6

When limiting a user to a single command via ssh, what default shell should be used for the user? This is a follow-up to "How can shellshock be exploited over SSH?" I have a machine that is running an ssh server and has a dummy user. I have limited this dummy user to running a single command over ssh by specifying a command option in the authorized_keys file. I have been using bash as the default shell of the dummy user, but since the shellshock bug, I have been thinking maybe there is a more secure shell. The dummy user is only allowed to run an rsync command, so I would imagine it would run on most shells. Specifically, the command that the user is allowed to run is:

rsync --server --sender -lHogDtpre.iLs . //home/dummyuser/data/

I am not the administrator of the server, although I can ask for some easy changes, so setting up something like a chroot jail in the /etc/sshd/sshd_config file is not possible. Ideally, I would be able to limit the command by logging in as the dummy user with an unrestricted key.

StrongBad
  • 5,261
  • Do you want to let him rsync with any arguments (in which case that would be equivalent to giving him full shell access) or just a fixed set of arguments? What do you want to achieve in the end? – Stéphane Chazelas Dec 08 '14 at 10:15
  • Beware that bash reads the .bashrc and /etc/bash.bashrc over ssh when invoked as "sh", and parses its code differently based on the locale. If using bash, you should call it as sh and probably remove the AcceptEnvs from sshd_config. Your best bet would be "dash" here if available, which has none of those misfeatures (and is minimalist and maintained by a kernel cryptographer). Be sure to disable tty allocation, forwarding, etc. as well. – Stéphane Chazelas Dec 08 '14 at 10:20
  • @StéphaneChazelas I added the command I want to limit the user to. I want the user to be able to sync data from a single directory on the server. – StrongBad Dec 08 '14 at 10:22
  • You can also only give him chrooted sftp access to that area, and let him do the rsync over sshfs on the client. You might be trying to safeguard against a buggy shell and overlook that rsync could have many more issues and/or vulnerabilities. (In the general case, my advice to use dash to interpret the forced command still stands.) – Stéphane Chazelas Dec 08 '14 at 10:24
  • @StéphaneChazelas I added that I cannot easily make system-wide changes or changes to /etc/ssh/sshd_config, which I think is required to set up a chroot jail. I was kinda hoping that rsync would be fairly secure. – StrongBad Dec 08 '14 at 10:31

1 Answer

1

You can write that shell:

cat >/tmp/rsyncshell.c <<'EOF'
#include <unistd.h>
/* Fixed argument vector; execv() requires the terminating NULL entry. */
static char *const argv[] = {
        "/usr/bin/rsync", "--server", "--sender",
        "-lHogDtpre.iLs", ".", "//home/dummyuser/data/", NULL };
int main(void) { execv(argv[0], argv); return 1; /* only reached if execv fails */ }
EOF

Compile the new shell:

gcc -o /bin/rsyncshell /tmp/rsyncshell.c

Then set the dummyuser interpreter to /bin/rsyncshell.

nrc
  • 281
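An added example, written for this page and not nrc's code from the answer above, that keeps the same design (the login shell ignores what the caller asks for and always execs one hard-coded rsync) and adds what a defender would want on top of it: a NULL-terminated argv, an exact-match check on what the client actually requested so that anything else is refused and logged to syslog, and a minimal environment so that no client-supplied variables (LC_*, SSH_*, anything let through by AcceptEnv, which the comments on the question warn about) reach rsync. The paths /usr/bin/rsync and /home/dummyuser/data/ are taken from the question; the function names command_allowed and requested_command and the rsyncshell name are my own choices.

```c
/*
 * rsyncshell.c: a fixed-command "login shell" for the dummy user.
 * Added example, not the answer's code. Assumes rsync is at /usr/bin/rsync
 * and the data directory is /home/dummyuser/data/ (both from the question).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* The only request the client may make: the command line from the question. */
static const char ALLOWED_CMD[] =
    "rsync --server --sender -lHogDtpre.iLs . //home/dummyuser/data/";

/* What is actually executed, regardless of the request text.
 * execve() requires the trailing NULL. */
static char *const RSYNC_ARGV[] = {
    "/usr/bin/rsync", "--server", "--sender",
    "-lHogDtpre.iLs", ".", "//home/dummyuser/data/", NULL
};

/* Minimal environment: rsync gets a PATH and nothing else from the caller. */
static char *const RSYNC_ENVP[] = { "PATH=/usr/bin:/bin", NULL };

/* Returns 1 only when the request is byte-for-byte the allowed command.
 * NULL (no command at all, i.e. an interactive login attempt) is refused. */
int command_allowed(const char *requested)
{
    return requested != NULL && strcmp(requested, ALLOWED_CMD) == 0;
}

/* Work out what the client asked for. With a command= option in
 * authorized_keys, sshd puts the client's request in SSH_ORIGINAL_COMMAND;
 * without one, the request arrives as "-c <cmd>" in our own argv. */
const char *requested_command(int argc, char *const argv[])
{
    const char *env = getenv("SSH_ORIGINAL_COMMAND");
    if (env != NULL)
        return env;
    if (argc == 3 && strcmp(argv[1], "-c") == 0)
        return argv[2];
    return NULL;
}

int main(int argc, char *argv[])
{
    const char *req = requested_command(argc, argv);
    if (!command_allowed(req)) {
        /* Refusals go to the auth log so unexpected requests are visible to
         * whoever monitors the box; SSH_CONNECTION is set by sshd and holds
         * the client address. The client itself only sees a terse error. */
        const char *conn = getenv("SSH_CONNECTION");
        openlog("rsyncshell", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "refused request from [%s]: %s",
               conn != NULL ? conn : "unknown",
               req != NULL ? req : "(no command)");
        closelog();
        fprintf(stderr, "rsyncshell: command not permitted\n");
        return 1;
    }
    execve(RSYNC_ARGV[0], RSYNC_ARGV, RSYNC_ENVP);
    perror("rsyncshell: execve");   /* only reached if the exec itself fails */
    return 1;
}
```

Build it with gcc -o /bin/rsyncshell rsyncshell.c, set it as the dummy user's login shell, and keep the command="..." option in authorized_keys together with no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding so that the shell is only ever reached for the rsync session. The exact-match check is deliberately strict: a client whose rsync emits a different option string is refused rather than accommodated, which is the fail-closed behaviour you want from a single-purpose account.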