We have a bastion server. We should have some users that need to SSH from local through the bastion to C, using ProxyCommand and a private key.
I want to create users and a group that should have access ONLY to SSH from the bastion host (it happens via ProxyCommand). They also don't need to read files.
How can I do that? Is there a way?
The other alternative, if the above is not possible, is to have only read access for allowed files, except restricted files (defaulted by the OS) that have read access only to their groups.
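One way to meet the requirement in the question (users who can only pass through the bastion to C, with no shell and no file access) is to do the restriction in sshd itself rather than with a restricted login shell. The following is an added example written for this page, not a configuration posted in the thread or shipped by the AWS bastion Quick Start; the group name bastion-only, the user name alice, the host names and the key file names are assumptions to be replaced with your own.

```text
# --- Bastion side: /etc/ssh/sshd_config (added example; group/host names assumed)
#
# Members of the bastion-only group may open a TCP forward to C:22 and
# nothing else: no shell, no PTY, no agent or X11 forwarding, no tun device.
# ForceCommand makes any session request exit immediately, so a user who
# tries "ssh bastion" instead of using it as a proxy gets nothing.
Match Group bastion-only
    AllowTcpForwarding yes
    PermitOpen c.internal.example:22
    PermitTTY no
    ForceCommand /bin/false
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    AuthenticationMethods publickey

# Create the group and a user with no usable shell (CentOS path for nologin,
# as listed in /etc/shells in the comments below), then validate the config:
#   groupadd bastion-only
#   useradd -m -G bastion-only -s /sbin/nologin alice
#   sshd -t

# --- Client side: ~/.ssh/config on the user's workstation
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_bastion

Host c
    HostName c.internal.example
    User alice
    IdentityFile ~/.ssh/id_c
    # -W asks the bastion only for a TCP channel to %h:%p; no shell is started.
    # On OpenSSH 7.3 or later "ProxyJump bastion" is the equivalent shorthand.
    ProxyCommand ssh -W %h:%p bastion
```

The Match block matters because a nologin shell on its own does not stop port forwarding, and a restricted shell such as rbash only applies once a session is started. Since no session is ever created for these users, a command-logging hook in the login shell (the source of the rbash redirect error discussed in the comments) never runs for them; what they did is visible in sshd's own log, which records each authentication and each forwarded connection.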
Thanks. But I'm getting chsh: "/bin/rbash" does not exist. – user2503775 – 2019-03-28T08:39:41.257
At /etc/shells: /bin/sh /bin/bash /sbin/nologin /bin/dash – user2503775 – 2019-03-28T08:39:59.897
I added to my answer how to define rbash in CentOS. This option does not allow commands with a / (slash) embedded, among other restrictions. Add it also to /etc/shells. – harrymc – 2019-03-28T09:14:11.343
I use the bastion from the AWS Quick Start. I'm now getting rbash: /var/log/bastion/bastion.log: restricted: cannot redirect output when I log in as the user with the rbash shell. – user2503775 – 2019-03-28T10:34:32.833
If rbash is too restrictive, then the normal bash might do as well, but this is more work for you. You will need to remove all users from the sudo group, and might need to disallow executing almost all commands in /bin by this method of using setfacl -m u:test1:r /bin/su for su and other commands you don't want used. – harrymc – 2019-03-28T11:55:27.133
My users are not in the sudo group; maybe the problem is that all actions should be written to the bastion log? – user2503775 – 2019-03-28T12:21:22.203
The problem is that you are apparently logging all entered commands, so rbash is not suitable. In any case, it's very simple to escape the restricted shell by any Linux user, so it serves only for restricting naive users. The setfacl method is much safer even when used with bash. – harrymc – 2019-03-28T13:33:39.727