
Is it possible to create users (non-sudoers) that can only use the command "mysql" ? or set of commands ?

Context: I have a server hosting a mysql database. I want to give some users the rights to connect to the server via SSH but only so they can use the mysql client.

I am using the Amazon Linux AMI.

PS: Using the command option in the authorized_keys file is not a correct solution.

Hugo
  • There are some similarities with "Adding a user who can only execute scripts remotely", but it is not the same question. – Hugo Jun 29 '16 at 11:53
  • Why is the "command" option in .authorized_keys not a correct solution? – Stephen Kitt Jun 29 '16 at 12:07
  • The command option is used to force the launch of a command when a ssh connection is made. – Hugo Jun 29 '16 at 14:17
  • Right, and it also tells the SSH server to ignore any other command given — so if you specify the MySQL client as the command in .authorized_keys, that would give you the result you're after, unless I've misunderstood your requirement! – Stephen Kitt Jun 29 '16 at 14:21
  • OK, I now understand that my question is very badly written. I need users to be able to connect to the server and locally (through the SSH tunnel) use port 3306 so they can access the database through their own client. In doing so, I don't want to give them any extra rights.

    Should I delete this question and post a new one or rewrite this one?

    – Hugo Jun 29 '16 at 14:41
  • Ah right, you want to allow them to set up an SSH tunnel to port 3306, is that correct? You should rewrite this question, and ping the two people who have answered (by commenting on their answers) to notify them that the question has changed. – Stephen Kitt Jun 29 '16 at 14:44
  • Actually, thanks to your questions, I realized that my issue was http://unix.stackexchange.com/questions/14312/how-to-restrict-an-ssh-user-to-only-allow-ssh-tunneling – Hugo Jun 29 '16 at 14:57
  • Excellent, in that case you should probably delete this question! – Stephen Kitt Jun 29 '16 at 15:02
  • It turns out I cannot delete this question because it's under moderator attention. – Hugo Jun 29 '16 at 15:08

2 Answers


Hugo.

You can create an inbound rule in your VPC security group to allow remote connections to port 3306, which is used by MySQL. In this way your users will be able to access MySQL via the mysql client installed on their computers without the need to connect via SSH.

Ivan P
  • Thank you for your answer. I want them to use SSH. Opening port 3306 is a dangerous solution. – Hugo Jun 29 '16 at 10:50

It's best to add a user with restricted privileges, see this post for more details.

On the other hand you can also limit his login shell, for example

useradd -s $(which mysql) whatshisname

This makes his default shell mysql.

Alice
  • Thank you. The post was interesting but dealing with sudoers permissions. Sorry Alice, I don't know how I could leverage the default shell options for my issue, could you tell me more? – Hugo Jun 29 '16 at 12:01
  • Hi Hugo, may I ask why you need to make his login shell mysql only? A normal user has pretty limited privileges to begin with. – Alice Jun 29 '16 at 17:26
  • This was my initial thought as well, but the mysql UI allows the execution of arbitrary shell commands. – MAP Jun 29 '16 at 22:53
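Alice's answer sets mysql as the login shell, and MAP's comment is the reason that is not a confinement: the mysql client can run a shell from its own prompt (its `system` / `\!` command), so the account ends up with everything an ordinary login would have. The approach Hugo arrived at (the linked question on tunnel-only SSH users) keeps a login shell that runs nothing and lets sshd confine the account to a single local port forward. The script below is an added example and is not code from any answer on this page: it flags accounts that use the weak setting and emits the hardened sshd_config Match block. The group name `mysqltunnel`, the sample passwd lines, the `/sbin/nologin` path (as on Amazon Linux) and an OpenSSH version of 6.2 or later (for `PermitTTY` and `AllowTcpForwarding local`) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.
# Assumptions: OpenSSH 6.2+ (Match, PermitOpen, PermitTTY, AllowTcpForwarding local),
# a hypothetical group named "mysqltunnel", and /sbin/nologin as shipped on Amazon Linux.

TUNNEL_GROUP="mysqltunnel"
DB_PORT=3306

# Constructed sample /etc/passwd content for the audit below (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
whatshisname:x:1001:1001::/home/whatshisname:/usr/bin/mysql
tunneluser:x:1002:1002::/home/tunneluser:/sbin/nologin'

# Weak-setting audit: print accounts whose login shell is a mysql client binary.
# Such a shell is not a confinement, because the client can spawn a shell from
# its prompt, so these accounts should be flagged. Reads passwd lines from stdin.
find_mysql_shell_users() {
  awk -F: '$7 ~ /\/mysql$/ { print $1 }'
}

# Hardened setting: an sshd_config Match block that confines group members to a
# local forward towards the database port only. No PTY, no shell command, no
# agent or X11 forwarding. Clients connect with: ssh -N -L 3306:localhost:3306 host
sshd_match_block() {
  cat <<EOF
Match Group $TUNNEL_GROUP
    AllowTcpForwarding local
    PermitOpen localhost:$DB_PORT
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Create a tunnel-only account: a shell that runs nothing plus group membership.
# Must run as root; deliberately not invoked at top level.
create_tunnel_user() {
  name="$1"
  getent group "$TUNNEL_GROUP" >/dev/null || groupadd "$TUNNEL_GROUP"
  useradd -m -s /sbin/nologin -G "$TUNNEL_GROUP" "$name"
}

# Append the Match block once (Match blocks must come last in sshd_config),
# check the syntax, and reload sshd. Root only; not invoked at top level.
install_match_block() {
  grep -q "^Match Group $TUNNEL_GROUP" /etc/ssh/sshd_config ||
    sshd_match_block >> /etc/ssh/sshd_config
  sshd -t && service sshd reload
}
```

Running the audit against the constructed sample reports `whatshisname`, the account from Alice's `useradd -s $(which mysql)` command, and not `tunneluser`. `PermitOpen` limits where the forward may go and `AllowTcpForwarding local` rules out remote (`-R`) forwards back into the client; `ForceCommand /bin/false` is what stops a session that does request a command from getting anywhere, which is why the client side must use `-N`.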