2

I need to lock down a system so that a group of individuals can log into the server via ssh.

When they log into ssh I would like them to be presented with a screen session and locked down to that single application. This is so the application can continue to run in the background, while nothing else from the command line can be run.

Any ideas? Maybe there is a better solution than screen?

Spectre

3 Answers

3

Consider dtach if all you want is the ability to have processes persist over user sessions. dtach is simply the "detaching" part of tools like screen and tmux boiled down to one small utility.

Brad Clawsie
  • Yeah, dtach is the program I was thinking of when I mentioned tmux (which doesn't support detaching on its own). Whoops, this screen user has faulty knowledge of the rest of the world… +1 for you. – ephemient Oct 30 '10 at 04:50
  • Nice, I actually found dtach right after I posted this. I'm going to try it out with a chrooted/forcecommand ssh session. – Spectre Oct 30 '10 at 04:52
1

Take a look at setting the command option in authorized_keys (look in the sshd man page under AUTHORIZED_KEYS). If the users log in with a key configured this way, the command specified will be run instead of the user's shell or anything they may have entered on their ssh command line. You can either set it to run screen as you wanted, or merely the application in question.

mark
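A check to go with the `command=` option described in the answer above, as an added example that is not code from any of the posters: it audits an authorized_keys file and reports keys that lack a forced command or OpenSSH's `restrict` option. The key material, user names and dtach socket path are constructed, and requiring `restrict` alongside `command=` is an assumption that goes beyond what the answer states.

```shell
#!/bin/sh
# Added example: audit authorized_keys so every key is pinned to one program.
# Each key should carry command="..." (forced command) and "restrict"
# (no forwarding, no pty unless re-enabled with "pty" after it).

# Constructed sample data; keys, users and paths are placeholders.
sample_keys() {
    cat <<'EOF'
# constructed sample authorized_keys
restrict,pty,command="/usr/bin/dtach -a /run/app/app.sock -E -z" ssh-ed25519 AAAAC3constructedkey1 alice
ssh-ed25519 AAAAC3constructedkey2 bob
command="/usr/bin/screen -x app" ssh-rsa AAAAB3constructedkey3 carol
no-pty,environment="NOTE=command=\"x\",restrict" ssh-rsa AAAAB3constructedkey4 dave
EOF
}

# Reads the file named in $1 (or stdin), prints one line per finding,
# returns 0 when every key is locked down and 1 otherwise.
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        gsub(/\\"/, "", line)                  # drop escaped quotes inside values
        gsub(/"[^"]*"/, "\"\"", line)          # blank quoted values (may hold spaces, commas)
        split(line, f, " ")
        # A line that starts with the key type has no options field at all.
        opts = (f[1] ~ /^(ssh-|ecdsa-|sk-)/) ? "" : tolower(f[1])
        if (opts !~ /(^|,)command=""/)    { print "line " NR ": no forced command"; bad = 1 }
        if (opts !~ /(^|,)restrict(,|$)/) { print "line " NR ": missing restrict"; bad = 1 }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Demo run on the constructed sample.
sample_keys | audit_authorized_keys || true
```

The last sample line shows why quoted values are blanked first: text that looks like `command=` or `restrict` inside an `environment="..."` value does not count as the option being set.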
0

Users can do pretty much anything once they enter screen. Ctrl-A :screen /bin/sh Enter and they have a shell; you can run screen as a different user and use :umask to prevent that, but users will still be able to read and write files (:readbuf, :writebuf), run commands (:exec), and so on.

tmux dtach is quite a lot simpler than screen.

ephemient
  • Yeah I don't really need a multi-screen session... just a session so it can stay in the background and easily be accessed by users. – Spectre Oct 30 '10 at 03:11