
Possible Duplicate:
Creating a UNIX account which only executes one command

I am trying to setup a user account that only has as minimal rights as possible.

The user should be able to log in via SSH and then use the "su" command to get root access BUT nothing else.

Is this even possible? So no basic commands like "cd", "ls" or "mkdir" should be available! The user should only be able to see one empty folder and then be able to use the "su" command to get full system access of the real OS (if chroot is used to achieve this).

Any ideas how this could be achieved?

Thanks in advance!

Answer

I would suggest allowing to connect only via public key. Then you can connect that public key with your own command by supplying it in ~/.ssh/authorized_keys like that:

command="/path/to/mycommand" ssh-rsa ...

Whenever the user logs into that account with that key your command is executed instead of the usual shell. That command can for example be a shell script, or even just something like su -.

That should do what you asked for. But please think again whether that is really what you want.

michas
  • Thanks for your answer! Maybe I wrote my question a bit unclearly. Your answer is a step in the right direction, but not quite what I had in mind. The point of this should be the following: I already changed the sshd_config file so that root is not able to log in via SSH, but sometimes I need root access over SSH, therefore I created a user that should only be able to log in via SSH and then use the su command to give me full access. This is the only user that can connect via SSH and this specific user should be able to do as little as possible. Is this possible, or is another approach better? – Walter Isaac Jan 19 '13 at 20:20
  • That is perfectly fine. You use ssh to log in as that specific user. If you set up ssh as described, ssh automatically runs su for you which asks you for the root password. There is no shell in between, therefore you cannot run anything else with this setup. – michas Jan 19 '13 at 20:27
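The forced-command setup from the answer above, written out as an added example that is not part of the original post. The first function builds the authorized_keys line the answer describes (command="..." in front of the key) and also adds the standard no-*-forwarding options so the key cannot be used for tunnelling; the second function is an audit helper of my own that counts keys in the file which are not bound to a forced command, since any such key would still drop the user into a normal login shell. The key strings, comments and file contents are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original answer). Builds a forced-command
# authorized_keys entry and audits a constructed authorized_keys file for
# entries that still allow an interactive shell.

# Build one authorized_keys line with a forced command and no forwarding.
# pty allocation is left enabled on purpose: `su -` needs a terminal.
# $1 = command to force, $2 = key type, $3 = base64 key, $4 = comment (optional)
forced_key_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s %s%s\n' \
        "$1" "$2" "$3" "${4:+ $4}"
}

# Count key entries in an authorized_keys file that have no command= option.
# Comment lines and blank lines are ignored. Prints 0 when every key is forced.
# $1 = path to the authorized_keys file
unforced_key_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -vc 'command="' || true
}

# Stand-alone demo on a constructed temporary file.
demo_file=$(mktemp)
{
    echo '# constructed sample authorized_keys, placeholder keys only'
    forced_key_line '/usr/bin/su -' ssh-ed25519 AAAAC3PLACEHOLDERKEY1 admin@example
    echo 'ssh-ed25519 AAAAC3PLACEHOLDERKEY2 forgotten-unrestricted-key@example'
} > "$demo_file"
echo "keys without a forced command: $(unforced_key_count "$demo_file")"
rm -f "$demo_file"
```

Two details worth knowing when applying this: sshd runs the forced command through the account's login shell with -c, so the account must keep a real shell (setting it to /bin/false or nologin breaks the forced command), and a plain `ssh user@host` with no remote command already allocates a pty, which is what su needs to prompt for the root password. The audit function is useful because the protection is per key: one extra key line without command= reopens a full shell.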