Bastion server: create users with the ability only to ssh destination server

4

1

We have a bastion server. We should have some users that need to SSH from local through bastion to C, using proxyCommand and private key.

I want to create users and group that should have access ONLY to ssh from the Bastion host (it happens via proxyCommand). They also don't need to read files.

How can I do that? Is there a way?

The other alternative, if the above is not possible, is to have only read access for allowed files, except restricted files (defaulted by OS) that have read access only to their groups.

user2503775

Posted 2019-03-24T08:39:45.537

Reputation: 91

Answers

2

This is how to allow a given user only to use some specified commands:

  1. Change the user shell to restricted bash:

    chsh -s /bin/rbash <username>
    
  2. Create a bin directory under the user's home directory:

    sudo mkdir /home/<username>/bin
    sudo chmod 755 /home/<username>/bin
    
  3. Change the user's default PATH to this bin directory:

    # single quotes: $HOME must expand in the user's shell, not in the admin's shell running this command
    echo 'PATH=$HOME/bin' >> /home/<username>/.bashrc
    echo 'export PATH' >> /home/<username>/.bashrc
    
  4. Create symlinks for the command(s) that the user requires:

    sudo ln -s /bin/<command> /home/<username>/bin/
    
  5. Restrict the user from changing ~/.bashrc by making it immutable:

    chattr +i /home/<username>/.bashrc
    

This way you only create symlinks to the commands that you want to allow.

For doing the same for more than one user, you may create a bash script containing these commands and having the user's name as parameter.

EDIT: In CentOS, rbash may not be implemented directly and may need a symbolic link to be created, and similarly in some other versions of GNU/Linux such as Red Hat:

# cd /bin
# ln -s bash rbash


Edit2:

If rbash is too restrictive, then the normal bash might do as well, but this is more work: You will need to disallow executing almost all commands in /bin by using setfacl -m u:user1:r /bin/su for su and other commands that you don't want used, so they become read-only to the user and especially are not executable.

See this answer for more details.

harrymc

Posted 2019-03-24T08:39:45.537

Reputation: 306 093
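The five steps above, plus the CentOS rbash symlink and /etc/shells fix from the comments, as one script that takes the user name and the allowed commands as parameters (the answer suggests such a script). This is an added example, not harrymc's code; beyond the answer it assumes the PATH line should also go into ~/.bash_profile, which is the file an SSH login shell reads, and it resolves each command on PATH instead of assuming /bin.

```sh
#!/bin/sh
# Added example: the rbash steps from the answer as one script.
# usage (as root): ./restrict.sh <username> <cmd>...   e.g. ./restrict.sh alice ssh nc
# Assumed beyond the answer: PATH is also written to ~/.bash_profile (SSH login shells).
set -eu

# CentOS/RHEL may ship no rbash; create it and register it as a login shell.
ensure_rbash() {
    [ -e /bin/rbash ] || ln -s bash /bin/rbash
    grep -qx /bin/rbash /etc/shells || echo /bin/rbash >> /etc/shells
}

# Resolve a command name to an executable file on PATH (never a shell builtin).
find_binary() {
    IFS=:
    for d in $PATH; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then echo "$d/$1"; return 0; fi
    done
    return 1
}

# Steps 2-4: root-owned bin dir, PATH-only startup files, one symlink per command.
# Takes the home directory explicitly so it can be exercised on a scratch dir.
prepare_restricted_home() {
    home=$1; shift
    mkdir -p -m 755 "$home/bin"
    for rc in .bash_profile .bashrc; do
        # Single quotes: $HOME must expand in the user's shell, not root's.
        printf 'PATH=$HOME/bin\nexport PATH\n' > "$home/$rc"
    done
    for cmd in "$@"; do
        target=$(find_binary "$cmd") || { echo "no binary for $cmd" >&2; return 1; }
        ln -sfn "$target" "$home/bin/$cmd"
    done
}

# Steps 1 and 5 (root only): switch the shell and make the startup files immutable.
lock_user() {
    chsh -s /bin/rbash "$1"
    chattr +i "$2/.bash_profile" "$2/.bashrc"
}

if [ "$#" -ge 2 ]; then
    user=$1; shift
    ensure_rbash
    prepare_restricted_home "/home/$user" "$@"
    lock_user "$user" "/home/$user"
fi
```

Because /home/<username>/bin stays owned by root, the user cannot add symlinks; what they can run is exactly the list passed on the command line.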

Thanks. But I'm getting chsh: "/bin/rbash" does not exist. – user2503775 – 2019-03-28T08:39:41.257

At /etc/shells: /bin/sh /bin/bash /sbin/nologin /bin/dash – user2503775 – 2019-03-28T08:39:59.897

I added to my answer how to define rbash in CentOS. This option does not allow commands with a / (slash) embedded, among other restrictions. Add it also to /etc/shells. – harrymc – 2019-03-28T09:14:11.343

I use bastion from aws quick start. I'm getting now rbash: /var/log/bastion/bastion.log: restricted: cannot redirect output when I login to the user with the rbash shell. – user2503775 – 2019-03-28T10:34:32.833

If rbash is too restrictive, then the normal bash might do as well, but this is more work for you. You will need to remove all users from the sudo group, and might need to disallow executing almost all commands in /bin by this method of using setfacl -m u:test1:r /bin/su for su and other commands you don't want used. – harrymc – 2019-03-28T11:55:27.133

my users are not at sudo group, maybe the problem is that all action should be written to the bastion log? – user2503775 – 2019-03-28T12:21:22.203

The problem is that you are apparently logging all entered commands, so rbash is not suitable. In any case, it's very simple to escape the restricted shell by any Linux user, so it serves only for restricting naive users. The setfacl method is much safer even when used with bash. – harrymc – 2019-03-28T13:33:39.727

0

Network traffic

You can use iptables to limit network traffic:

# Allow port 22 traffic to a specific IP/hostname for a specific user
iptables -A OUTPUT -p tcp --dport 22 -d allowed_host -m owner --uid-owner username -j ACCEPT
# Block all other outgoing port 22 (SSH) traffic
iptables -A OUTPUT -p tcp --dport 22 -d 0.0.0.0/0 -j REJECT

File system access

To restrict filesystem access you can use file system permissions.

They also don't need to read files.

To be able to log in they need to be able to read some files:

  • The user's home directory
  • The executable and all libraries of the user's shell

To disallow read access for a normal user you can remove the world-readable flag from a file owned by root, or remove the world-executable and world-readable flag from a directory owned by root:

# chmod o-r secret-file
# ls -l secret-file
-rw-r-----  1 root  root  0 Mar 27 13:23 secret-file

# chmod o-rx secret-dir/
# ls -ld secret-dir/
drwxr-x---  2 root  root  64 Mar 27 13:24 secret-dir/

Cloudomation

Posted 2019-03-24T08:39:45.537

Reputation: 101