It is dangerous and not recommended to use negative bracket expressions (like [^ /]). Characters like CR LF $ & ; ( ) and so on can be abused to execute arbitrary commands. For example, the rule

    ^echo [^ /]$

can be abused to execute these commands

    echo foo&echo owned
    echo foo&rm -rf $(printf "\x2f")

where a TAB is used instead of spaces after the first ampersand. Therefore only use positive bracked expressions (like [a-z]).

The configuration files are placed in /etc/restricted-ssh-commands/. Each line in the configuration file represents one POSIX extended regular expression (ERE). Lines starting with # are considered as comments and are ignored. Empty lines (containing only whitespaces) are ignored, too.

Regular expressions on http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_04_01.html

Section 9.4 Extended Regular Expressions (ERE) on http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html

restricted-ssh-commands and this manpage have been written by Benjamin Drung <benjamin.drung@profitbricks.com>.

2017-09-29 restricted-ssh-commands