This note covers how to restrict which commands SSH users can execute once they successfully log in to a remote OpenSSH server.
Setup key-based authentication
$ ssh-keygen
$ ssh-copy-id login@remote-ssh-server
On the remote SSH server, a file called 'authorized_keys' should have been created in ~/.ssh. It should contain the copied public key.
$ ssh login@remote-ssh-server
$ cd ~/.ssh
$ cat authorized_keys
Restrict Execution in 'authorized_keys' file
To restrict a user to executing only the 'ls' command on this server, we can modify the authorized_keys file in the following manner:
from="192.168.233.84",command="/usr/bin/ls" ssh-rsa AAAABBB.......
In the entry above, from= limits use of this key to connections from the given IP address, and command= specifies the only command that will be executed.
Once we log in to the remote SSH server, the ls command executes and the connection is closed.
We can also create a Bash script and point command= at that script, so that the script offers only a limited set of commands.
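One way to write the wrapper script described above, as an added example that is not part of the original note. The script path /usr/local/bin/ssh-restricted.sh, the function names and the list of allowed commands are assumptions; `restrict` is an OpenSSH key option that the note's own entry does not use.

```shell
#!/bin/bash
# Forced-command wrapper (added example; path and allowlist are assumptions).
# Referenced from ~/.ssh/authorized_keys as:
#   from="192.168.233.84",command="/usr/local/bin/ssh-restricted.sh",restrict ssh-rsa AAAABBB.......
# "restrict" additionally disables port, agent and X11 forwarding and PTY allocation.

# resolve_command REQUEST
# Prints the fixed command line for an allowed request and returns 0;
# prints nothing and returns 1 otherwise. Matching is exact, so requests
# such as "ls; id" or "ls -la /etc" never match an entry.
resolve_command() {
    case "$1" in
        ls)      echo "/usr/bin/ls" ;;
        "ls -l") echo "/usr/bin/ls -l" ;;
        uptime)  echo "/usr/bin/uptime" ;;
        "df -h") echo "/usr/bin/df -h" ;;
        *)       return 1 ;;
    esac
}

# run_restricted REQUEST
# Runs the mapped command, or refuses with exit status 126.
run_restricted() {
    local cmdline
    if ! cmdline=$(resolve_command "$1"); then
        echo "command not permitted" >&2
        return 126
    fi
    # $cmdline comes only from the table above, never from the client,
    # so the unquoted word splitting here is intentional. No eval is used.
    $cmdline
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
# If the client asked for none (interactive login), the script ends here
# and the session closes without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    run_restricted "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

The script and its directory should be writable only by root, otherwise the restricted user could replace the allowlist.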