Я использую authorized_keys, чтобы ограничить используемые команды для пользователя. Владелец файла ~/.ssh и файла является корневым и имеет значение
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Это работало довольно хорошо, пока я не обнаружил, что в какой-то момент пользователь может снова использовать все команды. Файл authorized_keys содержит:
command="mysql -u arg1 -p arg2",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa public_key
Я не знаю, что я делаю не так, также я попробовал это в режиме отладки и проверил логи. Но он просто позволяет все команды.
Логин пользователя должен быть только паролем, поэтому без ключевой системы.
Debug-Log:
Connection from XX.XX.XX.XXX port 26048
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
debug1: no match: PuTTY_Release_0.63
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: permanently_set_uid: 103/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user restricteduser service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "restricteduser"
debug1: PAM: setting PAM_RHOST to "XXX.XXXX.XXXXXXXX.XX"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user restricteduser service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: PAM: password authentication accepted for restricteduser
debug1: do_pam_account: called
Accepted password for restricteduser from XX.XX.XX.XXX port 26048 ssh2
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: restricteduser has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 24137
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 2001/2001
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/11
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: server_input_channel_req: channel 0 request winadj@putty.projects.tartarus.org reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req winadj@putty.projects.tartarus.org
С уважением, ProcTrap