May 11, 2022

Restrict SSH Users to Run Limited Commands

This note covers how to restrict SSH users to a limited set of commands once they have successfully logged in to a remote OpenSSH server.


Set up key-based authentication

$ ssh-keygen

$ ssh-copy-id login@remote-ssh-server

On the remote SSH server, a file called 'authorized_keys' should now exist in ~/.ssh, and it should contain the copied public key.

$ ssh login@remote-ssh-server

$ cd ~/.ssh

$ cat authorized_keys


Restrict execution in the 'authorized_keys' file

To restrict a user to executing only the 'ls' command on this server, we can modify the authorized_keys file in the following manner:

from="192.168.233.84",command="/usr/bin/ls" ssh-rsa AAAABBB.......

In the entry above, from= limits use of this key to connections from the given IP address, and command= specifies the only command that will be executed.

Once we log in to the remote SSH server, the ls command will execute and the connection will be closed.

We can also create a Bash script and set it as the forced command, so that the script offers only a limited set of commands.
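
One way to write such a script, as an added example that is not from the original note: a wrapper that checks the client's request against an exact-match allowlist. The script path, the "run" argument and the three permitted command names are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: forced-command wrapper for an authorized_keys entry.
# Hypothetical install path and key entry (placeholders, not from the note):
#   from="192.168.233.84",command="/usr/local/bin/ssh-limited.sh run" ssh-rsa AAAA...
# sshd runs this script instead of whatever the client asked for and puts the
# client's requested command line in SSH_ORIGINAL_COMMAND.

# Map a requested command string to the fixed command line we are willing to run.
# Prints that command line and returns 0 if allowed, returns 1 otherwise.
# Exact string matching only: extra arguments, pipes and ';' chains never match.
resolve_request() {
  case "$1" in
    ls)     echo "/usr/bin/ls -l" ;;
    uptime) echo "/usr/bin/uptime" ;;
    df)     echo "/usr/bin/df -h" ;;
    *)      return 1 ;;
  esac
}

# Entry point, used only when sshd invokes the script with the "run" argument.
run_forced_command() {
  local request="${SSH_ORIGINAL_COMMAND:-}" cmdline
  if ! cmdline="$(resolve_request "$request")"; then
    # Record the rejected request for later review, then refuse.
    logger -t ssh-limited "denied user=${USER:-unknown} request=$request" 2>/dev/null
    echo "Command not permitted." >&2
    return 1
  fi
  # Word-split our own fixed string (never the client's input) and execute it.
  # shellcheck disable=SC2086
  exec $cmdline
}

if [ "${1:-}" = "run" ]; then
  run_forced_command
  exit $?
fi
```

A forced command does not by itself turn off port, agent or X11 forwarding for the key; OpenSSH's `restrict` option in the same authorized_keys entry does. The script and authorized_keys file should also not be writable by the restricted user.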

