0
I need to use a server (Linux, Ubuntu) 'S' as a bridge between clients and other local servers 'LSs' which offer a series of services such as DB access via web or applications that must run on them (the other LSs).
Real examples:
I need clients to connect to S via SSH, and then they must be able tu run firefox to access LS1 in order to manage a database via web.
I need clients to connect to S via SSH, and then they must be able to run on S Java Dsktop Apps which connect to external servers to do other things.
In short: I need clients to connect to S just to do what they are expected to (some of them just have to open a firefox instance, others have to be able to execute a java.jar, etc.), and hopefully they don't do anything else.
Regarding to connections I can easily use the S firewall to limit them to only allow connections to LSs, but since some of the clients like to experiment on other computers, I would like to also limit their actions beyond the simple command "$ firefox" or "$ java -jar someapp.jar".
I'm using Ubuntu 14.04 as OS on servers. Obviously I can't limit accounts to "just run firefox" or "just run this .jar", but I'm interested in knowing that: How much could I limit those accounts actions?
Alberto Martín
Posted 2015-08-23T17:49:35.800
Reputation: 165
It's perfectly possible to limit a SSH session to only a single executable. That executable can then allow for a small set of other commands to be executed, perhaps through a menu. Look at the
commandfield in theauthorized_keysfile, or set the user's login shell in /etc/passwd. Note that Firefox in particular can probably be used to do quite a few things other than merely browsing to a web page. – a CVn – 2015-08-23T17:55:13.660You could also chroot them on S into a limited environment with few commands. see an old example.
– meuh – 2015-08-23T19:04:50.637Thanks to both; actually @Michael Kjörling idea seems to be almost the ideal solution. I'm testing it and the only thing I haven't solved so far is avoiding users to browse local filesystem via the web-browser (They should just access a predefined domain). In fact I've taken into account your sugestion about Firefox and I'm using Midori instead. – Alberto Martín – 2015-08-24T13:54:27.510