8

The environment is Ubuntu Server 12.04

I would like to create a user on a server that is only able to ssh into a shell that runs tail -f on a log file and closes the session once the program ends (ctrl+c).

Is there a way to achieve this?

Ablue

3 Answers

10

ssh forced commands spring to mind if you're happy to use keypair-based authentication.

man authorized_keys
/command=
tink
8

To be pedantic, it won't be ctrl+c, but SIGHUP (closer to ctrl+d) that kills the app.

You can put essentially whatever you want in the user's shell in /etc/passwd. Simply replace the default on the user's passwd line (probably /bin/bash) with another program. That program can be a script, such as /usr/bin/tail_log_file, with these contents, owned by root:root, with mode 0755:

#!/bin/rbash
# rbash is bash in restricted mode: no cd, no changing PATH/SHELL, no redirection,
# and no command names containing a slash.
tail -f /path/to/logfile

You can use some interpreter other than rbash, but it is advisable to use a restricted shell in such cases.

To be extremely pedantic about it, you should add the script's path to /etc/shells, but I usually find it works anyway.

Keep in mind also that the user could potentially put the script in the background, or use some options (ssh username@host bash) and still acquire a shell. If you want to restrict the user in such ways, good filesystem permissions are the only real solution.

Falcon Momot
  • works great, thanks so much for your quick and accurate reply. – Ablue Oct 10 '12 at 02:58
  • The only reason you would want to add something to `/etc/shells` is to allow users that have something else as their shell to set their shell to this; the superuser (`root`) can always change anyone's shell to anything they want. – Jonathan Callen Oct 10 '12 at 04:30
  • To add to what @JonathanCallen said: it's actually a security leak to add that script to `/etc/shells`, as that would allow the user to change his shell (because `/usr/bin/tail_log_file` would then be considered an "unrestricted shell")! – Joachim Sauer Oct 10 '12 at 06:33
  • Ok, I will remove it. – Ablue Oct 10 '12 at 08:00
  • That is much too complicated; forced commands (see the answer by @tink) are the way to do it. – Martin Schröder Oct 11 '12 at 13:23
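As an added example (not code from this answer or its comments), the following Python script audits the login-shell variant against the points raised above: the script must be root-owned, not writable by the restricted user, executable by that user, use rbash as its interpreter, and must not be listed in /etc/shells. All paths are constructed inside a temporary directory; `expected_uid` defaults to 0 (root) and the `demo()` function passes the current uid instead so the check can be exercised without privileges.

```python
import os
import stat
import tempfile

# The two-line script from the answer above; demo() writes it to a temp dir.
SCRIPT_BODY = "#!/bin/rbash\ntail -f /path/to/logfile\n"


def check_login_script(script_path, shells_path="/etc/shells", expected_uid=0):
    """Return a list of problems with a tail-only login shell; [] means it matches
    the setup described above (root-owned, 0755, rbash, not in /etc/shells)."""
    findings = []
    st = os.stat(script_path)
    if st.st_uid != expected_uid:
        findings.append("not owned by uid %d" % expected_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable: the restricted user could edit it")
    if not st.st_mode & stat.S_IXOTH:
        findings.append("not executable by the restricted user")
    with open(script_path) as fh:
        shebang = fh.readline().rstrip("\n")
    words = shebang[2:].split() if shebang.startswith("#!") else []
    interp = words[0] if words else ""
    if os.path.basename(interp) != "rbash":
        findings.append("interpreter %r is not rbash" % interp)
    try:
        with open(shells_path) as fh:
            listed = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except OSError:
        listed = []
    if os.path.realpath(script_path) in [os.path.realpath(p) for p in listed]:
        findings.append("listed in %s: the user could chsh to another listed shell"
                        % shells_path)
    return findings


def demo():
    """Constructed setup in a temp dir: audit it as described, then again after
    two common mistakes (chmod 777 and adding the script to the shells file)."""
    base = tempfile.mkdtemp()
    script = os.path.join(base, "tail_log_file")
    shells = os.path.join(base, "shells")
    with open(script, "w") as fh:
        fh.write(SCRIPT_BODY)
    os.chmod(script, 0o755)
    with open(shells, "w") as fh:
        fh.write("# constructed stand-in for /etc/shells\n/bin/sh\n/bin/bash\n")
    uid = os.getuid()                      # stand-in for root when run unprivileged
    sane = check_login_script(script, shells, expected_uid=uid)
    os.chmod(script, 0o777)
    with open(shells, "a") as fh:
        fh.write(script + "\n")
    weak = check_login_script(script, shells, expected_uid=uid)
    return sane, weak


if __name__ == "__main__":
    for label, result in zip(("as described", "after mistakes"), demo()):
        print(label, "->", result or "no findings")
```

Run it against the real paths (`check_login_script("/usr/bin/tail_log_file")` as root) after creating the user; an empty list means the script matches the configuration the answer describes.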
2

You can configure ssh to run a command of your choice when you log in using public key authentication. To do this, generate a pair of keys:

djs@sardinia:~$ ssh-keygen -f restricted-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in restricted-key.
Your public key has been saved in restricted-key.pub.
The key fingerprint is: b1:8f:26:47:c2:c5:f2:8d:ed:a0:c4:bd:9a:30:9d:08 djs@sardinia
[...]

restricted-key.pub contains a line suitable for putting in the user's ~/.ssh/authorized_keys file:

ssh-rsa AAAA...UDz47Nl djs@sardinia

but you can add a command to this, and ssh will run that command when logging in with the key:

command="tail -f /my/interesting/file" ssh-rsa AAAA...UDz47Nl djs@sardinia

Then the user can ssh to the machine using ssh -i restricted-key.

Dan
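As an added example for the two forced-command answers above (not code from either post), here is a small Python tool that turns the line from restricted-key.pub into a forced-command entry and audits an existing authorized_keys file for keys that still grant more than the forced command. Besides `command=`, it adds `no-port-forwarding`, `no-X11-forwarding`, `no-agent-forwarding` and `no-pty`, which are standard authorized_keys options available in the OpenSSH shipped with Ubuntu 12.04; with a forced command in place, a client that asks for something else (`ssh user@host bash`) still gets only the forced command, and sshd exposes the requested string to it in the `SSH_ORIGINAL_COMMAND` environment variable. The key blobs and the sample file contents are constructed placeholders.

```python
# Added example: build and audit authorized_keys forced-command entries.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Options that exist alongside command= in the OpenSSH shipped with 12.04;
# they deny tunnelling and a terminal even though the forced command already
# replaces whatever the client asked to run.
RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding",
                "no-agent-forwarding", "no-pty")

def _take_options(line):
    """Consume the options field (it ends at the first unquoted blank),
    splitting on unquoted commas. Returns (options, remainder)."""
    opts, buf, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2])   # keep the escape; unescaped later
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append("".join(buf))
            buf = []
            i += 1
            continue
        elif ch in " \t" and not quoted:
            break
        buf.append(ch)
        i += 1
    if buf:
        opts.append("".join(buf))
    return opts, line[i:].strip()

def parse_entry(line):
    """Parse one authorized_keys line into a dict; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = [], line            # no options field at all
    else:
        options, rest = _take_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    command = None
    for opt in options:
        if opt.startswith('command="') and opt.endswith('"'):
            command = opt[len('command="'):-1].replace('\\"', '"')
    return {"options": options, "command": command, "keytype": fields[0],
            "key": fields[1], "comment": fields[2] if len(fields) == 3 else ""}

def forced_command_entry(pubkey_line, command, restrict=True):
    """Turn a bare public key line (as written by ssh-keygen) into an entry
    that runs only `command`, with the RESTRICTIONS above unless restrict=False."""
    entry = parse_entry(pubkey_line)
    if entry is None or entry["options"]:
        raise ValueError("expected a bare public key line")
    if "\n" in command or "\r" in command:
        raise ValueError("command must be a single line")
    opts = ['command="%s"' % command.replace('"', '\\"')]
    if restrict:
        opts.extend(RESTRICTIONS)
    parts = [",".join(opts), entry["keytype"], entry["key"]]
    if entry["comment"]:
        parts.append(entry["comment"])
    return " ".join(parts)

def audit(lines):
    """Return (line_number, problem) for keys granting more than a forced command."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["command"] is None:
            findings.append((n, "no command= option: login runs the account's shell"))
            continue
        missing = [r for r in RESTRICTIONS if r not in entry["options"]]
        if missing:
            findings.append((n, "forced command without " + ",".join(missing)))
    return findings

# Constructed sample input; the key blobs are placeholders, not real keys.
PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleKEY djs@sardinia"
SAMPLE_FILE = [
    "# constructed ~/.ssh/authorized_keys for the log-viewer account",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleONE alice@laptop",
    'command="tail -f /var/log/syslog" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleTWO bob@laptop',
    forced_command_entry(PUBKEY, "tail -f /var/log/syslog"),
]

if __name__ == "__main__":
    print(forced_command_entry(PUBKEY, "tail -f /var/log/syslog"))
    for n, problem in audit(SAMPLE_FILE):
        print("line %d: %s" % (n, problem))
```

Feeding it the real restricted-key.pub line produces the entry to paste into the user's authorized_keys; running `audit()` over that file afterwards flags line 2 (a bare key, so login runs the account's shell) and line 3 (forced command but none of the no-* options), while the generated line 4 passes.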