If a user has loginShell=/sbin/nologin is it still possible to
ssh user@machine [command]
assuming that the user has proper ssh keys in its home directory that can be used to authenticate?
My goal is to keep the user as a nologin, but still able to execute commands on a few other machines on the network (similar to its use through ‘sudo -u’), and am wondering if this is a reasonable course.
Answers:
Method 1
Setting /sbin/nologin as the user’s shell (or /bin/false or /bin/true, which are almost equivalent) forbids the user from logging in to run any command whatsoever. SSH always invokes the user’s login shell to run commands, so you need to set the login shell to one that is able to run some commands.
There are several restricted shells that allow users to run only a few commands. For example rssh and scponly are both such shells that allow the user to run a few predefined commands (such as scp, sftp-server, rsync, …). See also Restrict user access in linux and Do you need a shell for SCP?
Method 2
It seems the answer is no.
ssh user@machine [command]
with ssh keys in place only results in:
This account is currently not available
rather than the command executing; it seems I’ll have to give it access to bash.
Method 3
Just need to put your command between quotes like:
ssh user@hostname "your_command"
Method 4
I don’t know whether that is possible (should be easy to test though) but there is a feature which probably answers your question in a certain way and in any case solves your problem.
You can add a command to the key line in authorized_keys. In that case this command is executed, nothing else. I assume this works with /sbin/nologin as the shell should be ignored anyway.
But you would need a different key for every command you allow.
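As an added illustration of the authorized_keys forced-command approach described in Method 4 (this is example code written for this page, not from any of the answers above), the wrapper below is meant to be installed as a hypothetical /usr/local/bin/ssh-dispatch and named in the key's command= option. sshd then ignores whatever the client asked for, runs the wrapper instead and passes the client's request in SSH_ORIGINAL_COMMAND; dispatching on that variable against a fixed allow-list lets one key serve several commands, which goes a step beyond the one-key-per-command arrangement the answer describes. One caveat for the original question: sshd starts a forced command through the account's login shell ("shell -c ..."), so the account still needs a shell that can execute commands, such as /bin/sh; with /sbin/nologin the wrapper never runs. The key type, comment, commands and paths in the example are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): a forced-command wrapper for
# authorized_keys. Install it as the hypothetical /usr/local/bin/ssh-dispatch
# and reference it from the key line (key material and comment are placeholders):
#
#   command="/usr/local/bin/ssh-dispatch",restrict ssh-ed25519 AAAA... monitor-key
#
# "restrict" also disables port/agent/X11 forwarding and pty allocation, so the
# key can do nothing except run this script.

# Map the client's request to one of the allowed actions. Returns 0 and prints
# the action name on an exact match, returns 1 for anything else: an empty
# request (what an interactive login attempt looks like), an unknown command,
# or an allowed command with extra text appended.
dispatch() {
    case "$1" in
        "uptime")             echo "uptime"; return 0 ;;
        "df -h /var/backups") echo "df";     return 0 ;;
        *)                    return 1 ;;
    esac
}

# Run the selected action. Each branch is a fixed command line; nothing taken
# from the client's request is ever handed to a shell.
run_action() {
    case "$1" in
        uptime) uptime ;;
        df)     df -h /var/backups ;;
    esac
}

# Entry point when sshd invokes the script (SSH_ORIGINAL_COMMAND is only set in
# that situation). Rejections are logged so unexpected requests are visible.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    if action=$(dispatch "$SSH_ORIGINAL_COMMAND"); then
        run_action "$action"
    else
        printf 'rejected: %s\n' "${SSH_ORIGINAL_COMMAND:-<interactive login>}" >&2
        logger -t ssh-dispatch "rejected from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND}" 2>/dev/null || true
        exit 1
    fi
fi
```

From the client side, "ssh user@machine uptime" runs the uptime branch, "ssh user@machine" with no command is refused, and a request such as "uptime; id" is refused as well because matching is exact rather than prefix-based.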
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0