Default solutions for very limited remote linux shells
I have a user that needs to connect to a remote machine M (via ssh) and run one in a fixed set of commands (say N in total).
These commands rely on python, libraries thereof, and privileged access to the network (which machine M has).
Are there default strategies to limit the linux user shell only to the execution of these N commands, without any possibility of:
- further access to the fs
- reading the content of the commands themselves
- acquiring privileged access to the network
- and alike
In other words, what are default strategies to prompt a limited console to the user after they login, allowing, e.g., only numbers between 1 and N as inputs?
There is a neat trick in authorized_keys file, you can use command option to define command to be run on login, identified by a key, so if your N commands are static - they you can define them on the server and voila. It will not restrict the network, only launching the command. It will look something like that in authorized_keys file:
command = "date" ssh-rsa AAAA
You can find more information about this tutorial
To prevent the user from network access - you can use SELinux or other similar software, also you could write a eBPF hook to allow exactly what you want.