The environment is Ubuntu Server 12.04.
I would like to create a user on a server that is only able to ssh into a shell that runs tail -f on a log file and closes the session once the program ends (ctrl+c).
Is there a way to achieve this?
ssh forced commands spring to mind if you're happy to use keypair based authentication.
man authorized_keys
/command=
To be pedantic, it won't be ctrl+c, but SIGHUP (closer to ctrl+d) that kills the app.
You can put essentially whatever you want in the user's shell in /etc/passwd. Simply replace the default on the user's passwd line (probably /bin/bash) with another program. That program can be a script, such as /usr/bin/tail_log_file, with these contents, owned by root:root, with umode 0755:
#!/bin/rbash
tail -f /path/to/logfile
You can use some interpreter other than rbash, but it is advisable to use a restricted shell in such cases.
To be extremely pedantic about it, you should add the script's path to /etc/shells, but I usually find it works anyway.
Keep in mind also that the user could potentially put the script in the background, or use some options (ssh username@host bash) and still acquire a shell. If you want to restrict the user in such ways, good filesystem permissions are the only real solution.
You can configure ssh to run a command of your choice when you log in using public key authentication. To do this, generate a pair of keys:
djs@sardinia:~$ ssh-keygen -f restricted-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in restricted-key.
Your public key has been saved in restricted-key.pub.
The key fingerprint is:
b1:8f:26:47:c2:c5:f2:8d:ed:a0:c4:bd:9a:30:9d:08 djs@sardinia
[...]
restricted-key.pub contains a line suitable for putting in the user's ~/.ssh/authorized_keys file:
ssh-rsa AAAA...UDz47Nl djs@sardinia
but you can add a command to this, and ssh will run that command when logging in with the key:
command="tail -f /my/interesting/file" ssh-rsa AAAA...UDz47Nl djs@sardinia
Then the user can ssh to the machine using ssh -i restricted-key.
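An added example, not part of the answer above or of OpenSSH: per sshd(8), a client holding a command= key can still request TCP and X11 forwarding unless the key's options prohibit it, so this Python audit parses the options field of an authorized_keys line and reports a missing forced command or missing no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty options. The function names and sample lines are constructed for illustration; the key blob is the elided one from the page.

```python
# Audit authorized_keys lines for a forced command plus forwarding/pty limits.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# OpenSSH 7.2+ also accepts the single option "restrict" in place of these four;
# this check does not look for options that re-enable a feature after "restrict".
LOCKDOWN = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}

# Constructed samples; the key blob is the elided one shown on the page.
PLAIN = 'ssh-rsa AAAA...UDz47Nl djs@sardinia'
FORCED = 'command="tail -f /my/interesting/file" ' + PLAIN
HARDENED = ('command="tail -f /my/interesting/file",no-port-forwarding,'
            'no-X11-forwarding,no-agent-forwarding,no-pty ' + PLAIN)


def split_options(line):
    """Return (options dict, rest of line); quoted values may hold spaces and commas."""
    if line.split(None, 1)[0].startswith(KEY_TYPES):
        return {}, line  # line starts with the key type: no options field
    opts, buf, in_quote, i = {}, "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 2  # \" inside a quoted value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in ", \t":
            name, _, value = buf.partition("=")
            opts[name.lower()] = value  # option names are case-insensitive
            buf = ""
            if ch != ",":
                break  # unquoted whitespace ends the options field
        else:
            buf += ch
        i += 1
    return opts, line[i:].strip()


def audit(line):
    """Return findings for one authorized_keys line; an empty list means restricted."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    opts, _ = split_options(line)
    findings = [] if "command" in opts else ["no forced command"]
    if "restrict" not in opts:
        findings += ["missing " + o for o in sorted(LOCKDOWN - set(opts))]
    return findings


if __name__ == "__main__":
    for sample in (PLAIN, FORCED, HARDENED):
        print(audit(sample) or "restricted", "<-", sample[:45])
```

On Ubuntu 12.04's OpenSSH the four no-* options have to be listed individually, as in the HARDENED sample, because "restrict" is only understood by OpenSSH 7.2 and later.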